Cyber Security: McAfee on IoT Threats and Autonomous Cars

Cyber Security: McAfee on IoT Threats and Autonomous Cars

IoT Threats and Autonomous Cars

Autonomous cars are just around the corner, there have been controversies surrounding their safety, and a few doubts still hang in the minds of people who don’t like the idea of a computer driving their car. However, the biggest news stories surrounding this topic have been to do with how safely the cars are driving, not how safe they are from cyber-attack – the McAfee Threat Predictions 2016 Report warned that autonomous cars could have up to 12 separate surfaces vulnerable to cyber-attack. As our cars become a part of this interconnected world, they too must be secured against the kind of attacks that corrupt our other IoT devices. The security of our cars from IoT attacks should be top of our priority list, given that we will be trusting them with driving us around every day.

The vulnerability of IoT cars was demonstrated in a terrifying experiment last year, two hackers gained access and control over a Jeep Cherokee, they were able to adjust the climate control, the radio, the dashboard, they were even able to cut the transmission. Now consider the implications of having 220 million cars worldwide connected like an IoT device – one that is vulnerable to hacks.

IoT Threats

In the McAfee White Paper on Automotive Security they warn of the size and complexity of protecting a modern car from cyber-attacks, stating that “assessing the scope of threats is an immense job, and an attack surface may be left unprotected unintentionally”. In their report on threat predictions for 2017, they suggest that the control plane of IoT devices (namely autonomous cars) will be the primary target for hackers – the control plane often has access or control over other processes going on in the device. They claim that less time has been dedicated to the security of these systems, than there has been to the devices themselves, and thus the systems are now the weakest point. The other main weak points are the aggregation points, which are likely to be cloud-based so cloud security has a role to play as well. I mean, why hack one vehicle when you could hack into a whole fleet?

We spoke with Steve Grobman, CTO at Intel Security to ask him a few questions about the risks of adding cars to our connected world.

What part of an autonomous vehicles is most vulnerable to cyber-attack?

Steve GrobmanI think part of the challenge is there is not one single component, that there are so many areas of vulnerability. The challenge is going to be where we find vulnerabilities that need to be addressed while the cars and vehicles need to remain service.

There is an inherent delay between detection and deployment of security threats, practices like responsible disclosure will make it so vulnerabilities can be better addressed. I’d be very careful to point at one part of the car, or one part of the control system as the weak point. Maybe a good analogy is the car itself – what is the most important part of a car? Is it the steering wheel? The engine? The brakes?

It’s not that there aren’t critical systems, we have to look at the whole vehicle. When you get down to the next level, there are so many sub-components and different processes going on, you can’t focus on one part.

Do you think we will see a lot of hacks of autonomous cars/fleets, as they become ever more prominent in society?

I think we need to be prepared for it, but we also need to recognise that most cyber-attacks occur for a reason. They are usually driven by incentives for the bad actor and the ability of a bad actor to infiltrate a device or network.

We need to consider what the opportunity costs are for an actor attacking an autonomous car. Something that scares me is the ransomware business models, if you consider ransomware applied to a fleet of vehicles, then a bad actor could take control and hold the fleet to ransom. We need to be looking at it through the lens of the attacker, what is the level of investment compared to the return on that investment?

Making large scale attacks more difficult is more critical than securing individual devices. Autonomous vehicles are going to be some of the most complex interconnected devices ever created. Having them built without any weaknesses is unrealistic. We need to strive for strong security measures that minimise the risk to large scale attacks. There needs to be as much investment in patching and repair technology as there has been in vehicles themselves.

How can the industry best respond to these threats, or deal with them before they arise?

It is a multifaceted approach

  1. Strong investment in original design
  2. Investment in infield repair and upgrade vulnerabilities
  3. Invest in an aggressive research community to identify vulnerabilities before bad actors can exploit them

It Is a confluence of these 3 factors that will allow us to fully utilize this fantastic technology.

What advice would you give to those purchasing an autonomous car to ensure it is secure?

I think they key is going to be thinking about cyber security in the same way consumers think about safety and reliability. In the same way a consumer can’t run their own crash test, but they can look at independent evaluations. That same lens that is used for safety and reliability should be used for cyber security – look at which companies are investing in cyber security and what companies are passing independent security tests. It just becomes yet another criteria in the buying process.

So there is a need for a comprehensive security network to be built into the autonomous vehicle network. In the McAfee White Paper, they suggest a 4 pronged security plan, that encompasses Hardware Security, Software Security, Network Security, and Cloud Security. Only by focussing on all 4 aspects, can you truly secure an IoT device or system, especially one as sophisticated as an autonomous car. The future is autonomous, it is up to the manufacturers to decide how secure it will be.

By Josh Hamilton

About Josh Hamilton

An aspiring journalist and writer from Belfast, Northern Ireland, living in London, Ontario. Lover of music, politics, tech and life.

View Website
View All Articles

Sorry, comments are closed for this post.

Comics
Adopting A Cohesive GRC Mindset For Cloud Security

Adopting A Cohesive GRC Mindset For Cloud Security

Cloud Security Mindset Businesses are becoming wise to the compelling benefits of cloud computing. When adopting cloud, they need a high level of confidence in how it will be risk-managed and controlled, to preserve the security of their information and integrity of their operations. Cloud implementation is sometimes built up over time in a business,…

Three Reasons Cloud Adoption Can Close The Federal Government’s Tech Gap

Three Reasons Cloud Adoption Can Close The Federal Government’s Tech Gap

Federal Government Cloud Adoption No one has ever accused the U.S. government of being technologically savvy. Aging software, systems and processes, internal politics, restricted budgets and a cultural resistance to change have set the federal sector years behind its private sector counterparts. Data and information security concerns have also been a major contributing factor inhibiting the…

Data Breaches: Incident Response Planning – Part 1

Data Breaches: Incident Response Planning – Part 1

Incident Response Planning – Part 1 The topic of cybersecurity has become part of the boardroom agendas in the last couple of years, and not surprisingly — these days, it’s almost impossible to read news headlines without noticing yet another story about a data breach. As cybersecurity shifts from being a strictly IT issue to…

The Security Gap: What Is Your Core Strength?

The Security Gap: What Is Your Core Strength?

The Security Gap You’re out of your mind if you think blocking access to file sharing services is filling a security gap. You’re out of your mind if you think making people jump through hoops like Citrix and VPNs to get at content is secure. You’re out of your mind if you think putting your…

How Formal Verification Can Thwart Change-Induced Network Outages and Breaches

How Formal Verification Can Thwart Change-Induced Network Outages and Breaches

How Formal Verification Can Thwart  Breaches Formal verification is not a new concept. In a nutshell, the process uses sophisticated math to prove or disprove whether a system achieves its desired functional specifications. It is employed by organizations that build products that absolutely cannot fail. One of the reasons NASA rovers are still roaming Mars…

Beacons Flopped, But They’re About to Flourish in the Future

Beacons Flopped, But They’re About to Flourish in the Future

Cloud Beacons Flying High When Apple debuted cloud beacons in 2013, analysts predicted 250 million devices capable of serving as iBeacons would be found in the wild within weeks. A few months later, estimates put the figure at just 64,000, with 15 percent confined to Apple stores. Beacons didn’t proliferate as expected, but a few…

Achieving Network Security In The IoT

Achieving Network Security In The IoT

Security In The IoT The network security market is experiencing a pressing and transformative change, especially around access control and orchestration. Although it has been mature for decades, the network security market had to transform rapidly with the advent of the BYOD trend and emergence of the cloud, which swept enterprises a few years ago.…

Technology Influencer in Chief: 5 Steps to Success for Today’s CMOs

Technology Influencer in Chief: 5 Steps to Success for Today’s CMOs

Success for Today’s CMOs Being a CMO is an exhilarating experience – it’s a lot like running a triathlon and then following it with a base jump. Not only do you play an active role in building a company and brand, but the decisions you make have direct impact on the company’s business outcomes for…