Mar 17, 2016
With electronic systems now at the heart of pretty much any vehicle on the road, much attention is being focused on what security implications this might have.
After all, we’ve all heard the horror stories about hackers being able to surreptitiously gain access to computer systems of big companies and organisations, and potentially cause chaos.
So what’s to stop someone from breaking into an electronic system which controls many of the important functions of your car - from your heating and air conditioning to your engine management system - and taking control of them away from you?
The International Business Times reckons that the security issue is the same as those faced by any other manufacturer of electronic devices - namely, that the hackers are always one step ahead of those who devise and install the security features on them.
A report from the International Data Corporation, commissioned by security firm Veracode, found car manufacturers themselves were worried that data security standards applying across their industry were lagging behind the capabilities of hackers and cyber-criminals, and warned it could be years before they caught up.
"While automotive manufacturers are well aware of the issues relating to physical security for the connected car and liability thereof, the cybersecurity issues are less understood," the report warns, adding: "This is new technology and the strategies for addressing these issues are still being formulated.”
Meanwhile, manufacturers estimate it could take anything from one to three years for them to build greater security into the systems of their ‘connected’ cars - a delay which Chris Wysopal, chief technology officer at Veracode, says “is compounded by the need [to ensure all apps developed for the purpose are secure] under the microscope of government-regulated safety standards and liability concerns.”
In other words, in order to properly tackle all potential hacking threats, the car manufacturers need to be freed from the shackles imposed on them by regulations which are drawn up, ironically, to ensure that they stay within the law at all times.
But when hackers exhibit no such concerns, how can the car industry - and any other sector with an interest in reassuring its customers and users that their data is secure - combat all potential threats?
The simple answer is that it can’t. So could it mean that all vehicle-makers’ efforts, in conjunction with their software-writing teams, to harness technology in order to serve us with a safer driving experience - such as engine management and automated parking systems - actually end up making us more vulnerable to an array of threats, many as yet unforeseen?
One recent incident involved Nissan’s Leaf electric car, which could have its air conditioning and heating systems accessed remotely, without the owner’s knowledge.
According to one software expert, the main problem is that the developer of the app which controls these functions left it vulnerable to an attack which could be perpetrated by someone with access to a vehicle’s unique identification number (VIN).
“It's not that [the developers] have done authorisation [on the app] badly, they just haven't done it at all, which is bizarre,” Hunt told the BBC. In other words, no passwords or other security layers were in use to protect the air-con and heating systems from being accessed remotely, and even without the car’s owner or driver knowing anything about it.
He also said the fact that, while each VIN contains a long series of letters and numbers, only the last few differentiate individual cars, means it could be easy for someone with access to just one of this string of numbers to potentially also attack several other vehicles.
The models affected are the Nissan Leaf and e-NV20. Nissan has responded by temporarily disabling its ‘Connect EV’ app in which the vulnerability was discovered.
In a statement, Nissan said: “”An independent IT consultant and subsequent internal Nissan investigation found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
“No other critical driving elements of the Nissan LEAF or e-NV200 are affected and our 200,000-plus Leaf and e-NV200 drivers across the world can continue to use their cars safely and with total confidence.
“The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.”
Nissan expects to have updated versions of the apps available soon, but meanwhile it has had to make an embarrassing apology to owners of technologically-advanced cars, many of which may have been bought on the strength of the potential for convenient operation of their ancillary systems and the positive implications for their efficiency and economy.
“We apologise for the disappointment caused to our Nissan LEAF and e-NV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount. We're looking forward to launching updated versions of our apps very soon."
The bottom line is that these latest flaws to be uncovered haven’t put any vehicles’ main driving controls at risk. Yet the ease with which someone was able to find a way of controlling a car’s heating and ventilation systems while the driver remained totally unsuspecting of any untoward activity will have car manufacturers reviewing the security of some of their flagship technological features.
So, do you think cars have become too clever for their own good - or is the fact that these flaws have come about due to a human omission a sign that we still need to keep working on ways of eliminating any such risks for the sake of our driving convenience and comfort? Your thoughts are welcome via Facebook and Twitter.
