Even your connected car will need antivirus software

Connected cars can talk to each other (vehicle-to-vehicle, or V2V), and they’re starting to be able to talk to the city they’re driving around (vehicle-to-infrastructure, or V2I). That also means baddies can potentially talk to our cars, as we’ve seen in the experimental hack of a Jeep. But hacking isn’t the only danger, because wherever there’s a computer, there’s certain to be a computer virus lurking.

This is the problem Argus Cyber Security is working to address. Granted, there aren’t many viruses being spread from car to car right now, since connectivity in automobiles is still new. But Argus VP Yoni Heilbronn notes in an email interview that by 2020, around 70 million of the 90 million cars projected to ship that year will be connected. While a virus on your computer means someone could steal and misuse your data, which is bad enough, when it happens in your car, there’s potential for physical harm.

That’s still no reason to give up on cars completely and commute on a big-wheeled velocipede bicycle; car companies and tech companies have been working together for a few years now to solve the problem. “There is no silver bullet to cyber security,” says Heilbronn. “You’ll want multiple ‘bullets.'” That includes security that’s baked into the hardware along with layers of software security. “If the software that is baked in is able to be updated remotely, then it is a powerful tool for a car maker or fleet manager,” Heilbronn says.

Consumers won’t necessarily know that Argus or other security software is on board their new connected car unless they ask, since it’s ultimately the auto manufacturer who is responsible for the safety and security of the vehicle. “Although the consumer may not know we’re there,” Heilbronn says, “like the Greek myth, Argus will be the watchful eyes making sure the system is doing what it is supposed to do and absolutely nothing more.” As security needs and standards change, you might soon be able to buy Argus software for your car just as you would McAfee or Kaspersky for your computer.

Aftermarket security could become important soon, since we’re already bringing all kinds of vulnerabilities into the car ourselves. Take the “dongles” that fit into the OBD II port under the dashboard. These often come from insurance companies for usage-based rates, or there are units like the Zubie I tested that tracked my driving habits and vehicle stats. These devices communicate with the outside world, which means the outside world could communicate with them.

“Since the dongle is physically connected to the automobile and to its internal network,” according to Heilbronn, “any malware that successfully breaches the dongle’s security measures or its communication link could potentially inject malicious code onto the vehicle’s CAN Bus [the protocol automobiles use to let on board microcontrollers communicate] and cause unwanted effects to vehicle operations.” Note that as of now, he still says “potentially,” so that’s encouraging.

But about two years ago, Argus did indeed find a vulnerability in a Zubie device, showing that it could be remotely attacked to take full control of the vehicle. Argus made a responsible disclosure to Zubie, which fixed the issues and announced the improvements.

Connectivity is more than just hooking your phone up to your car wirelessly (that’s another potential vulnerability, by the way). V2V and V2I communications are going to be key technologies for autonomous automobiles. Making sure those communications are trustworthy is yet another consideration to add to the conversation as we drive forward.