Connected car security: Why identity is in the driving seat
An increasingly diverse range of connected objects has joined the Internet of Things (IoT) in recent years. According to IDATE, 420 million drivers will generate a connectivity market amounting to €9 billion by 2020.
However, with cars increasingly becoming computing platforms rather than simply a means of travelling, they are also becoming more attractive targets for hackers. This is backed up by the FBI recently publishing an advisory on car hacking, naming connected cars as one of the biggest cyber-threats of tomorrow, says Simon Moffatt, director Advanced Customer Engineering, ForgeRock.
An accelerating sector, but one lacking in
Digital transformation is having a significant impact on all industry sectors, but nowhere more so than the automotive sector. Today’s motor companies are likely to look very different in ten years time as they continue evolving from manufacturers to complex service providers.
Why? Because having the ability to record and analyse all manner of data generated by a car (such as distance travelled, speed, fuel efficiency) means manufacturers can deliver more personalised driving experiences, whilst also collecting valuable product data.
There are an estimated 40-60 million connected cars throughout the world currently. Within the next five years, Gartner predicts this will increase to over 250 million. At present, the average security level within these vehicles is equivalent to that of IT systems and computers from the ’80s, with limited encryption, data protection and identity management.
Connected cars are vulnerable
More and more evidence is coming to light that demonstrates the vulnerability of connected cars. Just recently, Nissan was forced to suspend the functions of its smart car companion app after researchers found it could be used to access control systems in its electric cars.
Perhaps more notably, last year two security researchers were able to take control of a moving Jeep via its infotainment system. Once they had gained access, they were able to control the steering, transmission and even the brakes. This served as a stark warning to both car manufacturers and owners.
Identity in the driving seat
Identity is becoming a critical element in the connected car journey; the identity of the user, of the car, its connectivity system, and that of the smart devices that connect with the vehicle. The problem is that there is currently no connection between the identity of the driver and the identities of the smart devices within the car.
In terms of security, this relationship must be established, so that only the vehicle’s authenticated operator can control the various on-board connected devices. If a hacker tried to take control remotely, they would simply be blocked, as their identity wouldn’t be recognised. In order to do this, an effective identity management platform must be deployed that can link together all of the relevant identities in the correct context.
Of course, a vehicle does not have to be dedicated exclusively to one person. The identity of a vehicle or device can be linked to numerous individuals interacting with it. For example, a family car’s identity could be linked to the identities of both the driving members of the family and that of the younger, non-driving members. In this case, the kids would have access to the on-board entertainment system, but no access to any of the driving controls.
The multi-layered security solution
In the future, multi-layered security approaches will almost certainly be used to protect connected cars. Indeed, various physical authentication methods such as fingerprint, voice and facial recognition are already being tested.
These would work in tandem with on-board identity management systems to increase the security of the vehicle. Manufacturers will surely continue to surprise us with more state-of-the-art features, but the end goal remains the same; protecting the legitimate owner and occupants of the vehicle.
For automotive companies, the connected car is both an exciting and a risky prospect. Consumers want to trust the technology before they put their lives in the hands of the manufacturers.
Clearly, the connected car has a long way to go – cases such as Jeep and Nissan haven’t done the industry any favours. And yet, the connected car undoubtedly represents the future of the industry, so the sooner a more robust approach to identity is adopted, the sooner we will see consumer trust increase.
The author of this blog is Simon Moffatt, director Advanced Customer Engineering, ForgeRock.