greater potential liability compared with manufacturers of mobile devices. Even the ability to remotely open a car’s doors could be life-threatening if it’s an assailant who’s flipping the locks, and the driver is sitting in a dark parking lot.
Connected cars also pose an increased security risk because they’re more vulnerable to physical breaches than small mobile devices, which often remain with users in the home or in a briefcase or bag, says Shankar Somasundaram, senior director of IoT security strategy at global information security firm Symantec (NASDAQ: SYMC). Cars are often parked on the street or in public garages. Drivers routinely hand their car keys to mechanics, valet parking attendants, friends, and family members.
“Physical access to cars happens a lot more than it happens to mobile devices,” Somasundaram says.
Mountain View, CA-based Symantec is already working with auto manufacturers to reduce the risks, and earlier this month the company identified automotive security as a key focus for a joint seed funding project with Frost Data Capital to nurture the growth of 10 new security startups a year.
Somasundaram says car makers do already have many security checks in place, such as shields intended to ensure that only trusted code can run on their processors. But security protection for automobile computers needs to be built in at the design phase—and often it isn’t, he says.
“A lot more can be done, which is why we see these attacks,” Somasundaram says, referring to the Jeep experiment and other demonstrations by security researchers. Current-model connected cars contain about 100 processors, and 5 million to 25 million lines of code, he says. Consumers and their many devices are interacting with this meshed network of computers. “I think that introduces a lot of risk,” Somasundaram says.
Auto manufacturers could do more to isolate their infotainment computers from the ones that control critical functions of the car, such as the engine and brakes, Somasundaram says.
According to Wired, Miller and Valasek tunneled through the Jeep’s cellular connection and rewrote code in the entertainment system, which allowed them to send commands to critical components including the accelerator, transmission, and brakes.
Fiat Chrysler initially offered owners of the affected cars a fix—a software patch they could install in the car themselves through a USB port. But just as with desktop computers or laptops, automakers have to make sure their remedies and software updates don’t introduce new threats to security.
Any car with an open USB port should have an antivirus shield to make sure the small USB memory storage unit doesn’t contain malware that could infect the car’s computers, Cobb says. When auto manufacturers rely on car owners to download a software patch themselves, they could open a number of routes to corrupt the car’s on-board computers. The consumer would likely download the patch from the manufacturer’s website to their own desktop or other computer—which may not be adequately protected from malware—and then copy the patch onto one of the family’s USB drives, which could contain other files or code, he says.
It may sound far-fetched, but