Are connected cars a hacker's dream?

(c) McCausland

Today’s cars connect to the Internet in ways never before imagined, placing amazing capabilities at the fingertips of drivers. Whether it is infotainment, navigation, safety, diagnostics, performance upgrades or fleet management, connected cars transmit data, update firmware, and deliver the latest in touchscreen, app store and voice-recognition and human sensor technologies.

With this said, connected cars are rapidly gaining market share. According to a report from Research and Markets,, the global connected car market will generate over $141 billion in revenue by 2020, with advanced infotainment systems and high-speed wireless Internet connections as the two key features that will  drive this growth.

All of this connectivity means that the potential for data leaks, malware, or worse, will intensify, especially where mobile apps are concerned. Aside from data trolling on user behaviour information (where did you go? What did you buy there?), the potential for systemic hacks that subvert a car’s control systems and breaks is now a reality. The critical question is: how can car manufacturers reduce the potential for data leaks and attacks?

As growing numbers of automotive and aftermarket OEMs provide connectivity solutions, the need for next-generation tools that protect against today’s demanding security threat landscape is not just a nice-to-have, but a must. In addition to the obvious risks and liabilities, car makers must contend with threats to their brand integrity. We must all accept that connected cars live in a hostile environment, and in the same way as car makers must provide functioning safety devices like seatbelts and airbags, their cars are in constant danger of hacking and malicious attacks, subject to analysis, malware injection, tampering, IP theft, piracy and key extraction, and their drivers are facing a new danger to their digital and physical self.

Already, mobile apps for cars collect all sorts of customer data, and sensitive vehicle information, and now, a hack can impact people’s safety. A proper combination of authentication, tampering, reengineering and code lifting technologies can ensure connected car safety.

To lower the risk of malicious attacks to software in a connected car, all sensitive software needs to be “hardened”.  This goes way beyond the infotainment systems and the in-vehicle app store, since malicious code can cross over from these systems to the vehicle control system.  This is a multifaceted problem that includes both hardware and software and proper design approaches used in other vertical markets where exposure to hacking and poor software design have caused immense damage already.  Automakers must use robust and efficient software protection schemes to prevent attacks, that include the loss of proprietary algorithms, and prevent dangerous overrides to the braking system and other vehicle safety systems. Although there are code protection techniques on the market, many do not protect against class breaks (sometimes called “Break Once Run Everywhere (BORE) attacks”). A class break is an attack that, if successfully executed on one software instance, could be similarly applied to crack all other instances of the same software. Typically all copies of the target software have the same binary code image, enabling an adversary to develop a generic reverse-engineering scheme. 

Software diversification is a leading protection technique against class breaks. It significantly increases the time and cost of attacking an installed base of protected applications. Essentially, the attacker must crack each copy of the application. For this reason, software diversification should be the de facto means to protect software applications that are distributed in large numbers to consumer devices, such as mobile devices. Any system that contains sensitive data, such as digital licenses, personal information, passwords, or cryptographic keys, and runs in an untrusted environment (such as many consumer devices), needs some form of software diversification as part of the hardening solution. This will greatly improve the security of the applications and enhance protection against class breaks and piracy.

Other software protection best practices include code protection at the source code level and white-box cryptography.  Code protection is a tool used to "harden" software application code to prevent reverse engineering and other techniques used by cyber-criminals to gain access to sensitive information and resources contained in applications. Whereas white-box cryptography keeps secret cryptographic keys well hidden within app code even during runtime. 

Implementing advanced code and data obfuscation techniques, preferably at the source code level, can prevent the use of hacker techniques like static and dynamic analysis and avoid malicious modifications. Combining both code protection and white-box cryptography will achieve an even higher level of security.

Right now connected cars seem like a driver’s dream, but they are also a hackers dream.  Essentially cars are becoming rolling entertainment centers with the potential to make our roads safer and manage traffic. However, it will take only one data breach that causes a serious accident to wake up automobile manufacturers and drivers to how susceptible our connected cars are to data breaches. To avoid hackers taking control of fundamental vehicle functions, car manufacturers will have to ensure applications are secured to protect IP, drivers and their corporate reputations.

Leave a comment


This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.