Remote updates are just the tip of the iceberg – Cybersecurity of cars is generally lame

The whole world, including cars, is digitally connected. Today, we can search for and order various services directly from behind the wheel, or use a mobile application to remotely turn on the heating or upload a route to the navigation. However, digital access can be abused by someone else. Automakers seem to be catching up with security trends only with a delay, with everything at stake, from the car being stolen to it being used in a terrorist attack.

Five years ago, two cyber security experts, Charlie Miller and Chris Valasek, spoke to the American magazine Wired. At that time, Internet connection was becoming commonplace in cars, and both gentlemen warned that vehicles were not well secured against intrusion into the system. They soon demonstrated this in practice. From a distance of ten miles, they took control not only of the radio and air conditioning, but also the steering and brakes of the Jeep, which was driven by the editors of Wired.


In response, Chrysler had to modify the software in 1.4 million cars, and the whole issue caught the attention of the authorities. At the request of the Senate, the US Road Safety Authority (NHTSA) launched an extensive study to set binding standards. The same process is also taking place on our side of the Atlantic under the auspices of the United Nations Economic Commission for Europe.

The irony is that at that time, Tesla had been sending one update after another to its customers’ vehicles for three years, and everything ran smoothly – wirelessly and remotely, of course. No hackers, no cookies. The company, founded by computer enthusiasts, simply built security in from the beginning. Unlike some traditional carmakers, for which the internet has so far been a little extra.

Five years have passed and it turns out that the automotive giants still have a problem keeping up with the rapid development of information technologies. Last January, a study by the UAE industry association noted that only 10% of manufacturers have their own cybersecurity team. Less than a third of their programmers are systematically trained in code security. Over 40% of companies leave testing until after the car is launched on the market, while a quarter do not update security software at all. One of the causes of the problem is the absence of expertise in senior management, to which specialists do not want to report.

The software update process itself is subject only to ISO standards, which companies accept voluntarily as part of quality management. To comply, they need a regularly renewed certificate for their update management system, and they have to prove how the impact assessment process for each update is set up. However, whether the car downloads the update itself over the Internet or has it uploaded at the repair shop by cable is something these standards no longer address.

The only binding obligation is to prove that the update does not affect consumption, emissions, noise, active safety or other properties that are the subject of vehicle type approval. “If the update has such an effect, the manufacturer shall inform the authority which granted the approval. The latter shall assess whether an extension of the approval is necessary and whether further tests are required. The process shall be monitored by the authority on an ongoing basis of random sampling,” explains František Jemelka, spokesman of the Ministry of Transport of the Czech Republic.

If we look at cybersecurity from this side, we will see Tesla in a less favorable light. In particular, the updates initially concerned functions without which conventional cars would not have left the factory at all and which the pioneers from Silicon Valley simply did not have time to complete: a home charging timer for using the night tariff, more efficient demisting of windows, a hill start assistant. Or software that reduces the electricity consumption of a switched-off vehicle, which in the early days of the Model S reached up to 4.5 kWh per day. Autopilot driving assistants were also activated some time after cars equipped with cameras and radar began to roll off the line. It should be added, however, that this year Volkswagen is entering a similar situation.


However, a completely non-standard process took place after the previous year’s launch of the Model 3, for which Consumer Reports magazine measured too long a braking distance during its first test. It only took a few days for Elon Musk to report that an update to the relevant software was already being loaded into the cars, which should “improve” the effectiveness of the brakes. Consumer Reports repeated the test and marked the result as satisfactory.

Independent publicist Bertel Schmitt questioned both the speed of the event and the way it was worded. “Should it improve? Wouldn’t it take a little testing first?” he tweeted to Musk, but didn’t get an answer. In an article on The Drive, he pointed out that even in the USA, the intervention in the brakes formally should not have taken place at all without the approval of the authorities. And in far more rigid Europe, where the Model 3 was not yet available at the time, it would have stood no chance at all.

František Jemelka from the Czech Ministry of Transport also agrees. “Regarding the modification of the software of already registered and operated vehicles, there is a general provision of the law that the vehicle can only be operated in the version as approved. The brakes are clearly mentioned as an area where interference with the conditions of approval can be expected.”

The same is confirmed by the practice of European carmakers. Although remote updates are technically available, for example, for all Škoda models equipped with Internet connectivity, they are used almost exclusively for uploading navigation map data. “In the future, it is possible to consider expanding the infotainment system and adding car functions that do not have a direct impact on safety or homologation regulations,” explains Martin Ježek from Škoda Auto.

Contrary to the well-established idea, a large number of remote updates is not a hallmark of a modern carmaker. On the contrary, we should need them as little as possible, and mainly to adapt an older vehicle to a newer environment. What is really at stake is the safety of all vehicles permanently connected to the Internet. Today, even small urban models offer some form of remote access. The idea of how easily jihadist lunatics could send a remote-controlled car into the middle of Advent markets and the police would have no one to neutralize behind the wheel is almost encouraging.

Car manufacturers should guard this area as best they can in their own interest. The preparation of binding regulations will take some time. The relevant parts of the updated EU Council Regulation on the conditions for the approval of vehicles will not enter into force until July 2022. “As regards remote updates, UNECE proposals will be submitted for approval to the June working group meeting and, if approved, However, the actual use of the new ECE regulation will depend on when the individual states accede to it, which in the case of the EU means whether this regulation will be included in the Regulation on vehicle approval conditions,” explains František Jemelka.

Author: Nabeel K
Email: nabeel@wheelsjoint.com


