Nissan LEAF Vulnerability Shows Cars Share Similar Issues with Other IoT Devices

Sue Marquette Poremba

Your IT and/or security department has to provide security for the devices you offer your employees – computers, smartphones, and so on. Has the time come to begin considering the security of the company car, too?

The simple answer is yes. After the announcement of the vulnerability found in the Nissan LEAF, Windows IT Pro got it right when writing that our vehicles are now just another IoT device. The problem with the electric car, the article stated:

was the ability to remotely control the climate facilities in the car as well as pull the driving history, all with no more than the vehicle identification number or VIN.


According to eSecurity Planet, the vehicle’s heating and air conditioning systems are vulnerable, meaning a third party can gain the ability to control the functionality of the HVAC.

We’ve heard about car hacking concerns before this. Last summer, Wired reported on an experiment that showed hackers messing around with a Jeep’s control system and a Dark Reading article showed that even older cars are at risk of an attack. There are skeptics out there who don’t think that hacking into a vehicle is possible, at least not on the scope where someone is going to take over your vehicle and crash it into a tree. But, while I personally think that could happen in the not-too-distant future (after all, there were skeptics about the need for security on smartphones, and we’ve seen how that’s evolved), I do think there are other types of risks to look for as our vehicles become smarter. Craig Young, cybersecurity researcher for Tripwire, told me in an email that the Nissan Leaf vulnerability showed how privacy and security are serious issues in connected car technologies, adding:

Generally speaking, any service (but especially services pertaining to connected cars) should not be authenticated based on non-private data. For example, with a service like this, it would be better to have an authentication token provided to clients upon login and then used as an access control to prove that the client is authorized to perform actions on that VIN.
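The token-based access control Young describes can be sketched as follows. This is an added example, not code from Nissan, from the article, or from anyone quoted in it; the function names, the token format, and the account and VIN records are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # signing key that never leaves the server
TOKEN_TTL = 900                        # token lifetime in seconds (assumed value)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample records: account -> (salt, password hash), VIN -> owning account.
SALT = secrets.token_bytes(16)
ACCOUNTS = {"alice": (SALT, pw_hash("constructed-password", SALT))}
VIN_OWNER = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}

def set_climate_vin_only(vin, on):
    """Weak pattern: the VIN, which is not private, both selects and authorizes."""
    return vin in VIN_OWNER            # True means the command is accepted

def login(user, password):
    """Issue a signed, expiring token once the account password checks out."""
    record = ACCOUNTS.get(user)
    if record is None or not hmac.compare_digest(pw_hash(password, record[0]), record[1]):
        return None
    body = f"{user}|{int(time.time()) + TOKEN_TTL}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"

def user_from_token(token, now=None):
    """Return the account the token was issued to, or None if forged or expired."""
    try:
        user, expiry, sig = token.split("|")
        expires, sig_bytes = int(expiry), sig.encode()
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig_bytes, expected.encode()):
        return None
    now = time.time() if now is None else now
    return user if expires > now else None

def set_climate(token, vin, on):
    """Hardened pattern: the token proves who is calling; ownership authorizes the VIN."""
    user = user_from_token(token)
    return user is not None and VIN_OWNER.get(vin) == user
```

The VIN still names the target vehicle, but it no longer grants anything: a request is accepted only when a valid token maps to the account that owns that VIN.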

Cars are just the latest in that long line of IoT devices, and as John Barco, VP of Product, ForgeRock, told me in an email comment, expect them to become more attractive targets for hackers, just like every other IoT device, stating:

Manufacturers need to include more effective security into their IoT-enabled vehicles from the ground up with the help of experts in the identity management industry.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba


