In the 1980’s and early 1990’s, carjackings were unfortunately rampant. Not a day would go by when, depending on your geographic location, when there would not be a carjacking. As this was a physical attack, the aggressor would have to be reasonably proximate to the vehicle. This was not an attack designed to be done remotely. Technology had modified this deviant behavior, so that the attack could be accomplished from anywhere ranging from a few feet away from the target to across the planet. The initial form of this crime involved the theft of the vehicle. The new technology has changed this mode of attack. Presently, the attacker may maliciously interfering with its operations (e.g. air conditioning, steering, breaking, etc.), unlocking the vehicle and turning off the alarm (if present), or many other actions focused on the vehicle.
One aspect of this that will continue to grow in complexity and risk involves the vehicle’s operations. At present, the vehicle may be a target for the malicious attacks. These attacks may be on the vehicle’s breaks, turning on or off the air conditioning, using the battery’s charge until it is nearly zero or completely used, or the steering. This has the potential for a harrowing adventure for the driver at the time. The theft would still however involve a physical theft, post-remote unlocking of the doors. The owner could be in a baseball game while this is done.
As technology continues to advance, the movement is toward a self-driving vehicle. As this continues to take shape over the next decade, this may become a target. The attacker could remotely take control over the vehicle and, for example, update the destination address. Even with a passenger taking control manually, the system could be over-written and the attacker would still have control.
Over the next decade, information security needs to be taken into consideration and implemented all along the way of design, and not near the end of the project or only at significant milestones. This methodology has not worked in the past 15 years and certainly would not work in the future. This mode will only continue to allow errors and oversights, as have been present in nearly all of the auto makers. The next 15 years holds exponentially more risk than the last 15 years. As the connectivity of the vehicle increases, so will the amount of attack surface that has to be secured by the application security engineers.
The application security engineers at the automakers have a serious and daunting task ahead. It is their responsibility to ensure a satisfactory groundwork is in place to secure the vehicle and minimize the opportunity for theft and continued deviance.
Learn more ways to protect your business at The National Cybersecurity Institute.
Charles Parker, II, has been coding since the mid-1980’s, and has been working in the finance, auto manufacturer, and health industries seeking secure solutions for issues for over 17 years. Charles has an MBA, MSA, JD, LLM, and is a doctoral candidate for a PhD in Information Assurance and Security.