Today I saw an article detailing how security researchers were able to hack into Fiat Chrysler’s Uconnect enabled vehicles by scanning Sprint’s cellular network in the US to identify remote end points running the Uconnect system. Once inside of Uconnect they could turn the engine off, turn the brakes on or off and take control of the vehicles information display and vehicle system.
Vehicle hacking has been going on for ages – but until now all hacks have required physical access to the target vehicle to wire into the control systems. This latest attack – remotely over the cellular network, is one of the first documented cases where the concept of an anonymous hacker taking remote control of your car whilst you’re driving at speed on a motorway and potentially taking your life and those of your passengers has become a potential reality.
Its sobering stuff. Even more so, because in the very near future all new vehicles will come with internet connected capabilities, widening the attack surface and the number of possible vectors for a hacker to gain access to your petrol bomb on wheels.
Of course the optimist in me hopes and expects the car manufacturers to come together and build a coherent cross industry approach to vehicle cybersecurity, afterall the idea of securing remote cellular and wireless networks is hardly new, and there are numerous best practise examples that exist detailing how to isolate and secure key applications, services and data in any network.
Should Passenger Wi-Fi and Telematics ever be combined?
However – the biggest issue I have with in vehicle internet access provisioned like this by the manufacturer -using their cellular hardware and sims from their data partner is this, Why would I ever want to mix my high bandwidth internet traffic with low volume telematics data in the first place? It just doesn’t seem to make sense at any level.
I love telematics
Yes I want my car to be connected, to share fault codes with my local garage and book in services automatically when it needs them. Yes I want to be able to track my car when it gets stolen or when my newly licensed daughter takes it for a drive to go shopping in case the shops she wants to visit are 100miles away outside of her boyfriends university. And yes, if my car’s in a crash I want it to dial the police automatically sharing its location when whoever’s driving it is unable to do so themselves. I even like General Motors Onstar solution with manned concierge services only a dash mounted button push away – but I want all of that functionality to be separate from my own in vehicle internet access.
I also love data security
Why? Well firstly for the sake of security obviously. A dedicated cellular internet connection used just for in vehicle services like these, secured on a private APN, and with inbound and outbound ports locked down to the bare minimum reduces the potential attack surface compared to a connection on the public internet. The amount of bandwidth required for these services is also greatly reduced, which should make any service costs for this functionality over the lifespan of the vehicle lower too and I am a big fan of cheap motoring.
I want to be connected – everywhere.
Secondly, particularly here in the UK where provider coverage is highly variable, I want to be able to use sims from different cellular providers at the same time to allow me to maintain connectivity as I move in and out of a single providers coverage areas. Any manufacturer level cellular data deal will always be between them and a single cellular operator to take advantage of the economies of scale such a partnership brings. A single sim is rarely enough. Even now I carry devices that use multiple sims simultaneously to aggregate bandwidth using multiple connections whilst squeezing every last drop of value out of the currently available pay monthly and pay as you go data deals from all of the mobile network operators.
I want to own my network – especially when it extends into my car.
Thirdly, I want to use my own cellular router- an enterprise grade product with enhanced security and functionality, and I want to be able to upgrade that router myself in two or three years time when more capabilities are available in the latest model and when new cellular data standards are released (like 5G) opening up even more bandwidth possibilities. I want to use the same industry standards for security and VPN connectivity in my car as I do in my home and business so I can connect to my work and personal data when on the road and directly access all of these internet connected toasters and coffee machines I will allegedly have in my house by 2020.
For me, the real value of in vehicle internet access can only be realised when I can both obtain a high bandwidth connection (from any combination of suitable mobile network providers) for all internet based activity (be that for work or play), and also maintain that connection across multiple providers coverage areas whilst at the same time connecting securely to my home and place of work. And for all of this to be remotely possible, I need to own the relationship between my data usage, my hardware and my data provider- technically and commercially.