Security standards for smart cars should be ‘way higher’: McAfee researcher

JP Dunning, principal security consultant for McAfee Foundstone Services, says that because a hack on a car has a more direct impact than one resulting in data loss, the security standards for these vehicles need to be more stringent.

Some of the equipment needed to hack into a car's electronics. (Photo: McAfee)

SINGAPORE: Imagine you’re driving on the expressway in Singapore in your new car which boasts the latest infotainment unit as well as advanced features such as assisted parking, when the vehicle suddenly brakes.

At the same time, the windscreen wipers are activated and the sound system is jacked up to maximum volume.

These are all potential hacking scenarios that could take place, given the inherent vulnerabilities that exist with more advanced cars available these days, as carmakers include more electronic components with the intention of giving drivers a better experience, according to one cybersecurity expert.

Mr JP Dunning, principal security consultant for McAfee’s Foundstone Services, told Channel NewsAsia in an interview on Thursday (Sep 28) that as manufacturers layer more electric components into their cars, the level of vulnerability for these vehicles rises correspondingly.

These make them an attractive target for cybercriminals who want to make their mark. “Anything new in software or hardware is open to vulnerabilities,” Mr Dunning said.

This is particularly so for the Internet of Things (IoT) environment - which refers to the connecting of devices such as fridges, lights and, yes, cars to the Internet - as it is “security immature”, the threat researcher added.

Even if the carmaker and its ecosystem of suppliers for various parts of the vehicle observe good security hygiene in the production of the cars, there is a possibility that third-party manufacturers in the after-care market may not.

The green panel is the Controller Area Network (CAN), which enables a car's electronic components to "talk" to each other, while the yellow panel is the on-board diagnostic adapter. (Photo: McAfee)

Mr Dunning added that standards for ensuring the security of connected cars should be “way higher” than those for other IoT devices, as the impact of having one’s car hacked is more direct and immediate compared to data loss.

One could potentially lose limbs or even life if a hack takes place while one is driving, and there is also an impact on the surrounding environment when it happens, he explained.


So should car owners think twice about getting the latest model out in the market, and opt for mostly mechanical alternatives to minimise the chances of being hacked?

Mr Dunning said that while there are inherent risks in these vehicles, the barrier to entry for researching car-related vulnerabilities is actually quite high. Hackers will have to buy a car, and test its components, to see where the vulnerabilities are. For example, if there is a Bluetooth vulnerability, this might play out differently in different cars depending on the manufacturers’ implementation, he said.

This is why much of the research behind the stated vulnerabilities for cars is conducted in controlled environments, using individual parts that can be bought relatively cheaply, or with the support of carmakers, Mr Dunning said.

He said carmakers could be more open to threat disclosures by external parties. While some of them are, and have participated in hackathons where their cars can be hacked and vulnerabilities logged and addressed before going to market, others have taken a “how dare you” attitude to such disclosures and even threatened legal action, he noted.

“There’s less research on car hacking out there than there should be,” Mr Dunning said, adding that it’s a “wait-and-see for the next few years” situation whether cars will become more open or resistant to getting hacked.

Source: CNA/kk