A growing number of automakers have announced plans to integrate fast data connections into their models. High-speed internet could lead to increased driver safety and entertainment options. However, the boost in features could also leave software vulnerabilities. “Modern vehicles already operate with more than 100 million lines of code, multiple communication mechanisms such as GPS, RDS, Bluetooth, Wi-Fi and more,” Brian Contos, the chief security officer of Phosphorus Cybersecurity, told Lifewire in an email interview. “That much code in a hyper-connected device dictates that there are going to be bugs and security vulnerabilities.”
5G for the Road
Audi and Verizon plan to bring 5G Ultra-Wideband technology to the automaker’s vehicle lineup, starting with the model year 2024 vehicles. The faster connectivity will pave the way for new features, such as improved driver assistance. Once there is a 5G connection to the car, the driver and passengers could benefit from real-time traffic updates, regular software updates, and more. But the car will also feed more location information, driving routes, and stops, plus potentially full video feedback to every app or monitoring network. Some cars are already running Android in their dashboards, pointed out Mike Juran, the CEO of Altia, a company that makes user interface software for vehicles. “While this provides a great platform for drivers and passengers to enjoy the benefit of 5G, the party responsible for the data shared within each app being used in the car is the OEM,” Juran told Lifewire in an email. “Certainly, drivers are responsible for selecting privacy settings on their smartphones, but what happens in the car? Free platforms like Android must monetize the data. OEMs need to act as gatekeepers to protect privacy and security.” Because of the nature of a vehicle as a moving object with vulnerable passengers inside, security issues could become safety issues, Contos said. Any collected, transmitted, and stored data can be corrupted, intercepted, or stolen. One 5G feature touted by automakers is software updates sent over the air (OTA). But this same feature could allow attackers to inject malicious code into the firmware updates or spoof an official OTA update to force the code in that way, Contos said. Simple coding errors by the vehicle manufacturer could also inject firmware-level bugs and physical impairments into the vehicle. “Additionally, the vehicle-to-everything communication capabilities that are enabled by 5G could allow hackers to use other compromised devices to infect the car’s computerized systems,” Contos added. “For instance, imagine a smart traffic light that was infected with malware, which communicates to the vehicle.”
Software Seatbelts
Keeping cars safe from cyber threats will take many of the same steps that go into other kinds of software development. To prevent car hacks, security must be built into the code from the very start, not just patched on later, Contos said. For OTA updates, carmakers need to ensure strong encryption practices and ensure that safeguards are in place for authenticating a legitimate software update. Most of the data protection today from car manufacturers is done around the electronic control unit and data modules, Alex Lam, the chief strategy officer at the cybersecurity firm TechDemocracy, said in an email. Hackers that attack these parts of a car need to have a hardwired connection to the vehicle. For example, most vehicle ECUs can only be accessed by physically connecting to the OBD2 port on the car. Standard off-the-shelf vehicle scanners can then access standard module data, Lam said. However, more vehicle and vendor-specific data modules require proprietary vendor-specific software tools to read telemetry and other data. Recoding of the vehicle’s computer modules can be done with the proprietary software. “As vehicles become connected to the 5G network, especially as part of an autonomous vehicle network, the vehicle-specific data will be naturally connected into the broader network,” Lam said. “This could provide a potential entry point if not secured.”