Connected cars that alert drivers to potential dangers or even automatically brake to avoid them promise greater automobile safety and efficiency. But the risks these advanced vehicles pose shift dramatically from driver attention and road hazards to cyber threats and the integrity of vehicle control systems. This threat was demonstrated when researchers were able to remotely take control of environmental, entertainment, and engine systems on a 2014 Jeep Cherokee.
Assessing related risks and controls is similar to other technology development initiatives. Internal auditors for automakers, equipment manufacturers, and business and government customers should learn the basics about connected cars and what can be done to address their risks.
By definition, connected cars are linked to internal and external systems and services. Inside the vehicle, there's the Controller Area Network (CAN) bus that links internal micro-devices such as the engine control unit, transmission, braking, and diagnostic systems to various monitoring and control systems. This structure was originally developed in the early 1980s to accommodate the growing number of connected components while reducing the amount of wiring needed to connect onboard components. CAN relies on a serial bus protocol for message transport, fault/error detection, timing, etc. Because the CAN protocol does not support security, security must be designed into devices connected to the bus. As such, a security review should be part of any audit of devices connected to the CAN bus.
Also internal to the vehicle are physical ports for diagnostic and peripheral connections. On-board diagnostics (OBD) is a physical connection present in all vehicles produced since the early 2000s. OBD provides a standard connection for service technicians to attach diagnostic equipment and read status and error code information generated by sensors on the vehicle. OBD's direct access to the vehicle's internal sensors and control devices could make this connection susceptible to exploit.
Another risk is the Universal Serial Bus (USB) connectors that are common on many entertainment systems found in newer vehicles. These interfaces not only support streaming audio for entertainment, but they also can be used to update engine and system controls software. Given reports of how USB ports can be compromised, auditors should consider related risks in their connected car program.
Moving on to external...