The Government-sponsored Trustworthy Software Initiative (TSI) says fleets are risking their vehicles being hacked if they let them connect with external devices.
The warning comes following Ford’s announcement at the recent Consumer Electronic Show that in the future its vehicles will be able to connect with Amazon Echo, the smart device that can voice operate other devices in the home wirelessly.
TSI’s concern is that, with the advent of the ‘internet of things’, a home’s lighting, heating and white goods are all being linked to the internet – and to vehicles.
A car could connect wirelessly to the systems in a house. The theory is that hackers can use an access point in the house connected to a vehicle to get to the car’s systems.
According to TSI, the more elements connected to the internet and to each other, the more chances there are for a vulnerability to be exploited.
While most company car drivers may not have smart homes yet, TSI, which is funded through the Government’s National Cyber Security Programme (NCSP), believes technology is rushing ahead of regulation.
Tony Dyhouse, TSI knowledge transfer director and software security specialist, told Fleet News: “A car is now an internet browser on wheels.
“We’re connecting devices to everything at a rate of knots. Those home devices can be a very uncertain property and any fleet operator is taking a risk by letting drivers connect vehicles to external devices.”
Dyhouse said fleets should take the same attitude businesses have to any downloads that are made at work on PCs, with all software treated as malicious until checked.
A Ford spokesman said the company has long been aware of security threats to connected vehicles and takes security “very seriously by consistently working to mitigate the risk”, adding: “We focus on the security of our customers before the introduction of any new technology feature, by instituting policies, procedures and safeguards to help ensure their protection.
“We are not aware of any instance in which a Ford vehicle was infiltrated or compromised in the field.”
Dyhouse said the conversation is not limited to Ford. All carmakers are preparing future vehicles to connect with external devices.
He said: “It’s worth discussing concerns and getting all affected parties, including manufacturers and the Government, to discuss what’s being done to improve vehicle security.”
There have been examples of vehicle manufacturers not taking basic safety measures with software by not encrypting diagnostic data that is sent between vehicles and warranty or servicing departments, according to Dyhouse.
He says one way vehicles could be made more secure is for the operating system that controls critical features like brakes and the engine to be sectioned off separately from the controls for other features like entertainment.
He added: “Currently, if a hacker gains access to the entertainment system, they gain access to the engine and brake controls too on most vehicles.”
Dyhouse suggests there should be some sort of certificate of competence for software applications that are developed, so users and drivers downloading them can know they have at least been submitted to a strong quality check process.
Thatcham Research says it has concerns about carmakers and cyber security on future vehicles.
“The Chrysler Jeep hack showed the existing vulnerability of many current vehicle electronic and communication architectures, and carmakers will in future have to demonstrate to consumers and insurers that these vulnerabilities have been protected,” said a spokesman.
However, the company acknowledged that manufacturers are investing a great deal in an effort to ensure security between connected vehicles and home devices.
The spokesman continued: “Given the novelty of many digital devices, we understand that this is an area for constant active surveillance and management by the vehicle manufacturers.
“Thatcham Research will be working in future to create independent ways of assessing the capability of vehicles to resist hacking attempts.”