A relatively short post... hopefully some car manufacturers are reading.
IoT security and car / vehicle security are hot topics at the moment. From the Jeep hack to Tesla, there have already been examples where cars can be ‘hacked’. These have demonstrated that control can be taken, not just of relatively benign functions like climate or the stereo, but of actual ‘car’ controls like steering and brakes.
In addition to this, if you use, or read reviews of, most cars' entertainment / infotainment systems, they are pretty poor in terms of UI and capabilities. Hands up if the maps on your phone beat your car's GPS / navigation system.
This seems to be a clear symptom of manufacturers wanting to have their cake and eat it. What I mean is minimal changes to the architecture, implementation and security of the software and hardware (computer) that runs the car, while simultaneously wanting to connect it to the internet for clever features and updates.
In the world of mobile phones, and indeed traditional computing, there is a concept of trusted or secure execution environments. These vary in implementation, but the premise is a hardware-protected trusted environment for executing sensitive activities, while less sensitive activities run on the normal operating system in a less secure / more open environment.
If you follow this blog you'll have seen that I have actually argued we can make a software-only solution more than secure enough for payments. This however differs from cars in two very important ways:
- I propose we monitor the software at all times it is in use to ensure the payment is legitimate and secure. I am not sure any car manufacturer wants to monitor the software in all its cars, all the time, in real time.
- People are unlikely to die. This is not being overly dramatic; a failed payment or fraudulent payment likely involves a call to your bank and minor inconvenience. If the ‘driving’ parts of your car can be hacked there is a very real risk of serious injury or the loss of life.
How do we solve this, and still provide convenience?
I propose that the car computer effectively be split into two discrete components.
The first being secure and dealing with anything to do with controlling the car, such as the engine, brakes, steering etc. This should be in a secure environment that ideally can only be updated at a garage using a physical connection and certificates etc. This could potentially be remotely updated, but that should be weighed against the risks.
The second being the ‘fun’ part. This would include the whole infotainment system, music, climate, navigation* etc. These components can then be updated remotely, ideally still with reasonable security such as encrypted communication and certificates etc.
This split would allow manufacturers to update the UI, navigation etc. much more frequently with relatively low risk.
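As an added illustration of the update policy this split implies (not code from the original post), the gatekeeper below refuses a remote update for the driving domain even when its signature is valid, while accepting remote updates for infotainment. The HMAC tags and the `vehicle_control` / `infotainment` domain names are constructed for the demo; a real design would use per-domain certificates and asymmetric signatures rather than shared keys in code.

```python
import hmac
import hashlib
from typing import Tuple

# Constructed demo keys standing in for per-domain signing certificates.
SIGNING_KEYS = {
    "vehicle_control": b"demo-key-vehicle-control",
    "infotainment": b"demo-key-infotainment",
}

# The split the post proposes: the driving domain is updated only over a
# physical connection at a garage; the infotainment domain may also be
# updated remotely.
ALLOWED_CHANNELS = {
    "vehicle_control": {"physical"},
    "infotainment": {"physical", "remote"},
}


def sign_update(domain: str, payload: bytes) -> str:
    """Tag an authorised build server would attach to an update (demo only)."""
    return hmac.new(SIGNING_KEYS[domain], payload, hashlib.sha256).hexdigest()


def evaluate_update(manifest: dict, payload: bytes) -> Tuple[bool, str]:
    """Decide whether an update may be applied; returns (accepted, reason)."""
    domain = manifest.get("domain")
    channel = manifest.get("channel")
    if domain not in ALLOWED_CHANNELS:
        return False, "unknown domain"
    # Channel policy is enforced before the signature check, so a correctly
    # signed update still cannot reach the driving domain over the air.
    if channel not in ALLOWED_CHANNELS[domain]:
        return False, f"{channel} updates not permitted for {domain}"
    expected = sign_update(domain, payload)
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        return False, "signature mismatch"
    return True, "accepted"


if __name__ == "__main__":
    blob = b"nav-maps-v2"  # constructed update payload
    for dom, chan in [("infotainment", "remote"), ("vehicle_control", "remote"),
                      ("vehicle_control", "physical")]:
        m = {"domain": dom, "channel": chan, "signature": sign_update(dom, blob)}
        print(dom, chan, evaluate_update(m, blob))
```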
I’m hoping that car manufacturers will move in this or a similarly secure direction soon. If they do not, I fear something bad will happen. This will not only be bad for those involved, but will lead to strong regulation and prove (again) that companies must be regulated to do the right thing.
It’s time to stop hiding behind the supply chain or whatever the excuse is, and to protect your customers and the general public. Either that or stop making connected cars!
Concepts similar to this likely apply to a wide range of IoT ‘things’.
*You could make an argument for not having navigation here, as it is possible to direct people the wrong way, which could be dangerous, but I’d suggest less imminently dangerous, and I’m definitely not proposing no security for the ‘infotainment’ stuff!