US-based Arxan Technologies specialises in application security. Its solutions are used to protect a number of applications across a range of industries, including automotive. With an increasing number of cars fitted with wireless connectivity, Matt Clemens, security solutions architect at Arxan Technologies, explains the security risks and what a driver can do to stay safe.

Can you give us an introduction to Arxan Technologies?

Arxan Technologies is the leader in mobile and IoT [Internet of Things] application security. In addition to mobile and IoT applications, we protect desktop and server apps. By including self-protection security controls into applications, our solutions empower applications to protect themselves in today’s highly distributed, untrusted environment. Our application security solutions are running on more than 500 million devices throughout industries such as automotive, banking and payments, healthcare and medical devices, gaming, digital media, and others, ultimately helping enterprises safeguard sensitive data and IP while assuring that the integrity of the application is maintained.

We hear a lot about the Internet of Things along with some potential threats to the motorist. How can a hacker take over control of a car?

The Internet of Things introduces many new opportunities for how technology is used, but connected devices are also under more risk of attack. Connected vehicles are one of the most serious cases as there could be a real threat to human life. There are various ways of attacking a vehicle’s systems, but actually taking control is achieved by rewriting the vehicle’s firmware and using it to send commands through the internal computer network to physical systems like the steering or accelerator.

Presumably once a hacker has gained access to your car, they will have complete access? What or where are the security vulnerabilities in a car?

The level of control a hacker can take depends on the configuration of the vehicle and the way the systems are connected. The infamous Jeep Cherokee hack enabled the [prearranged] hackers to take complete control of everything from the air-con and radio to the transmission and brakes under certain conditions. In other less severe cases, the Mitsubishi Outlander’s security alarm and other systems could be remotely disabled, and the Nissan Leaf’s journey data could be spied upon, as well as systems like the heater being activated to drain the battery.

A common vulnerability in a connected car’s security is the infotainment system, which was used to access the Jeep Cherokee’s systems. The OBD2 port [which provides physical access to the systems] and connected mobile applications also provide possible attack vectors to break and take control.

With an increasing number of cars fitted with wireless connectivity, what can a driver do today to stay safe?

Many exploits arise from outdated software, so drivers should check with their manufacturer or the app developer to ensure their software is kept up-to-date. Drivers should also avoid “jailbreaking” software – taking it outside the normal restrictions to use unauthorised apps – as this exposes it to more threats, and also voids the warranty.

Finally, security-conscious drivers can also check with manufacturers and developers to see if pre-installed and third party apps have been equipped with application self-protection security controls, which are a series of security measures that can be implemented to make them significantly harder to hack.

What products are you proposing to prevent such situations?

We provide a variety of solutions that help to keep the software and mobile applications of connected vehicles safe.

Without changing source code or disrupting software development, we embed a collection of interdependent protection routines, called Guards, directly into an application, and then obfuscate or scramble the result. These Guards appear to be normal code to an outsider, but enable the application to defend itself, to know if it is attacked, and even to heal itself if it is modified. This prevents attackers from making unauthorised changes to the programme functionality – one of the key elements of an attack on a connected car.

Who are your customers?

Our technology is embedded into applications running on more than half a billion devices around the world, including connected vehicles, gaming and digital media services, healthcare and medical devices, and financial services.

Is there a silver bullet to keep drivers safe on the road, i.e. the ability for new cars to have their software securely and safely updated?

Because there are so many different approaches open to hackers, there is no single silver bullet approach that can ensure complete security. However, cryptographic protection is probably one of the most reliable methods. If the car’s software and any associated applications have critical data encrypted, it is much more difficult for an attacker to tamper with the car’s systems. Equally important is to make sure cryptographic keys are not susceptible to discovery during run-time. Protection against this can be achieved by using a robust white box cryptographic solution.

We have all heard of some high profile cases of cyber-attacks on certain car models. Does the auto industry need to change its approach to prevent such attacks, i.e. be overcritical about their processes and early assumptions?

The variety of security issues that have been discovered shows that manufacturers and developers should leave no stone unturned when it comes to hunting for potential bugs and flaws. We believe more attention should be paid to mobile apps, including both official apps and third party tie-ins for things like navigation and media streaming. Advanced application security techniques such as obfuscating the binary code to make it unintelligible to hackers, installing self-protection security controls, and white box cryptography should be standard measures across the industry.

Given the rising tide of consumer concern around the threat of hacking, could cyber security become a differentiating factor for automakers? 

The remainder of this interview is available on just-auto’s Global light vehicle OE connectivity market – forecasts to 2030