Wireless interfaces are not the only way to get into a car and inject malicious software or unwanted functions. Stefan Nürnberger from the Center for Security, Privacy and Accountability (CISPA) in Saarbrücken (Germany), which performs penetration tests on cars, described an interesting entry point for attackers: during tests on an existing luxury car, his team found that the folding mirrors were directly connected to the vehicle’s CAN bus. A malicious person could easily have broken off a mirror to gain access to the CAN bus.
Likewise, the OBD and OBD-II diagnostics interface is a major entry point for attacks because it is completely open and unprotected. Some might argue that an attacker needs physical access to the vehicle to connect to the OBD interface, but this is not really a strong protection: malicious software can be contained in the OBD dongles available on the market for connectivity and insurance applications. The list of vulnerabilities could be continued. The point is that as the car becomes a computer – or rather, a system of interconnected computers – it faces much the same problems as the PC, with everything that comes with them.
So the question is: how can the problem be solved, and what does the automotive industry need to do to keep the hackers at bay? “The good news is: other industries have been to this point before,” said Dominik Wee, partner at consultancy McKinsey. Another piece of good news is that, according to Wee, 83 percent of the OEMs are aware of the threat. The less good news is that the majority has no clue yet what to do; only 41 percent of the respondents have cybersecurity teams up and running. Wee suggested that the auto industry should adopt the tiered security approach used in the IT industry.
Paul Wooderson, senior functional safety and cyber security engineer at engineering consultancy Horiba Mira, sketched the measures from the engineering perspective. He advised establishing a development process that takes cyber threats into account. “You should treat the car as a part of the Internet of Things,” he said. The specific constraints and requirements of automotive design, such as the long design cycle and the complex supply chain, must be taken into account, as must technical factors such as limited microcontroller resources, real-time capability and scalability. Basically, his suggestions amounted to adding security as an additional aspect of the familiar V model.