The Connected Car, Part 3: No Shortcuts to Security
For consumers, the connected car is all about extending the mobile connectivity lifestyle. For the auto industry, it's all about monetization. For automobile manufacturers, it's all about safety, security and brand protection. "It all comes down to enabling the communications from that vehicle to a given termination point ... that is completely locked down," said Airbiquity's David Jumpa.
08/19/14 4:58 PM PT
The connected car is becoming a reality, but the gadget-filled roadways it travels will be paved with several options for in-car technologies. These choices pose challenges for carmakers. Whichever technology wins the race, one of the biggest concerns for OEMs is their electronic security.
The Linux Foundation wants an open source platform in the pole position. The nonprofit consortium already has a fully functional Linux distribution, called "Automotive Grade Linux," or AGL. It is a customizable, open source automotive software stack with Linux at its core.
Google has its own plan for connecting cars to mobile devices and the Internet. Google's Android Auto is a dashboard navigation and entertainment system powered by an Android smartphone. It is very similar in concept to competing designs from Apple and Microsoft.
Carmakers and application developers are vying for the driver's seat to cash in on the prize money. More user information will be plugged into and fed out of the connected car than consumers now amass from mobile device activities. Carmakers and app developers want a sizable chunk of the profits the data derby will generate.
To handle this traffic jam of data, car manufacturers are testing technologies like Broadcom's Automotive Ethernet and The Car Connectivity Consortium (CCC)'s MirrorLink among others. Similarly, QNX Software Systems has a foot or two in some vehicles with its QNX Car Platform for Infotainment.
Securing the connected car will involve much more effort than locking the doors and parking in a garage. Data thieves will target the goodies that travel with passengers. The connectivity will go beyond infotainment apps provided by Microsoft, Google or Apple. It will combine cloud-based services that enhance automotive safety and driving convenience with a broad range of supplemental services.
"Security is one area where solutions are needed. There will be great potential for stealing credentials and user information stored in apps," said Jim Smith, vice president of marketing at Ixia.
Insecure Data Highways
One of the big challenges the auto industry faces is figuring out how to identify the real threats to the systems in their connected cars. That same challenge extends to the OEMs' websites, according to Smith. Then how do you build an infrastructure hardened enough to protect all of the data?
"I think you are going to have to see the auto industry testing for unknown vulnerabilities and security," he told LinuxInsider.
Security is a major worry for both carmakers and connectivity providers, said Lonnie Schilling, CEO of BirdStep Technology.
How well the security risks are addressed depends on how the in-car connectivity is wired. The wireless method to reach the cloud is another factor.
"This is an embryonic industry. Systems can lock down a car's connectivity -- but how well or when it does this depends on the model the OEM chooses to install in the car," Schilling told LinuxInsider.
Opportunities for hacking in-car connections are ample, so security concerns are valid, said David Jumpa, chief revenue officer of Airbiquity.
Carmakers already are careful about who gets the data, he noted.
"OEMs do not allow direct access to the vehicle connection bus for all of the embedded systems. They rely on a wrapper. The API commands are limited to only certain functions," Jumpa told LinuxInsider.
However, that protective nature is a factor that OEMs may not be able to maintain with the connected car's broader reach, he pointed out. Smartphone integration brings a new element to connected car breaches.
For example, Apple and Google want the OEMs to sit back and just let the smartphones handle entertainment and app delivery within the vehicles. Some of that pressure comes from consumers.
"Nobody just wants plain AM/FM radio service," said Jumpa.
A Reach Too Far
Just how far the connected cars reach could be the basis of security solutions. The important issues depend on whose perspective you address, Schilling said.
For consumers, it's all about extending the mobile connectivity lifestyle. For the auto industry, it is all about monetization. For automobile manufacturers, it is all about safety and security, in terms of protecting their brands.
"It all comes down to enabling the communications from that vehicle to a given termination point, such as a cloud provider, that is completely locked down -- that can be made highly secure. It all depends on the security services used. We can lock down the connected car the way we do for our military customers," said BirdStep Technology's Schilling.
The Linux Legacy
The Linux Foundation's AGL solution will grow in stages to become a full-service car connectivity platform. Phase one is a complete infotainment system. Later phases will include the embedded space and telematic services.
"The auto manufacturers can take all of that and then modify it and add their own features. Then they will harden it by fixing bugs and addressing security issues," Dan Cauchy, general manager of automotive for the Linux Foundation, told LinuxInsider.
Security concerns are obviously valid, but Cauchy thinks they are a little bit overblown in terms of what actually can occur with connected car technology.
"Yes, systems can be hacked -- but in terms of hackability, Linux is one of the most solid operating systems out there," he said.
A Fragmented Field
Consumer demands also can be a contributing factor to securing the connected car. One of several consumer-driven trends is the additional appeal that the applications and other connected services create for the consumer, noted Jeff Kavanaugh, VP and managing partner for the manufacturing and high-tech consulting units at Infosys.
"You have a situation where people do not care what they have under the hood. All that matters is how the car becomes their new living room," he told LinuxInsider.
The connected car mentality is not about one favored technology. It is about a series of them, added Kavanaugh.
For example, telematics is the signal carrier working in conjunction with all the ancillary parts of the various service systems. So no one technology is involved.
The technology includes the cloud. There is no one holy grail -- no "one platform fits all." It is the combination of networks that delivers a better experience at an acceptable cost, Kavanaugh said.
Everybody Fits In
Two parts of the technology matter. Security measures have to fit both of them. The head unit is the in-dashboard unit that handles the hardware and software. The other part is the handset.
"It is not as simple as selecting one operating system over another for your desktop. You need a heterogeneous solution. You also have to factor in future-proofing. The challenge is avoiding a situation where somebody comes along in a few years with a phenomenal innovation, but you can not take advantage of it because of your platform," Kavanaugh said.
With that in mind, Linux could be the perfect connected car operating system for connectivity. User device interoperability is part of why AGL exists, suggested the Linux Foundation's Cauchy.
"Having a single open source platform for everyone to use will prevent fragmentation. This is Linux technology.
So, if you want Car Play or Android Link or Mirror Link to connect to your phone, those are all software stacks. They run on Linux and can be ported to AGL. That will be up to the car manufacturer," he said.
Carmakers have to provide an all-inclusive mobile device connectivity platform. Carmakers then have to ensure that all of the in-car system networks are isolated from hackers. In addition, carmakers have to ensure that the connected car's wireless connectivity is secure for both infotainment and in-app communications.
"We are starting to hear from Tier-1 providers that the issues are too complicated. The Tier 1s and Tier 2s are starting to say that their head units can not handle both services. From our perspective, we really do not care which technology provider ends up owning the space. Our goal is to help OEMs manage the space they select to support," said Airbiquity's Jumpa.
Another critical factor in securing devices is the interconnectivity factor. Outside of the vehicle, it is easier to ensure interoperability. Inside the car adds complicating factors.
"One of the challenges now that we see in the industry is the competing device and OS developers, like Apple and Google, trying to make the vehicle an extension of the mobile phone," said Schilling.
That is going to cause a problem, mainly for consumers, he predicted, but it may have an indirect consequence for the automobile makers as well. The more mobile device platforms consumers have, the more intricate securing them and their data through the connected car will be.
"Everybody today is looking at the vehicle as the end device. The reality, though, is that the vehicle is a moving network. It has a number of IP hosts and networks. In the next two or three years, we are going to be talking about the need for mobile routers in the vehicle to manage all of these things, as opposed to treating it as one single end device," Schilling added.
Target Rich Data
Both consumer devices and the car's user data need to be secured, but that requires cooperation among all of the industries.
"We need to continue [working] on all of the regulatory issues involved. Much of the technology has to be embedded in the vehicles. We have to organize the Big Data involved in all of the follow-up," cautioned Schilling.
Being able to analyze what is happening with the vehicle and to the vehicle and in the vehicle is going to become critically important. Other factors involve issues around tethered and untethered, and embedded and unembedded hardware.
"Most important is going to be the enablers," said Schilling. "For instance, how do you deal with remotely provisioned SIMS anywhere in the world? There are technology needs that will enable all of the different business models used."