China has just banned Teslas from the streets in the Chinese resort town of Beidaihe. As government leadership descends on the city for a secret conclave, the electric cars are not welcome on the streets of the coastal city for the next two months. The reason being the concern that the vehicles’ impressive array of sensors and cameras may offer a line of sight into meetings of Beijing’s senior leadership.
So how could cars form a threat to security in any way? In the change of combustion engine cars to electric vehicles, we see at the same time a clear trend to cars becoming ever more smarter. Where Tesla one of the most famous electric cars, its autonomous driving features are also amongst the world’s most advanced smart car technologies.
Cars are becoming so interconnected, that it makes sense to see them as yet another smart tool, yes, even smarter than your mobile phone.
What security threats do I need to worry about?
There are two major security threats.
First, there is all the personal data your car has access to. Basically, my car has a history of the places I go to. It’s also linked to my phone, so it has the list of contacts of my phone, you can see people I call regularly. Some cars also have credit card information, access to certain apps, internet access, basically my browsing history, and that’s a lot a lot of personal information!
Second, is the way cars connect to other cars, their environment, and the cloud. Connected cars can share information with other vehicles in C2C (car-to-car) or C2I (Car-to-Infrastructure) connections in real-time. In essence, they are becoming sophisticated nodes of the global network that manages massive amounts of information.
Opportunities in smart car security technologies
According to the study “Driving Security: Cyber Assurance for Next-Generation Vehicle”, there are three aspects are essential when it comes to manufacturing secure connected cars:
- Design secure cars. Security requirements are part of the early stage of the design process. Designers should focus on security, implementing protections against known threats for each component, subsystem, and network that the connected vehicle will be exposed to once it leaves the car maker’s production line.
- Create safe networks.Internal communications and communications with external entities should be encrypted. Car makers also have to design monitoring systems able to detect suspicious activities that could be potentially associated with attack patterns.
- Vehicle hardening. Vendors have to harden their connected cars at all levels:
- Encryption of data at rest and data in motion
- Implementing proper cloud security controls
- Access control mechanisms
- Securing the operating system
- Penetration testing of the apps
How afraid should I be?
Teslas are arguably the most connected and widespread of a new generation of vehicles. Not only do they hoover up a massive amount of data on the driver—from call logs to on-board browser history to average speed and route history—but their outward-facing sensors and cameras can relay a considerable amount of information about the surrounding world.
A 19-year-old German programmer, David Colombo, proved earlier this year that accessing incredibly sensitive data on Tesla was fairly easy. Using a third-party application with access to Tesla’s API, Colombo got into the systems of more than two dozen Teslas around the world, controlling their locks, windows, and sound systems and downloading a huge bundle of information.
He was able to see a large amount of data. Including where the Tesla has been, where it charged, current location, where it usually parks, when it was driving, the speed of the trips, the navigation requests, history of software updates, even a history of weather around the Tesla and just so much more.
This is a good example of the flaws of vulnerabilities of the core of these smart vehicles. The amount of data Tesla collects and uses is just the tip of the iceberg. We have yet to see fully autonomous vehicles or the much-vaunted “smart cities,” which could see 5G-enabled roads and traffic lights.
In the near future, cars will not only collect information about their driver and passengers, but the vehicles, pedestrians, and city around them. Some of that data will be necessary for the car to function properly—to reduce collisions, better plan routes, and improve the vehicles themselves.
To wrap up, let’s end with a question:
Do you feel safe with the government having access to all your car data?
Let us know in the comments and see you in the next Boys and Bots!