Interview on the Security of Smart Cars – heute.de
On Sunday automakers will launch the international auto show in Detroit. There the cars of the future will be presented and the trend is clearly towards smart and connected vehicles. What will the smart cars be able to do?
The vehicle of the future will exchange information not only with the environment but also with infrastructure systems to allow the vehicle occupant a safe and pleasant driving experience. In the discussions about the car of the future, it is so often talked about the innovative technology, but little of the people inside the car. The smart cars will assist drivers by taking over tasks that machines are better capable to solve than people.
Is it technically possible that the cars of the future communicate, for example, with one another or with the environment like traffic lights or parking lots?
This is made possible by wireless communication. For example, industry experts are working right now on a communication standard called WAVE, which stands for Wireless Access in Vehicular Environments. The WAVE standard is an enhancement of wireless networks in order to meet the needs for networked cars.
You have stated recently, everything that can be hacked, will hacked. How can you protect the smart cars of the future from hacker attacks?
As security researchers, we must take this stance. In my view, a suitable mix between preventive and reactive mechanisms will protect the car of the future. Preventive mechanisms for example, block unauthorized access. Reactive mechanisms aim to detect conspicuous events in the system, which then might be assigned to attacks. The proper cooperation between the two mechanisms is crucial.
Also you also actively research the security of cars. What exactly are you working on?
At the moment I am concentrating my research efforts on reactive mechanisms and what particularly interests me is the manipulation of ECUs. Specifically, I’m working on a method to detect the manipulation of engine controllers.
At security conferences, hackers have already demonstrated how to hack the smart cars. They have, for example, manipulated speedometer, turned on brakes or even steered the vehicle using their laptops. Is it really so easy to hack the security of smart cars?
The short answer is no. Cars as they are currently on the streets have no protection mechanisms installed, as these researchers show impressively. Technically such manipulations are quite feasible. However, there are also limitations. For the attacks illustrated the attacker would have direct access to the car have, may open the hood or access differently to the vehicle electronics. In addition, the attacker would have to know exactly the format of control messages. This format will usually differ between vehicle types. The effort to successfully attack a vehicle can be very high.
What features of smart cars are particularly sensitive to attacks?
A main attack surface is secure software updates. How can you safely upgrade the software in a car? This question is a major challenge, especially if you’re including, so-called ‘over-the-air’ updates that are updates imported via a wireless connection in the car. Currently such functions are not widely deployed, but the cost savings and the possibilities such a feature would enable are huge.
Will there be an absolute security against hacker attacks at smart cars at all at some point?
No, there won’t absolute security. But the current security debate helps to raise awareness for security concerns and that is a basic requirement for safe systems. It is important that a single attack cannot disrupt the entire system. Even if one single attack is successful, it should be possible to contain the damage. Which is in turn a technical problem to be solved.
In your opinion, how important is the protection against hacker attacks for automakers in the development of their smart cars?
Cyber security is my perception very high on the priority list of the automakers.
A current trend is towards self-driving cars, like Google, for example, has been testing for some time. Even traditional automakers like Volkswagen strive for self-driving cars. As a driver, can you just sit back and even fall asleep while the car drives by itself, or would there be a risk that hackers take control of the car?
Such an attack would quite brazenly. But seriously, it’s not so important whether the driver or the autopilot take the decisions in the car, but that attack surface the interfaces in the car are exposing.
Smart devices store data to function as personalized as possible for their user. Must car holders fear that their car collects personally identifiable information and pass that on to the automakers?
The customers should not have any fear. I do not think that automakers have the intention to spy on someone or to do harm, but collect these data in order to build more efficient systems. This in turn provides benefits for the customer. The data should be anonymized and customers should ask for such features. This is also an interesting area of ongoing research.
Many thanks for the interview!
Interview with heute.de on January 8, 2015 (translated to English)