Vulnerabilities in Automotive Connectivity – Gold Mine for Cyber security Companies

Automotive Connectivity Vulnerabilities Exposed

  • Massive Investments Targeting Automotive Sector
  • Disruptive Trends Fueling Growth in Connectivity
  • Vulnerabilities Identified
  • Solutions Needed to Fill Gaping Market Void

Major players in the automotive sector are making significant investments in connectivity which translates into a mega opportunity for cyber security applications capable of securing automobiles.  On November 13, 2017 Uber (UBER) announced its intent to do a $10 Billion dollar deal with SoftBank, a Japanese Conglomerate.  It’s pretty clear that the automotive market represents the “new screen” advertisers are jockeying for position.  It’s not hard to see the pace quickening as sensors on cars have increased, more comfort features have been added, and batteries are moving to lithium to keep pace with the electronics load.  Despite all these advancements, there are ZERO solutions that have been implemented for automotive connectivity that can protect against any of the recent global cyberattacks.  The recent breaches against Equifax and Deloitte demonstrate how ill prepared businesses are for the next one.  The hackers would essentially use the same methodology to attack the automotive sector.  Nothing has been fixed.  Using the same combinations of crypto protocols such as TLS, PKI and/or PGP plus filters such as smart firewalls, intrusion and threat detection and prevention haven’t paid off too well and estimates put the cyber damage at $3 Trillion in 2015 and projected to grow to $6 trillion by 2021.  Therein lies the opportunity for exponential growth of new cyber security approaches that actually solve the cyber risks in the automotive market segment because nothing has been adopted yet.  All automotive vehicles have the same cyber exposures, which means hackers can walk in through the same cyber exposures.

Major Players Moving into Automotive Connectivity

In 2014, Apple (APPL) began “Project Titan” and assembled up to 1000 employees to work on developing an electric vehicle at a secret location near its Cupertino headquarters.  AAPL eventually shelved the project but then used its resources to create an autonomous driving system that would eventually partner with existing car makers with the idea of deeply integrating the iOS devices.  CEO Tim Cook stated “we’re focusing on autonomous systems.  It’s a core technology that we view as very important.  We sort of see it as the mother of all AI projects.  It’s probably one of the most difficult AI projects actually to work on.”  Early in 2017, AAPL was granted a permit from the CA DMV to test self-driving vehicles on public roads.  This is one of 54 permits granted by the CA DMV, which includes the usual suspects like all the major auto manufactures including Tesla (TSLA), but other names like Nvidia (NVDA) Baidu (BIDU), Waymo (GOOG), and Telenav (TNAV) are a few notable mentions.

Waymo, which is part of Google, is the leader in autonomous drive and since 2015 has racked up an impressive 1,031,199 miles of autonomous driving based on the yearly disengagement reports required as of 2015.  Disengagements are incidents when the backup driver takes control of the car for safety purposes.  When Waymo started in 2015, the ratio of disengagements per 1000 miles was .8 and that plummeted to .2 in 2016 indicating a trend toward greater reliability.    UBER seems to be riding on the coattails of Waymo, which is suing UBER for IP that Anthony Levandowski brought over from Waymo.  UBER has about 400 people located in Pittsburg, Pennsylvania working on the autonomous car.  Most of their talent came from Carnigie Mellon’s robotics program.  When measuring the program’s success by disengagement, Waymo still has the commanding lead.  Uber had only 20,354 autonomous miles as of March 2017 compared to Waymo’s 1 million plus.

University of Michigan Fact Sheet

In March 2017, Tencent Holdings (TCEHY) made a 5% open market purchase and bought 8,167,544 shares of Tesla (TSLA) for about $1.778 billion.  This made them one of TSLA’s largest shareholders.  Tencent is a Chinese technology holding company with a diverse portfolio of tech investments.  Among their holdings are WeChat, Moments, and Mobile QQ.  In the gaming world, they own a controlling interest in Riot Games and Supercell.  Baidu (BIDU) and Alibaba (BABA) are also major players in the automotive connectivity space and Tencent is using this investment as an opportunity to get exposure to this burgeoning market to compete with their counterparts BIDU and BABA.

BABA unveiled its smart car in Jul 2016 and with the 3 LED screens and 4 detachable 360 degree cameras it’s pretty clear that this is a car that is connected to the internet.    BIDU followed suit mid 2017 with its launch of Apollo, which open sourced the AI of the self-driving car.  Big money seems to really like this sector.

Disruption Increasing the Pace of Innovation

A lot of time is spent hypothecating on the autonomous market but digitation is what we are seeing here and now as the car is becoming a platform for drivers and passengers to spend their time in transit consuming media or other activities.  It’s the third screen!  Cars are getting more and more complex, so much so that longer lasting lithium Ion batters are needed and helping the trend toward fully electric vehicles.  The average vehicle contains over a mile of cabling weighing approximately 50 pounds.  The smart cars contain 60 – 100 sensors and expect to reach as high as 200 by 2020.  The trend in connectivity is getting more sophisticated.

Digitization involves the evolution of connecting the vehicle to the internet.  Right now there are simple things like GPS maps, streaming content, and hands free mobile phone operation.  The future will connect the car to the supply chain and notify the driver when parts are ready to fail.  The IoT sensors may create a mesh of data giving real time weather monitoring.

Increasing Automation The autonomous car will replace drivers doing ride sharing or on long truck routes.  The automation will happen in stages and has already begun as riders enjoy blindspot monitoring and automatic braking. Automotive connectivity is at the infancy stage.
Autonomous Vehicle Stages

Shared Mobility – Car growth is slowing due to e-hailing apps like Uber, Lyft, and new car pooling apps. Estimates show that 1 out of every 10 cars is a shared vehicle.  There used to be a time when getting a driver’s license was a big deal.  Due to the disruption of e-hailing services, the share of young adults (16-24 years old) obtaining a driver’s license dropped from 76% in 2000 to 71% in 2013 against a backdrop of over 30% in the car sharing market in North America over the past 5 years.  The ride sharing and car hailing apps will morph into Mobility as a Service (MaaS).

Disruption in Automotive Market

Things Than Can go Wrong – What’s at Stake  

If cars get hacked then people can die.  Car hacking is no longer something you see in spy movies but a real, identifiable threat that needs to be treated seriously.  In 2014, WikiLeaks send the Washington Post documents that the CIA was looking into hacking cars to carry out “nearly undetectable assassinations.” In 2015, a reporter, Charlie Miller, and hacker, Chris Valasek, rode in a 2014 Jeep Cherokee that was hacked by shutting down the engine and disabling the brakes.   In an email after the hack, Valasek said “it doesn’t appear that any manufacturers currently have detection/prevention methods for such attacks.”  This hack prompted the recall of 1.4 million vehicles.  Also last year, General Motors Co issued a security update for a smartphone app that could have allowed a hacker to take control of some functions of a plug-in hybrid electric Chevrolet Volt, like starting the engine and unlocking the doors.  In January 2015, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have doors remotely opened by hackers.  Terrorists intent on causing chaos could target self-driving cars by turning the wheels of the car, or pushing the accelerator or even braking. Sending a false signal to the GPS could cause the vehicle to go off its route and crash.   The automotive connectivity sector is at great risk of attack and the recent examples highlight how vulnerable cars really are.  All the buzz is talking about driverless cars but the immediate threats are to cars on the road now.

Cyber Security Vulnerabilities
Bentley Bentayga’s Wiring Harness with 90 computers interconnected = Target Rich Environment

Current Problem – Cybersecurity Not Equipped with the Correct Tools

Cybersecurity players like Palo Alto Network (PANW) and Oracle (ORCL) use a combination of smart firewalls, intrusion detection and prevention systems, and monitoring.  These are bulky, data intensive and bandwidth intensive programs that can only go after KNOWN THREATS. While they may have a role, it has become obvious that they are not a standalone solution for any implementation let alone automotive systems.  It is just as obvious that the use of end-to-end encryption for data transfer and separate encryption for storage is not working either.  There are so many ways in – that bypass filters and crypto protocols.  All the successful cyberattacks would use the same means to attack automobiles.

And there are other cyber exposures for automobiles. Blue tooth is almost a standard item in a newer car these days.  The key issue is that blue tooth can be hacked to access mobile devices, computer systems and the data AND all modern cars and vehicles have blue tooth AND also because of the increasing severity of distracted driving laws, more and more drivers are also using blue tooth to talk on their smart phones.  Cars have specially designed docking ports to allow access to the smartphone or other mobile device encouraging the rise in automotive connectivity.

It’s hard to comprehend but the tire pressure monitoring systems (TPMS) is an IoT device that can be tracked or hacked to disable the car or put it into a limp home mode.  Researchers have speculated that the TPMS chip could trigger an explosion.  Event Data Recorders are like black boxes for vehicles and they can be hacked too, allowing you to replace guilty evidence for the insurance company.

Unveiling the Auto Connectivity Solution

The ideal solution would have to break the mold of traditional cyber security and be radically different and innovative.  The automobile manufacturers focusing on automotive connectivity would need a security protocol that is very streamlined and that could not only secure the computer at the point of entry but also secure the IoT sensors in the vehicle.  Since sensors don’t have much memory, the software would need to be compact and be no more than 1.5 MB and for some IoT less than 1 MB.  Given all the devices that currently exist it would need to be a software overlay or integration rather than a chip or hardware based solution.  The software would need to be easy to implement and be able to control the permissions upon which users could access.  It would also need to work with various protocols like blue tooth, satellite and cellular and still operate in a compromised environment.  Although it has taken over 10 years of development and $50 mill in R&D, a solution does exist called Validian Protect which was born out the need to fix the gaping security holes in the blue tooth protocol.  This could be the magic bullet for the automotive connectivity market and with the right partner could see industry wide acceptance.  Typical proof of concept trials take 2-4 weeks to implement with Validian Protect, so investors should keep watch for any Validian (VLDI) licensing agreements with major automotive manufacturers or other large proponents of auto connectivity.

Cyber Security Protocols for Automobiles

Major investments in automotive connectivity have arrived with hundreds of billions of investment dollars at risk and the stakeholders are looking for solutions.  The missing component seems to be cybersecurity.  Negligible security exists today, so stakeholders are not boxed into keeping entrenched solutions that don’t work despite pouring billions of dollars into them.  This is a huge market opportunity to reset the cyber security market with something that works.  The automotive thought leaders may simply choose to adopt Validian’s simple to implement, cookie cutter security module or look to develop their own.  If they go the route alone to develop their own cyber security they lose time to market.  The real value is that the automakers have a chance to operate in unison and given their recent acceptance of the IEEE 802.3bw-2015 Ethernet Standard regarding wiring, it is realistic to see them understanding the value of a standardized cyber security protocol.  In the coming weeks, if one player senses a competitive advantage of time to market, it could spark a bidding war amongst the rivals.