We all hear about the exciting developments in the world of the Networked Car and the opportunities and benefits they could bring, particularly with respect to a reduction in the number of deaths and injuries resulting from road traffic accidents and a reduction in harmful emissions arising from improved traffic management. Occasionally we also hear, quite rightly, cautionary notes relating to liability and privacy. However, there is a further note of caution (or perhaps a reality check) to be considered – that of security, specifically e-security.
Since the invention, or more specifically the implementation, of the car immobiliser over the past decade, vehicle theft rates have generally declined in each market in which it has been fitted. In many respects this has been a success story and has enabled vehicle manufacturers to focus on other technologies within the car, such as more sophisticated telematics, ITS and safety systems. However, one unexpected side-effect of the success of the immobiliser is that our collective awareness of vehicle theft has started to diminish, which in turn has led to a sense of complacency.
By contrast, the growth of the Internet has led to a huge increase in awareness of security and privacy matters. Initially the focus of Internet security was on firewalls and anti-virus software, but as those technologies started to mature so attention spread to include privacy, not only of what can be accessed at any point in time, but also of what information is stored and potentially retrieved at a later date.
With the advent of the Networked Car, there is now a convergence of technologies. The benefits of integrating the Internet and other communications technologies into vehicles are only just starting to be understood. The vision of autonomous vehicles is not the end game in itself; the benefits of partially and fully autonomous vehicles are the real story.
So if the future of the Networked Car is so exciting, why would I want to dampen enthusiasm by talking about e-security? Isn’t it true that the ‘scare stories’ that appear in the media are actually academics conducting research? Surely there can’t be a real risk; after all, criminals are not as bright as academics, are they? Whilst I do not want to be a harbinger of doom, it is my opinion that a review of modern vehicle crime can yield some important lessons about how Organised Criminal Groups (OCGs) operate and how, without proper precautions and countermeasures, the modern cyber-criminal could run amok with Networked Cars.
Highly sophisticated, well-funded international OCGs are now responsible for an upwards trend in vehicle crime in most developed markets, reversing many years of steady decline. This isn’t just a glitch in the data; it is a reflection of a long-established trend but, like an iceberg, only its tip has been visible – until now.
It is stating the obvious to say that as vehicle security systems become more sophisticated, the tools required to overcome them also become more sophisticated and more time-consuming and expensive to develop. However, in common with many legitimate global businesses, OCGs have realised that whilst the technology needs to be developed by experts, the tools can be manufactured in volume in any low-cost economy, with the Internet as their primary distribution channel. Variations on this business model mean that electronic theft tools are now available almost anywhere in the world, with prices ranging from just €20 up to around €50,000. It is no coincidence that countries such as France, Italy, Netherlands, Sweden and others are all showing an increase in vehicle crime for the first time in a decade, and many more are forecast to follow.
Another alarming trend is the range of methods being used to develop e-theft tools. Whilst some criminals may get lucky with some Internet research and a ‘trial and error’ method, the reverse engineering techniques employed by others are quite staggering in their complexity. Hardware-Based Reverse Engineering includes Semiconductor Slicing and Side Channel Analysis. Software-Based Reverse Engineering includes Firmware Extraction, Firmware Analysis and Observing Input and Output. Network-Based Reverse Engineering includes Bus Monitoring, Diagnostic Message Manipulation and Bus Injection (Fuzzing).
The key lesson to learn here is that modern OCGs should not be underestimated. They are here, they are global, they are active and, if vehicle e-theft is any guide, they are highly successful and their next target could easily be the Networked Car.
Mike Parris presented “e-Security for the Networked Car – What are you doing about it?” at the ITU Symposium at the Geneva Motor Show in March 2014.
Photo by Samuele Errico Piccarini