In the 1980’s and early 1990’s, carjackings were
unfortunately rampant. Not a day would go by when, depending on your geographic
location, when there would not be a carjacking. As this was a physical attack,
the aggressor would have to be reasonably proximate to the vehicle. This was
not an attack designed to be done remotely. Technology had modified this
deviant behavior, so that the attack could be accomplished from anywhere
ranging from a few feet away from the target to across the planet. The initial
form of this crime involved the theft of the vehicle. The new technology has
changed this mode of attack. Presently, the attacker may maliciously
interfering with its operations (e.g. air conditioning, steering, breaking,
etc.), unlocking the vehicle and turning off the alarm (if present), or many
other actions focused on the vehicle.
One aspect of this that will continue to grow in complexity
and risk involves the vehicle’s operations. At present, the vehicle may be a
target for the malicious attacks. These attacks may be on the vehicle’s breaks,
turning on or off the air conditioning, using the battery’s charge until it is
nearly zero or completely used, or the steering. This has the potential for a
harrowing adventure for the driver at the time. The theft would still however
involve a physical theft, post-remote unlocking of the doors. The owner could
be in a baseball game while this is done.
As technology continues to advance, the movement is toward a
self-driving vehicle. As this continues to take shape over the next decade, this
may become a target. The attacker could remotely take control over the vehicle
and, for example, update the destination address. Even with a passenger taking
control manually, the system could be over-written and the attacker would still
have control.
Over the next decade, information security needs to be taken
into consideration and implemented all along the way of design, and not near
the end of the project or only at significant milestones. This methodology has
not worked in the past 15 years and certainly would not work in the future. This
mode will only continue to allow errors and oversights, as have been present in
nearly all of the auto makers. The next 15 years holds exponentially more risk
than the last 15 years. As the connectivity of the vehicle increases, so will
the amount of attack surface that has to be secured by the application security
engineers.
The application security engineers at the automakers have a
serious and daunting task ahead. It is their responsibility to ensure a
satisfactory groundwork is in place to secure the vehicle and minimize the
opportunity for theft and continued deviance.
No comments:
Post a Comment