130 seconds. That’s the amount of time a Tesla car is fully exposed to any NFC (Near Field Communication) device. During that time, any computer intruder can be linked to the vehicle to later manipulate its functions at will. This was demonstrated in early June, when an Austrian security researcher, Martin Herfurt, tested the latest software equipped in the company’s fleet.
The expert developed a mobile application based on the same structure as the official one, with which he managed to connect to the car without the owner’s knowledge. It was a real example, but Herfurt, through the mobile, was able to unlock, open and take the Tesla with no problem.
This is one of the most recent examples of how cybersecurity will be a critical aspect in the development and construction of vehicles. Manufacturers are already moving in this direction. The United Nations Economic Commission for Europe (UNECE) approved in March 2021 two international regulations on cybersecurity in automobiles.
The first (UN R155) requires that any car that is approved in the European, Japanese and Korean markets from July 2022 has a certificate confirming that it is cyber-secure. Within two years, all vehicles would have to obtain such accreditation. If they do not have it, its sale will be prohibited. While the second (UN R156) refers to the software: it must be updated periodically to avoid vulnerabilities.
July 2024 is the deadline for new cars to comply with the regulations
“Security in the vehicle is made up of two main areas, the privacy of the user’s data and the security of the components of the vehicle, which, whether we like it or not, is connected and will be more connected every day that passes,” he puts in context Sergi Gil, cybersecurity partner at KPMG Spain.
As cyber risks will mostly affect the software, keeping it up to date is vital. “This can be prone to security flaws, not so much when it is released, but over time,” warns Kaspersky senior security researcher Marc Rivero.
Brands begin to close alliances with firewall providers
This last expert, also a member of the multinational’s global research and analysis team (GReAT), points to applications developed by third parties as one of the possible preferred ways to commit these cyberattacks. Hence, it advocates the establishment of protocols (carry out a risk assessment, implement a safe development philosophy…) so that, ultimately, the manufacturer assesses whether or not it allows an external application to be integrated into its fleet.
As regulations such as the obligation to incorporate, before July 2024, intelligent speed assistance systems (ISA) in new cars sold in the European market, to limit the maximum speed to that allowed in a certain way, Rivero stresses that manufacturers will need a greater “cybersecurity culture”. This translates, for example, into the design of roadmaps in which it is checked at each development phase whether the software is vulnerable or not.
Turning points in the future of the sector
Germany. For some years now, the country has required all its vehicle manufacturers and suppliers, especially those of components, to comply with certain minimum safety standards (Tisax and Unece). According to KPMG, whether the sector in Spain keeps pace with technology will depend on the aid received by companies.
Data. Since May 2018, the General Data Protection Regulation (RGPD) has been in force in the European Union. It will be the reference for manufacturers in order to guarantee the security of the personal data of end users, with important sanctions if they incur any breach in the development or the supply chain.
Hardware. The parts that make up cars do not seem to be the main target of a cyberattack. However, they are also susceptible to threats and, as Kaspersky points out, a hacker could modify the size of some part or it could not work in its entirety.
Training. The first online courses are already appearing so that vehicle and component manufacturers learn in detail the recent international regulations on cybersecurity. The programs are also aimed at other actors in the sector, such as dealers, workshops or insurers, who are key in applying the new culture of cybersecurity.
