In recent years, connected cars, which are linked to the Internet and offer a variety of convenient functions, have become increasingly common. With that has come a government push toward getting even higher-level self-driving automobiles on the road by 2020. Automobiles are becoming an increasingly comfortable mode of transportation. These developments, however, bring with them the risk of cyber-attacks—something that would not have been possible against cars in the past. Here at NRI SecureTechnologies (hereafter “NRI Secure”), we have valued the importance of security since ten years before the term “IoT” (Internet of Things) was even coined. We asked Daisuke Noguchi, an NRI Secure consultant who researches car security technologies, what we need to do in order to keep our cars safe in the future.
Terrorism, theft, pranks
What kind of cyber-attacks are possible against automobiles, and what dangers do they pose? Mr. Noguchi discusses three possibilities.
“The first possibility is terrorism. Unauthorized remote access would make it possible for a terrorist to take control of the steering function, make it so the brakes don’t work, or even lock the doors. All of these can be a threat to human lives. The second possibility is theft. Criminals can alter the data in a car key to gain access and steal the car for themselves. Third are so-called pranksters, who might take control of a system to open and close people’s car windows, or turn their indicators on and off.”
These things are possible because, like smartphones, automobiles nowadays are connected to a variety of external networks and devices, which gives attackers who gain unauthorized access into the system the ability to control the car’s actual driving mechanisms. “It’s like cars have become toys, turned into remote control cars,” says Mr. Noguchi.
Implementing the Automotive Penetration Test
Automobile manufacturers have taken this danger into account and began working to address it a few years ago, establishing security offices within their companies. In May 2017, we at NRI Secure released a service called the “Automotive Penetration Test,” aimed at automobile manufacturers. In this service, specialists at NRI Secure attempt to infiltrate the automotive systems of the car and gain remote access to the car’s engine, brake, door lock, and indicator controls, much like a hacker would.
The cars are evaluated through broad and detailed criteria based on standards like the EDSA, an international standard for control equipment. We report on any vulnerabilities and suggest possible solutions, so that the automobile manufacturer is able to strengthen the security of their cars.
The equipment installed in automobiles can be classified largely into three categories: information systems, which connect to external networks or devices; control systems like the brakes and steering wheel, which control the body of the vehicle; and gateway (GW) technologies, which separate these two systems. If an information system is attacked through something like an external network, the attacker may infiltrate the control system via the GW, which would allow them to manipulate the vehicle.
The need for a continuous monitoring system for security
Though these security evaluations are effective for the time being, Mr. Noguchi says that continuous security monitoring will be what is important in the future.
“Until now, with regards to the product cycle, there was no real need to tweak anything on the automotive systems and equipment on cars that people had already bought, unless they were recalled. But now that cars are connected to networks, there is a need to preserve security throughout the life-span of the vehicle, even after it is in the hands of the consumer. Systems must be continuously monitored for issues, and there must be countermeasures in place against any issues. In this sort of circumstance, we believe that continuous ‘monitoring,’ to check whether any systems are under attack, will be of particular importance.”
Utilizing our long-term, multi-lateral experience, and the strength of our team of specialists
Connected cars will come into widespread use in the future, and are expected to make up over 90% of the new cars that are sold in 2035. Self-driving cars will also become increasingly common as their technologies become more refined, their range of use increases, and many more of these cars show up on the road. As this occurs, the traffic on automotive systems and the number of external connections will increase and the technology will become more sophisticated, bringing with them an increased risk of hacking. Mr. Noguchi says that for this reason, “it is very important that we have a system to monitor car security. This kind of system will serve as an important part of the infrastructure to preserve safe driving into the future.”
“So far, we at NRI Secure have provided one of Japan’s only advanced monitoring services in the field of information security. Over ten years ago, we began sounding the alarms for security threats to control system infrastructures for things like electricity, gas, and water, back when society still didn’t understand the importance of such security, and have dedicated ourselves to providing security measures to handle these threats. We have also had experience monitoring the information systems of financial institutions, which are under heavy threat of attack. We plan to utilize these experiences, which span a variety of fields, to help realize safe driving in future society.”
NRI Secure is home to a team of white-hat hackers (ethical hackers) that includes former winners of world hacking tournaments, as well as professionals with experience in the information security field across a variety of industries. The company will utilize these strengths as we dedicate ourselves to the realization of the safe, motorized society of the future.
Nomura Research Institute, Ltd.
Corporate Communications Department