Back in 2008, Jeremy Clarkson printed his bank details in a newspaper to make the point that data theft was a “storm in a teacup”. Soon afterwards, he found £500 taken out of his account. “I was wrong and I have been punished for my mistake,” he wrote later.
In 2020, cyber-security specialist Martin Hron claimed he remotely hacked a coffee machine and made it demand a ransom. “As expected, it’s a simple binary protocol with hardly any encryption, authorization or authentication,” he reported. “Communication with machines takes place on TCP port 2081.”
A serious attacker wouldn’t waste time on a coffee pot, but consider this: many of us drive cars that use an unsecured type of over-the-air connection.
A number of recent cyber-security studies make that point. In the most recent well-known case, researchers at Sky-Go found 19 vulnerabilities in a Mercedes E-Class car. Another report, by Context Information Security and published by the consumer magazine Which?, inspected a Ford Focus and a Volkswagen Polo and found that both vehicles could be hacked remotely.
“Currently, there is no formal mandatory procedure for cyber security risk assessment in the automotive industry,” said Vladimir Pedanov, founder of the cyber-security start-up Autovisor.sg, in a phone interview. “In practice, that leads to a situation, just for instance, where an OEM uses the HTTP protocol for connectivity instead of HTTPS. In one case, we conducted security tests for a Chinese automaker and found numerous potential attack vectors. For instance, breaches of data could be done through in-cabin multimedia devices.”
Vladimir Pedanov is a member of the ISO working group on the future standard ISO/SAE 21434. He says that the new standard is going to put an end to bad practices such as using unencrypted HTTP for vehicle connectivity. Although the standard is supposed to be of a recommendatory nature, automakers are already approaching the working group for consultations so that they can bring their cyber security risk assessment processes into line ahead of its release.
ISO/SAE 21434 applies cybersecurity to the whole life cycle of a vehicle model, from the concept phase to post-production. Final release is planned for March 2021.
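The HTTP-versus-HTTPS practice Pedanov describes is the kind of thing a risk assessment can check mechanically rather than by hand. The Python below is an added example, not code from the article, from Autovisor.sg or from the standard itself; the configuration format, the `verify_tls` key and the `example-oem.invalid` hostnames are assumptions constructed for the illustration. It audits a vehicle connectivity configuration for cleartext transport schemes and disabled certificate verification, and produces the hardened form of the same configuration alongside.

```python
"""Audit a vehicle connectivity configuration for cleartext transport.

Added example. The config layout ({"endpoints": {name: {"url": ..., "verify_tls": ...}}})
is a constructed assumption, not any OEM's real format.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Cleartext schemes and the encrypted scheme to suggest in their place.
# Assumption: these are common choices; a real OEM stack may use others.
PLAINTEXT_TO_SECURE = {
    "http": "https",
    "ws": "wss",
    "ftp": "ftps",
    "mqtt": "mqtts",
}


@dataclass(frozen=True)
class Finding:
    endpoint: str
    url: str
    issue: str
    remediation: str


def audit_endpoints(config: dict) -> list[Finding]:
    """Return one Finding per endpoint that would move vehicle data in
    cleartext or with TLS verification switched off. Empty list = clean."""
    findings: list[Finding] = []
    for name, entry in config["endpoints"].items():
        url = entry["url"]
        scheme = urlparse(url).scheme.lower()
        if scheme in PLAINTEXT_TO_SECURE:
            findings.append(Finding(
                endpoint=name, url=url,
                issue=f"cleartext transport ({scheme})",
                remediation=f"use {PLAINTEXT_TO_SECURE[scheme]} and verify the server certificate",
            ))
        elif not entry.get("verify_tls", True):
            # Encrypted scheme, but the client will accept any certificate.
            findings.append(Finding(
                endpoint=name, url=url,
                issue="TLS certificate verification disabled",
                remediation="set verify_tls to true; pin or restrict the trusted CA",
            ))
    return findings


def harden(config: dict) -> dict:
    """Return a copy of the config with every cleartext scheme upgraded and
    certificate verification enabled. Hosts and ports are left unchanged; the
    backend must actually serve TLS on them (assumed, not checked here)."""
    hardened: dict = {"endpoints": {}}
    for name, entry in config["endpoints"].items():
        parsed = urlparse(entry["url"])
        scheme = parsed.scheme.lower()
        new_url = parsed._replace(scheme=PLAINTEXT_TO_SECURE.get(scheme, scheme)).geturl()
        hardened["endpoints"][name] = {**entry, "url": new_url, "verify_tls": True}
    return hardened


# Constructed sample configuration (not from any real vehicle or OEM).
WEAK_CONFIG = {
    "endpoints": {
        "telemetry":    {"url": "http://telemetry.example-oem.invalid/v1/upload"},
        "ota_updates":  {"url": "https://ota.example-oem.invalid/firmware", "verify_tls": False},
        "diagnostics":  {"url": "https://diag.example-oem.invalid/uds", "verify_tls": True},
        "infotainment": {"url": "ws://media.example-oem.invalid/stream"},
    }
}

if __name__ == "__main__":
    for f in audit_endpoints(WEAK_CONFIG):
        print(f"[{f.endpoint}] {f.issue}: {f.url} -> {f.remediation}")
    print("findings after hardening:", audit_endpoints(harden(WEAK_CONFIG)))
```

Running the audit on the constructed weak configuration reports the telemetry and infotainment endpoints for cleartext transport and the OTA endpoint for disabled certificate verification; the hardened copy produces no findings. In a real assessment the hardened URLs would still need to be exercised against the backend, since rewriting a scheme does not make a server speak TLS.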
“With the new standard, the cyber security requirements will spread from OEMs down to the whole supply chain,” Pedanov told me in a phone interview.
“The standard currently exists in the form of an international draft. Final release is planned for March 2021. It is supposed to be of a recommendatory nature at first, although certain state bodies can require mandatory compliance. Many automakers have already started preparing for compliance with the requirements of the standard, and we are helping some of them.”
In countries such as Germany, automakers already have to comply with the ISO 26262 standard.
“The difference between the standards ISO 26262 and ISO/SAE 21434 is that the first regulates the development of functional safety devices such as airbags and brake systems,” explains Pedanov. “It looks at cybersecurity through the prism of the overall safety of those devices. The latter applies cybersecurity to the whole automotive model’s life cycle, from the concept phase to post-production, and to the cyber-security of manufacturing.”
“Although the standard is not ready yet, its main structure has already been created and we can start implementing its requirements right now. The requirements do not prescribe the mandatory use of any particular means of protection. Even so, the standard already significantly increases the level of industry readiness for cyber attacks.”