Will your next car steal itself?

Five automotive security and identity challenges

As vehicles offer an ever-growing number of digital features, they could present several security threats--unless automakers manage these technologies effectively.

That's the thinking of Dave Miller, CSO at cloud-based platform vendor Covisint. Miller says that in a world of smarter cars, there are five key vehicle identity and security issues to consider. Now Miller believes that cloud services provide the answer to these threats, and given the obvious vested interest, it might be tempting to dismiss the whole concept. But his observations are interesting--read on to see whether you find these concerns compelling (and to get a reality check from a Gartner analyst).

Five automotive security and identity challenges

One challenge is identifying the right owner of the vehicle. "Technology, through password combinations or other similar methods, will bind us to our future cars, enabling us to operate, drive and maintain these vehicles," Miller says.

In some instances, this will require two-factor authentication, such as the car's legitimate owner physically having his mobile phone on him before the car will operate, Miller says. But if this authentication process doesn't happen correctly, criminals can obtain access.


Miller's proposed solution is a strong, repeatable and independent (outside of the vehicle) validation process managing this type of transaction.

The second issue is deprovisioning. This involves managing the process when an owner sells a car, and making sure that the previous owner can't still remotely start the car. "If the user [identity] isn't automatically deprovisioned from the old owner to the new owner, the old owner can still control the car's operation," Miller says.

(This is the basis for the title of the article: With capabilities like remote starting, smart parking, collision avoidance, et cetera, built into next-generation vehicles, you can conjecture a scenario in which a thief moves a vehicle without actually getting into it.)

Once the car is sold and the title is transferred, all of the vehicle's operations and access points should immediately and fully be transferred from the old owner to the new owner, Miller says.

The technology solution is "a single, independent system that sits in the middle, ensuring that the old owner is deprovisioned and the new owner is provisioned," Miller says. "Link this independent entity to the public title records to ensure that the transfer of ownership changes the status of the old and new digital owners."
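The owner binding, second-factor check and deprovisioning described above, as an added example (not from the article or from Covisint). It assumes a hypothetical off-vehicle `OwnershipBroker` that ties each vehicle to one owner plus an epoch counter, so a title transfer invalidates every token issued to the previous owner; the class, command names and VIN are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class OwnershipBroker:
    """Hypothetical off-vehicle broker: binds each VIN to one owner and an epoch."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key held only by the broker
        self._records = {}                    # vin -> (owner_id, epoch)

    def _sign(self, vin, owner_id, epoch):
        msg = f"{vin}|{owner_id}|{epoch}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def provision(self, vin, owner_id):
        """Record a title event: new owner in, epoch bumped, older tokens dead."""
        _, epoch = self._records.get(vin, (None, 0))
        self._records[vin] = (owner_id, epoch + 1)
        return self.issue_token(vin, owner_id)

    def issue_token(self, vin, owner_id):
        current_owner, epoch = self._records.get(vin, (None, 0))
        if owner_id != current_owner:
            raise PermissionError("not the owner of record")
        return {"vin": vin, "owner": owner_id, "epoch": epoch,
                "mac": self._sign(vin, owner_id, epoch)}

    def authorize(self, token, command, phone_present):
        """Decide off-vehicle whether a remote command may run."""
        expected = self._sign(token["vin"], token["owner"], token["epoch"])
        if not hmac.compare_digest(expected, token["mac"]):
            return "deny: forged or altered token"
        owner, epoch = self._records.get(token["vin"], (None, 0))
        if (token["owner"], token["epoch"]) != (owner, epoch):
            return "deny: deprovisioned identity"
        if command in {"remote_start", "unlock"} and not phone_present:
            return "deny: second factor missing"
        return "allow"

def demo():
    broker = OwnershipBroker()
    vin = "CONSTRUCTED-VIN-0001"               # constructed sample value
    old = broker.provision(vin, "alice")
    before = broker.authorize(old, "remote_start", phone_present=True)
    new = broker.provision(vin, "bob")         # title transfer to a new owner
    after_old = broker.authorize(old, "remote_start", phone_present=True)
    after_new = broker.authorize(new, "remote_start", phone_present=True)
    no_phone = broker.authorize(new, "remote_start", phone_present=False)
    return before, after_old, after_new, no_phone
```

Because the epoch only ever increases, a token from an earlier period of ownership stays invalid even if the same person later buys the car back.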

Another concern is a lack of two-factor authentication services. The password combinations used for owner access to the vehicle are insecure and hackable, Miller says. "Passwords can easily be guessed," he says. "Computers can be stolen and hacked into."

This threat can be addressed via extensive two-factor and risk-based authentications, Miller says. "Two-factor requires a second piece of information, and risk-based requires that the person be physically at a location or predetermined time before the authorization is given," he says.

The fourth threat is too many identities. "We're just getting too ID-weary," Miller says. "We have too many password combinations in too many places." Since people tend to pick simple password combinations, or use the same one at each instance (for both secure and unsecure sites), the danger of being hacked exponentially rises, he says.

A possible solution is to use one password combination everywhere, but ensure that it is extremely difficult to duplicate. "This requires a cloud-based identity broker that enables users to have a single ID, ensuring the correct--and hard-to-duplicate--identity and reducing identity fatigue," Miller says.

The final threat is too much decision-making in the vehicle, i.e. requiring that the vehicle make all the security decisions and take security actions.

"When too much decision making happens in the vehicle, then both in-vehicle software and hardware need to be updated, something people don't like to do," Miller says. "When they don't do it, security suffers." Again, his proposed solution is to move the security and identity decision making into the cloud.

Fact or fantasy?

One analyst says concerns of this sort are not as far out as you might think.

User identification for vehicles will become a growing concern as cars become more connected and networked, says Thilo Koslowski, a vice president and distinguished analyst at Gartner Inc., who follows the automotive manufacturing industry.

"Consumers want to extend their digital lifestyles into the vehicle to access infotainment and safety-related content," Koslowski says. "Today's cars don't offer this level of connectivity and therefore this type of security isn't required, but this is going to change."

Koslowski predicts that by 2016 the majority of consumers in mature automotive markets such as the U.S. and Western Europe will begin to expect basic, in-vehicle Web-data access in their new cars. Around that time, or at least by the end of the decade, the auto industry will offer connected content in most of their cars, he says.

"Other advanced technologies including car-to-car and car-to-infrastructure communication as well as autonomous vehicles will further emphasize the need for user identification and data security," Koslowski says.

"Since more of the content and data management is moving 'off board,' the cloud is becoming a critical element in addressing the need for security and user identification reliably."
