Cyber IoT Security: McAfee on Threats and Autonomous Cars

IoT Security

Autonomous cars are just around the corner, there have been IoT security controversies surrounding their safety, and a few doubts still hang in the minds of people who don’t like the idea of a computer driving their car. However, the biggest news stories surrounding this topic have been to do with how safely the cars are driving, not how safe they are from cyber-attack – the McAfee Threat Predictions 2016 Report warned that autonomous cars could have up to 12 separate surfaces vulnerable to cyber-attack. As our cars become a part of this interconnected world, they too must be secured against the kind of attacks that corrupt our other IoT devices. The security of our cars from IoT attacks should be top of our priority list, given that we will be trusting them with driving us around every day.

IoT Device SecurityThe vulnerability of IoT cars was demonstrated in a terrifying experiment last year, two hackers gained access and control over a Jeep Cherokee, they were able to adjust the climate control, the radio, the dashboard, they were even able to cut the transmission. Now consider the implications of having 220 million cars worldwide connected like an IoT device – one that is vulnerable to hacks.

IoT Security and Devices

In the McAfee White Paper on Automotive Security they warn of the size and complexity of protecting a modern car from cyber-attacks, stating that “assessing the scope of threats is an immense job, and an attack surface may be left unprotected unintentionally”. In their report on threat predictions for 2017, they suggest that the control plane of IoT devices (namely autonomous cars) will be the primary target for hackers – the control plane often has access or control over other processes going on in the device. They claim that less time has been dedicated to the IoT security of these systems, than there has been to the devices themselves, and thus the systems are now the weakest point. The other main weak points are the aggregation points, which are likely to be cloud-based so cloud security has a role to play as well. I mean, why hack one vehicle when you could hack into a whole fleet?

We spoke with Steve Grobman, CTO at Intel Security to ask him a few questions about the risks of adding cars to our connected world.

What part of an autonomous vehicles is most vulnerable to cyber-attack?


I think part of the challenge is there is not one single component, that there are so many areas of vulnerability. The challenge is going to be where we find Vulnerabilities that need to be addressed while the cars and vehicles need to remain service.

There is an inherent delay between detection and deployment of security threats, practices like responsible disclosure will make it so vulnerabilities can be better addressed. I’d be very careful to point at one part of the car, or one part of the control system as the weak point. Maybe a good analogy is the car itself – what is the most important part of a car? Is it the steering wheel? The engine? The brakes?

It’s not that there aren’t critical systems, we have to look at the whole vehicle. When you get down to the next level, there are so many sub-components and different processes going on, you can’t focus on one part.

Do you think we will see a lot of hacks of autonomous cars/fleets, as they become ever more prominent in society?

I think we need to be prepared for it, but we also need to recognise that most cyber-attacks occur for a reason. They are usually driven by incentives for the bad actor and the ability of a bad actor to infiltrate a device or network.

We need to consider what the opportunity costs are for an actor attacking an autonomous car. Something that scares me is the ransomware business models, if you consider ransomware applied to a fleet of vehicles, then a bad actor could take control and hold the fleet to ransom. We need to be looking at it through the lens of the attacker, what is the level of investment compared to the return on that investment?

Making large scale attacks more difficult is more critical than securing individual devices. Autonomous vehicles are going to be some of the most complex interconnected devices ever created. Having them built without any weaknesses is unrealistic. We need to strive for strong security measures that minimise the risk to large scale attacks. There needs to be as much investment in patching and repair technology as there has been in vehicles themselves.

How can the industry best respond to these threats, or deal with them before they arise?

It is a multifaceted approach

  1. Strong investment in original design
  2. Investment in infield repair and upgrade vulnerabilities
  3. Invest in an aggressive research community to identify vulnerabilities before bad actors can exploit them

It Is a confluence of these 3 factors that will allow us to fully utilize this fantastic technology.

What advice would you give to those purchasing an autonomous car to ensure it is secure?

I think they key is going to be thinking about cyber security in the same way consumers think about safety and reliability. In the same way a consumer can’t run their own crash test, but they can look at independent evaluations. That same lens that is used for safety and reliability should be used for cyber security – look at which companies are investing in cyber security and what companies are passing independent security tests. It just becomes yet another criteria in the buying process.

So there is a need for a comprehensive security network to be built into the autonomous vehicle network. In the McAfee White Paper, they suggest a 4 pronged security plan, that encompasses Hardware Security, Software Security, network security, and Cloud Security. Only by focussing on all 4 aspects, can you truly secure an IoT device or system, especially one as sophisticated as an autonomous car. The future is autonomous, it is up to the manufacturers to decide how secure it will be.

By Josh Hamilton

David Gevorkian

How to Apply Website Accessibility in UX and How to Achieve Better User Experience

Design Tweaks: Apply Website Accessibility in UX In this current digital age, websites have become more complex because of the introduction of various aesthetic designs on a web page interface. It especially affects people with ...
Bill Talbot

How IT Operations Can Survive and Thrive in a Multi-cloud World

IT Operations Can Thrive in a Multi-cloud World IT operations teams are contending with the reality that growing volumes of workloads are running across multiple cloud services. While multi-cloud environments are growing ubiquitous, many IT ...
Gary Bernstein

Infographic: The Data That Never Sleeps

Here’s What Happens Every Minute on the Internet in 2020 In 2020, the world changed fundamentally – and so did the data that makes the world go around. As COVID-19 swept the world, nearly every ...
Ajay

Explainable Intelligence Part 2 – Illusion of the Free Will

Illusion of the Free Will Explainable Artificial Intelligence (XAI) is getting a lot of attention these days, and like most people, you're drawn to it because the very nature of neural networks - opacity induces the ...
Flexiant Tony Lucas

There Are Still Opportunities For Service Providers

Opportunities For Service Providers Service providers (SPs) still have a golden, but short-lived opportunity to commercialize the $266.4 billion cloud services market before AWS and others call it “game over.” By being more agile, able to ...
Mark Kirstein

IT Pros Can Now Deliver a More Streamlined, Cost-Efficient Migration of Microsoft Teams

IT Pros Deliver a More Streamlined Migration of Microsoft Teams In the modern workplace, the ability for employees to collaborate and engage with each other on projects in real time is becoming essential. The increased ...