Automotive cybersecurity is no longer an afterthought; it is now regarded in much the same way organizations regard information security. “20, 25 years ago people didn’t think of web browsers as needing security,” suggests Chris Valasek, one of the duo who remotely took control of a Jeep Grand Cherokee in 2015, showing the world the need for automotive cybersecurity. “But now we know that a huge piece of end-user security is how secure the web browser is. This is where we are going with automobiles (…) Just like we saw with Microsoft and other software companies it’s an iterative process and it will get better over time. At one point Microsoft was the insecure operating system. Now they’re doing a really good job of it. So, it just takes time.”
Maanak Gupta, a doctoral candidate at The University of Texas at San Antonio, and Ravi Sandhu, Lutcher Brown Endowed Professor of computer science and founding executive director of the UTSA Institute for Cyber Security (ICS), have now created an authorization framework for conceptually reviewing the key access control decision and enforcement points for all kinds of interaction with the connected car. The proposed framework might be the key to determining which vulnerabilities of the car can be exploited, and where. The ICS team is now working on creating and using security authentication and authorization policies that would prevent unauthorized access to the cars' sensors.
“There are infinite opportunities in this new IoT domain but at the same time cyber threats will have serious implications in smart cars. Can you imagine if someone controls your car steering remotely, or shuts down the engine in the middle of the road?” Gupta said. “There should not be absolutely any open end to orchestrate attacks on these cars.”
Gupta also noted that the authorization framework can be applied to smart and driverless cars, as these are not only driving the automotive industry of tomorrow but are also highly vulnerable to cyber attacks.
“If we’re going to open the world to cars driven by machines, we must be absolutely certain that they aren’t able to be compromised by a malicious attack,” he said. “That is what this framework is for.”