Will Your Next Car Steal Itself?

As vehicles offer an ever-growing number of digital features, they could present several security threats--unless automakers manage these technologies effectively.

That's the thinking of Dave Miller, CSO at cloud-based platform vendor Covisint. Miller says that in a world of smarter cars, there are five key vehicle identity and security issues to consider. Now Miller believes that cloud services provide the answer to these threats, and given the obvious vested interest, it might be tempting to dismiss the whole concept. But his observations are interesting--read on to see whether you find these concerns compelling (and to get a reality check from a Gartner analyst).

Five automotive security and identity challenges

One challenge is identifying the right owner of the vehicle. "Technology, through password combinations or other similar methods, will bind us to our future cars, enabling us to operate, drive and maintain these vehicles," Miller says.

In some instances, this will require two-factor authentication, such as the car's legitimate owner physically having his mobile phone on him before the car will operate, Miller says. But if this authentication process doesn't happen correctly, criminals can obtain access.

[Also see Robert McMillan's With hacking, music can take control of your car]

Miller's proposed solution is a strong, repeatable and independent (outside of the vehicle) validation process managing this type of transaction.

The second issue is deprovisioning. This involves managing the process when an owner sells a car, and making sure that the previous owner can't still remotely start the car. "If the user [identity] isn't automatically deprovisioned from the old owner to the new owner, the old owner can still control the car's operation," Miller says.

(This is the basis for the title of the article: With capabilities like remote starting, smart parking, collision avoidance, et cetera, built into next-generation vehicles, you can conjecture a scenario in which a thief moves a vehicle without actually getting into it.)

Once the car is sold and the title is transferred, all of the vehicle's operations and access points should immediately and fully be transferred from the old owner to the new owner, Miller says.

The technology solution is "a single, independent system that sits in the middle, ensuring that the old owner is deprovisioned and the new owner is provisioned," Miller says. "Link this independent entity to the public title records to ensure that the transfer of ownership changes the status the old and new digital owners."

Another concern is a lack of two-factor authentication services. The password combinations used for owner access to the vehicle are insecure and hackable, Miller says. "Passwords can easily be guessed," he says. "Computers can be stolen and hacked into."

This threat can be address via extensive two-factor and risk-based authentications, Miller says. "Two-factor requires a second piece of information, and risk-based requires that the person be physically at a location or predetermined time before the authorization is given," he says.

The fourth threat is too many identities. "We're just getting too ID-weary," Miller says. "We have too many password combinations in too many places. Since people tend to pick simple password combinations, or use the same one at each instance (for both secure and unsecure sites), the danger of being hacked exponentially rises, he says.

A possible solution is to use one password combination everywhere, but ensure that it is extremely difficult to duplicate. "This requires a cloud-based identity broker that enables users to have a single ID, ensuring the correct--and hard-to-duplicate--identity and reducing identity fatigue," Miller says.

The final threat is too much decision-making in the vehicle, i.e. requiring that the vehicle make all the security decisions and take security actions.

"When too much decision making happens in the vehicle, then both in-vehicle software and hardware need to be updated, something people don't like to do," Miller says. "When they don't do it, security suffers." Again, his proposed solution is to move the security and identity decision making into the cloud.

Fact or fantasy?

One analyst says concerns of this sort are not as far out as you might think.

User identification for vehicles will become a growing concern as cars become more connected and networked, says Thilo Koslowski, a vice president and distinguished analyst at Garner Inc., who follows the automotive manufacturing industry.

"Consumers want to extend their digital lifestyles into the vehicle to access infotainment and safety-related content," Koslowski says. "Today's cars don't offer this level of connectivity and therefore this type of security isn't required, but this is going to change."

Koslowski predicts that by 2016 the majority of consumers in mature automotive markets such as the U.S. and Western Europe will begin to expect basic, in-vehicle Web-data access in their new cars. Around that time, or at least by the end of the decade, the auto industry will offer connected content in most of their cars, he says.

"Other advanced technologies including car-to-car and car-to-infrastructure communication as well as autonomous vehicles will further emphasize the need for user identification and data security," Koslowski says.

"Since more of the content and data management is moving 'off board,' the cloud is becoming a critical element in addressing the need for security and user identification reliably."

Subscribe to the Security Watch Newsletter

Comments