Micki Boland is a global cyber security warrior and evangelist with Check Point’s Office of the CTO. Micki has over 20 years in ICT, cyber security, emerging technology, and innovation. Micki’s focus is helping customers, system integrators, and service providers reduce risk through the adoption of emerging cyber security technologies. Micki is an ISC2 CISSP and holds a Master of Science in Technology Commercialization from the University of Texas at Austin, and an MBA with a global security concentration from East Carolina University.

In this highly informative Cyber Talk interview, Check Point expert Micki Boland provides an analysis of Software Defined Vehicles, describing their advantages and flaws, along with actionable security best practices that can keep software safe.

Help our readers understand what benefits the Internet Connected Software Defined Vehicle provides to drivers, automakers and public transportation systems:

For a variety of stakeholders, the continued development of connected vehicles offers several key benefits. I’ll briefly outline them below:

1. Driver’s perspective:

•    Improved driving experience by optimizing routes.
•    Enhanced personal safety through real-time information about road hazards, construction zones, and weather-related dangers.
•    Access to rapid emergency services and roadside assistance on demand.

2. Vehicle manufacturer’s perspective:

•    Ability to offer road hazard services and monitor vehicle telemetry data.
•    Delivery of software updates for infotainment and onboard systems.
•    Monitoring of vehicle health and providing consumers with access to vehicle statistics.
•    Enhances vehicle safety with features like crash avoidance systems.

3. Public transportation systems and public safety:

•    Communication with intelligent transportation systems to improve infrastructure.
•    Integration with smart city infrastructure to enhance public safety and reduce traffic-related fatalities.

Connected vehicles are not just a concept; they are a reality. Many vehicles already transmit telemetry data to auto makers and third parties, allowing for software updates and remote monitoring. Additionally, across the globe, efforts are underway to establish communication between vehicles and traffic management systems, contributing to the development of smart cities.

Is my Software Defined Vehicle vulnerable to hijacking, vehicle theft and the hacking of systems and software? Is it also capable of invading my privacy?

Threat actors are actively seeking to hijack core system functions in order to steal cars. You may have seen recent media reports about two auto manufacturers susceptible to hijacking via the vehicle USB port. This is a TikTok challenge and has resulted in vehicle thefts and crash deaths. One manufacturer is offering financial compensation to owners suffering from vehicle theft.

It does not stop there. Sam Curry, a web application security researcher, published fascinating results in a January 2023 report (here). Sam and team found many automotive vulnerabilities related to everything from the telematic (telemetry) platforms, automotive APIs and infrastructure, including cloud infrastructure and DevOps platforms, customer accounts, and the vehicles themselves. Hackers have breached Tesla infotainment systems and even injected code into vehicle headlights!

Attacking the vehicle has long been the subject of hacker conferences. In real life, hacks range from manipulating the vehicle: unlocking it, engine start/stop, flashing headlights, finding vehicle location by VIN number to track vehicle, hijacking the vehicle owner’s online account, hacking telemetry APIs to stealing data. Additionally, commercial fleet management platforms have been the subject of hacks that exploit vulnerabilities in the web and that exploit vulnerabilities in the APIs hosting these applications.

Hackers inject code into vehicle headlights: https://www.thedrive.com/news/shadetree-hackers-are-stealing-cars-by-injecting-code-into-headlight-wiring

Hackers breached Tesla Infotainment system: https://www.securityweek.com/tesla-hacked-twice-at-pwn2own-exploit-contest/

At present, why aren’t Internet Connected Software Defined Vehicles sufficiently secure?

Securing connected vehicles is a critical concern for the cyber security industry, auto makers and suppliers, third party fleet management providers, 5G network providers, and 5G device makers — all of which are involved in various aspects of the Internet Connected Software Defined Vehicle ecosystem. To tackle this multifaceted challenge, the automotive industry is taking a comprehensive approach, with a focus on cyber security, standards, architecture, communication protocols, and the perspectives of auto manufacturers.

Where are we really when it comes to Software Defined Vehicle cyber security?

1. Cyber security focus:

•    The U.S. places significant emphasis on Software Defined Vehicle cyber security, with the automotive sector and its partners actively engaged.
•    Events like the Annual Automotive Cybersecurity Detroit Conference bring together key industry stakeholders, including manufacturers, government bodies, standards organizations, and Tier 1 suppliers.

2. Automotive standards for cyber security for the lifecycle of Software Defined Vehicles:

•    ISO/SAE provides essential standards for cyber security engineering in road vehicles.
•    ISO/SAE 21434:2021 offers a comprehensive framework for managing cyber security risks throughout the vehicle lifecycle, from concept to decommissioning.

3. Auto maker perspectives:

•    Auto manufacturers face complex challenges in ensuring Internet Connected Software Defined Vehicle safety, cyber security, and privacy throughout a vehicle’s lifecycle.
•    Key considerations include evolving threats, increased connectivity, complex software ecosystems, Over The Air (OTA) updates, telematics, and data privacy.

What are the remaining challenges in this dynamic and complex systems?

1. Evolving threat landscape: To protect people from evolving vehicle threats, we must continually evolve threat prevention initiatives, which can be tough.

2. Increasing connectivity: Extensive vehicle connectivity expands the attack surface, requiring robust security measures at all entry points.

3. Complex software ecosystem: Managing and securing diverse software components in modern vehicles is essential to prevent vulnerabilities and compatibility issues.

4. OTA updates and patch management: Secure delivery and installation of OTA updates necessitate establishing secure channels and ensuring update authenticity and integrity.

5. Software defined vehicles: The concept of Software Defined Vehicles introduces further security considerations in regards to safeguarding software integrity; not only for auto makers, but also for third party providers of infotainment, telemetry, mapping software, etc.

6. Telematics and data privacy: Telematics systems raise privacy concerns, demanding secure data handling and transmission.

7. Collaboration and standards: Industry-wide collaboration and standards are crucial to effectively address Internet Connected Software Defined Vehicle cyber security complexities and challenges.

Addressing these complexities requires continuous investment in cyber security research, rigorous testing, partnerships with experts, and adherence to industry best practices to ensure the safety, security, and privacy of Internet Connected Software Defined Vehicles.

Can you explain Over The Air (OTA) updates for Software Defined Vehicles?

The hallmark feature of a Software Defined Vehicle is the capacity for Over The Air (OTA) updates. OTA updates are essential for keeping the vehicle’s software up-to-date (similar to patch management for computer systems). These updates are facilitated through the vehicle’s Vehicle Identification Number (VIN) and are applicable to both traditional and electric vehicles.

They are delivered in various ways, including through embedded 5G or tethering with the owner’s mobile device. OTA updates encompass infotainment system enhancements, security updates, feature improvements, and system fixes. Communication during OTA transactions involves data exchange between the vehicle, the auto manufacturer, and third parties, and integration with the vehicle owner’s mobile application and customer web portal.

Can you provide some recommendations to help protect my Internet Connected Software Defined Vehicle?

You can take steps to dramatically reduce the risk to your Software Defined Vehicle as it relates to safety, security, and privacy.

1. Protect the mobile devices connecting to your Software Defined Vehicle with a mobile threat prevention tool, like Check Point Harmony Mobile. If you are connecting your mobile device to your Software Defined Vehicle, you need good mobile threat prevention to block malicious applications, smishing, malicious links, and to defend against man-in-the-middle attacks. And be sure to extend mobile threat prevention to any devices connecting to your 5G mobile WiFi hotspot and/or your vehicle’s embedded 5G mobile WiFi hotspot.

2. Conduct a thorough review your security and privacy settings for your Software Defined Vehicle. Typically, this is done from your vehicle’s command center, mobile application, and online vehicle portal. Understand security and privacy settings, as well as the cadence for security and privacy-related software updates. Limit the amount of information that you share with your auto manufacturer and third parties. Again, your VIN is privileged information and so is your vehicle location.

3. Securely manage your vehicle mobile application. Software Defined Vehicles come with a mobile application associated with the car’s VIN, enabling the owner to view vehicle location and system status’, to request roadside service, and to inform maintenance programs of issues.

Review your mobile application settings and privacy warnings. Know that in many instances, the Software Defined Vehicle owner has limited control of the settings regarding what information is to be shared with the auto maker and its designated third parties. From a physical security perspective, never remote start your vehicle with your mobile application unless you have control of your vehicle’s physical security.

4. Manage the internet connectivity to your Software Defined Vehicle. Only you should determine when your vehicle accepts Over the Air updates. Whether you synchronize your 5G mobile device to your Software Defined Vehicle or have onboard embedded 5G, your vehicle will seek to connect when there is an internet connection available. Many vehicles support software updates over all available communications methods: embedded 5G, Bluetooth and WiFi.

Make sure you do allow automatic software and feature updates only when your vehicle is idle.

Note: Not only does your vehicle want to auto-initiate system and security updates, but it also runs third party software that wants to auto-install feature and security updates. These third party software sources all have potential vulnerabilities. In my case of a 2023 Ford F350, there are 30 pieces of open source software on board this vehicle.

5. Use Multifactor authentication on your Software Defined Vehicle online portal. Enough said!

6. Mind the physical security of your Software Defined Vehicle. Park your vehicle in well-lit and secure environments if possible. If you have a vehicle on the “most wanted” list, apply the security fixes, park in a garage or in another secure environment. Always use situational awareness. If your vehicle is one that has vulnerabilities, get the fixes or get a wheel lock put in place. Some of the auto makers are providing these for vehicle owners.