Real risks, real threats
You might ask yourself what cyber-security has to do with cars. Think again. The two most emblematic examples to illustrate the need for in-vehicle security are real-life use cases known by many: engine tuning and odometer fraud.
It is not so difficult to boost an engine with more horsepower. What do carmakers think about this? Beyond the revenue losses they may suffer (because the customer thinks “why buy the 200HP model if I can tune the cheaper 150HP model?”), they can also face costs for engine repairs or replacements because it was badly managed by a modified EMS. And usually they are not able to prove that.
Carmakers may not care so much about odometer fraud, but would you not care when buying a second-hand car? How can you make sure this lovely affordable station wagon really has 60,000 km on the clock and not the double? In fact, you cannot. However, you may experience the difference... and finally blame the carmaker for poor quality. Would they care about this then?
What is security all about in a car? It is certainly about protecting its commercial value as a whole, not only from the carmakers’ perspective, but also for car owners and to a certain extent for system suppliers. Carmakers have an interest in protecting features from being used when they are not paid for, while ensuring that no additional warranty or maintenance costs due to illegal usage will reduce their profits even further. System suppliers have an interest in offering added-value protection systems, and they also have an interest in protecting their intellectual property. Owners feel more comfortable when they know their car is securely locked and protected when parked, and when their private data are kept confidential. Future owners would be happy to have a guarantee on used cars without having to pay for it.
Would that be all? Well, there is more to risk than money… How can a car protect against security attacks that would jeopardize the functioning of “mission critical” systems? Connection of mobile devices (phones, multimedia readers), connection to the Internet, connection to other cars and to the road infrastructure… the car is becoming part of a bigger IT system which offers access to more services and more value, but also opens up to more threats. Recent academic works [for example, see http://www.autosec.org/pubs/cars-usenixsec2011.pdf] have illustrated how the multiplication of attack vectors via external connections can potentially enable a criminal to take control of the brakes or the steering wheel. Safety is also at risk: connectivity to the car should come with the most stringent security requirements.