Based on Movimento’s decades of experience programming and reflashing cars and components for many automakers and Tier 1 suppliers, here are five best practices to keep in mind when securing the connected car.
(1) Encrypt car’s wide area network communications
Encrypting network communications has long been a method to protect against data theft and guarantee confidentiality, and yet only in February of this year BMW pushed an OTA software update to 2.2 million BMW, Mini and Rolls-Royce cars equipped with their ConnectedDrive system to implement encryption for car communications.
BMW’s “in the clear” transmission of data was uncovered by a group of hackers from Allgemeiner Deutscher Automobil-Club (ADAC), a German auto club, who set up rogue cell sites to which the test vehicles automatically connected. Once in, hackers were able to lock and unlock doors, access the navigation and entertainment system, and change environmental settings.
(2) Don’t let components software update each other
Viruses frequently spread within information systems by first finding a foothold, then scanning the network for insecure devices that they can infiltrate. One of the ways to stop this type of wildfire is to prevent vehicle Electronic Control Units (ECUs) from software updating aka reflashing each other.
Reflashing matters because some of the most dangerous viruses infect a computer’s BiOS or other root vectors, which are often exposed at startup. Preventing ECUs that become infected from spreading the infection to others is a primary line of defense.