In recent news, a vulnerability has been discovered in Honda vehicles that allows attackers at close range to remotely unlock the cars and start their engines. The attack involves capturing signals sent from the owner’s key fob and taking control of the remote keyless entry system.
This particular issue affects nine Honda models, including the Honda Civic LX and Honda Civic Hatchback. Experts have advised owners to protect key fobs with sleeves and even to have them reset at a local dealership if they think they’ve been affected.
With this in mind, we spoke to Bernard Montel, Technical Director of Tenable EMEA, about automotive cybersecurity and what more could be done to address the problem.
Just Auto (JA): Could you explain your role to us?
I’m Tenable EMEA’s CTO, which means I’m in charge of Tenable’s voice at industry events, marketing events, and also customer and press events. Internally, I work to support the field and also liaise with product managers – the people who develop the solutions.
I have worked in cybersecurity for over 20 years. I previously worked for another US security vendor and sold in two different spaces. One is what we call identity and access management, all the protections around identities.
The other is another area called threat detection or response, which identifies threats, detects attacks, and tries to respond to those attacks when customers detect them with tools and technologies.
Why is cybersecurity becoming so important to automotive industry security lately?
I think it’s happening now because we’re in a process of transformation in the automotive industry. I worked for Renault in insurance as a consultant, but that was a long time ago, around 1999. At that time, we were talking about the transformation of the platform; back then the cars used the same platform, but today we are in a period of transformation, and the car is truly connected.
We are in a global business transformation for automakers. We are seeing exactly the same type of transformation that we have seen in any type of industry and on a global scale. IT transformation offers many opportunities, but it also comes with risks.
What are the biggest hacking risks for car owners today?
I think everyone’s focus is on the car itself, but if we take a step back, connected cars aren’t just connected to nowhere, they’re connected to infrastructure, which most of the time is the Cloud.
One of the major risks is really the infrastructure around the cars because the more infrastructure you have to connect the cars, the “attack surface” gets bigger. It’s not just the number of cars that are connected, it’s the number of services and the infrastructure around it that is very important.
One of the main targets would be the infrastructure to get the data, as this is very sensitive data. Because it is sensitive data, attackers want to monetize the data.
The second area concerns the type of service that connected cars can offer. I have an app here and I myself have a connected car; I can open the car, I can open the windows, I can run the fan, I can do a lot of things. By doing this, I know there is potentially a risk so this level of risk must be managed and reduced as much as possible – but we know in our business that zero risk does not exist.
Are new cars and electric vehicles (EVs) more at risk?
The risk for electric vehicles is higher because the infrastructure is larger due to the charging infrastructure. Keeping in mind that the number one goal of attackers is to get money, there are plenty of ways to do that. You can steal data and try to monetize the data you just got, you can shut down the infrastructure and every minute that infrastructure is down there is a cost to the business.
Classic cars, they don’t need as much infrastructure, they just need fuel. The EV needs a huge network to be recharged. If this network is targeted and shut down, then immediately all electric cars are impacted, even without having to penetrate or directly hack the car itself.
Now, the second part about electric cars is that they are inherently more connected; electric cars have a new business model. The more connected devices or services you have, the greater the attack surface.
What should the industry do to prevent cybersecurity threats?
The number one attacks we’ve seen so far are mostly related to third-party software supply chains. For now, these are the majority of attacks.
When using third-party software, you really need to monitor these technologies. The second point is that there is no system without any vulnerability. Imagine you have a map of your system and that map is getting bigger as you have more and more upgrades. You need to know exactly what assets you are in charge of to be sure that if there is a vulnerability, which is raised by security, the researchers fix it immediately because otherwise you leave the door open for some malicious activity.
There are two elements to my responses to this. Number one is really third-party software. Number two is really to manage and understand the complete picture of your infrastructure and immediately remediate if there is a vulnerability.
Do you envision hardware and software vendors collaborating on automotive cybersecurity in the future?
I think the automotive industry will follow other industries so far; it’s a very competitive landscape. In the last 25 years nothing has really happened, now the industry is in the midst of a transformation and a lot has happened, not only because of electric vehicles but because of the new business model and the connected cars that are arriving.
Many don’t collaborate, but very quickly they will realize, at least in the area of cybersecurity, that there is no industry today that does not share what we call “customer intelligence threat”.
The banking industry has shared this for decades. They used to have a quarterly meeting where they shared what they were suffering from, what the new threats were, things like that. If they really want to defeat such threats, they should sit down together and discuss it.
What do you see as the future of this issue?
The automotive industry will continue to grow and offer more services for sure, so the attack surface will continue to grow; it means that this problem will persist so hackers can continue to monetize, that is their main goal.
From the data we have, we can see that the number of cyberattacks against cars has increased by 125% from 2018 to 2021, that’s a huge increase. Car manufacturers have to change models and they have to do it quickly because the competition is very strong.
The greater the attack surface, the higher the risk. We need to manage these vulnerabilities as much as possible in advance to be able to reduce this risk.
Additionally, as all technologies use cloud-based systems, developers now typically code applications privately in a company’s proprietary cloud (not the public cloud), the company’s private cloud. Most of the time, these vulnerabilities I’m talking about are mistakes made by people in the proprietary cloud. So if we can detect faulty code as far in advance as possible, developers are better prepared.