- real-world cybersecurity issues are growing, and a number of ces participants stand ready to guard your data.
- author and hacking specialist alissa knight says it's up to each of us to demand the automakers get this technology right.
- guardknox wants to work with dealers on an aftermarket protection device.
automotive cybersecurity is a challenge. a number of challenges, actually. automakers are challenged to protect their cars. hackers see a challenge in getting into your car. and if you were to challenge most drivers to identify how secure or vulnerable their vehicles are, you would probably get nothing but blank stares.
"vehicles are nothing more than computer networks on wheels now," automotive security expert alissa knight told car and driver. knight is the author of the forthcoming book hacking connected cars: tactics, techniques, and procedures, and her information page for the panel she spoke at during ces calls her "a recognized hacker." customers don't have a lot of options in how their vehicle is secured, she said. if someone is shopping for a car, it's more than a little difficult to bring their own firewall to protect the vehicles from hacking attacks.
"you need to rely on the [auto manufacturers], but if you think about it, the automakers are . . . building a bastardized stack of other people's products," she said.
and suppliers are limited in the kind of security they can offer the automakers, knight said. they can't go in and harden a vehicle's code, because it belongs to the automaker. one thing a supplier can do is build a device that sits in the network to monitor and block inappropriate traffic. knight cited an ecu-based firewall from towersec that works like a firewall on a traditional computer network to limit traffic, defining which devices can talk to which other devices, as an example of a way for automakers to get better control of their connected cars. towersec, an automotive security firm based in israel and michigan, was acquired for $70 million in 2016 by harman for its connected-car division.
knight said she believes getting everyday drivers to understand the risks is going to be a long evolution. many people still don't understand security in personal computers, and those have been in general use for around 30 years.
"the consumer is 100 percent at the mercy of the automaker to secure that vehicle," she said. "what the consumer needs to do is not ask what kind of leather it has or if you can get facebook on the head unit. they have to ask questions like, can the head unit communicate with the steering column and other life-safety units? and if so, why? consumers need to ask these questions until the automakers get it."
pursuing cybersecurity with carmaker partners
a modern or future connected car probably can't be 100 percent secure, at least in the near future. the israeli company guardknox was also at ces this year to talk automotive cybersecurity and share its ideas for anti-hacking protection by teaming with major automakers. a spokesperson told c/d that even though guardknox products are not currently deployed in vehicles, the company expects to make product announcements in 2020, most likely in europe and asia.
guardknox was formed in 2015 by a group of israel air force cybersecurity r&d veterans. it opened an office in ann arbor, michigan, earlier this month and, in the middle of 2019, raised $21 million in series a funding, including money from two automotive industry investors, shanghai automotive's saic capital and faurecia.
guardknox is publicly talking about two partnerships it has with automakers. first, it's working with porsche on an ecu-based secure network orchestrator that protects in-car communications from outside hacking attacks. second, guardknox claims a partnership with daimler's pre-development and innovation department on wireless interactive accessories that use guardknox's bluetooth-to-can gateway—again, to prevent hacking.
the automakers themselves, though, seem to be more interested in keeping their security efforts, well, secure. benjamin oberkersch, a global communications spokesperson for mercedes-benz cars and vans, told us that he could not comment because "as you know, car it security topics are very sensitive." porsche did not return repeated requests for comment on the company's work with guardknox.
guardknox was founded based on the idea that automotive cybersecurity needs to be proactive and does not work as a reactive technology, ceo and co-founder moshe shlisel told c/d. there has to be a physical separation between the safety-critical systems and the rest of the car, he says, so if—for example—the infotainment system gets hacked, the rest of the car still operates as intended. this is what led guardknox to develop its secure network orchestrator (sno) product lines. guardknox says that these products offer "comprehensive vehicle cybersecurity protection against any type of known and unknown cyberattack."
"we protect the entire communication in the vehicle and what goes in and what goes out," shlisel said. "when guardknox is installed in a vehicle, you have fighter-jet protection at an automotive price."
getting security to consumers via aftermarket devices
shlisel often speaks in military terms, sketching potential scenarios such as a hacked fuel tanker truck entering a city and comparing it to a bomb. that's an extreme situation, of course. for more common ones a solution, guardknox believes, is to offer aftermarket anti-hacking devices to the market through automotive dealerships or other businesses. shlisel wouldn't say how much a future secure-network (sno) device might cost a driver, instead pointing out how much goodwill dealerships could generate by offering them to customers.
such a device would likely need to be updated, which could mean more regular communication between the dealer and the driver, shlisel said. dealers would be getting a product that protects the vehicle and also increases the probability that they will sell more cars.
"from an economic perspective, they should give it away for free," he said.