June 26, 2017

Automotive Cybersecurity

Automotive cybersecurity is a dynamic environment and is rapidly evolving. While there are no well established standards to secure vehicle information access and sharing as of the writing of this article*, we expect the automotive industry to embrace best practices and adopt approaches used by the IT industry for securing user and vehicle information over the cellular network and the Internet.

Vehicle Connectivity

Vehicle cybersecurity

Vehicle cybersecurity

Building on the developments in cloud and mobile computing technologies, vehicle connectivity platform requires flexible design approach and information architecture to adequately support automotive industry’s need for real time data collection and synthesis with emphasis on security, high throughputs from underlying big data analytics and telecommunication infrastructure. Additional requirements include highly reliant cloud software infrastructure, automotive data taxonomy, open car standard interfaces, mobile cross platform application frameworks, real-time datastore access, and vehicle connectivity links for OBD II standards compliant plug-in devices via Bluetooth and WiFi communication protocols and cellular networks.

As the industry evolves to support smartphone integration with in-car systems for connected and autonomous vehicles and Intelligent Transportation Systems in the future, it should be possible to extend vehicle connectivity platform to link with vehicular communication systems and federated cloud services.

The following sections refer to industry standards, vehicle connectivity model and data access points used to satisfy connected car use cases. These are separately identified in the report.


  • Bluetooth, WiFi communication protocols (IEEE 802.11x, 1609.x).
  • Vehicle connector standards based on SAE J/1939. J/1962, J/1850, J/2480, and ISO 14230, 9141, 15765, KWP2000, 11898 CAN Data Link.
  • SAE J/2735 specifications for V2V, V2I wireless interfaces.
  • SAE J/1979 specifications for OBD II PIDs.
  • Open standards OBD II libraries.

Vehicle Connectivity Model

  1. OBD II and CAN Bus Architecture.
  2. Open CAR APIs for connectivity with infotainment systems.
  3. Open iOT APIs for connectivity with devices.
  4. Direct integrations with third party appliances and solutions.

Vehicle Data Control Points

  • Infotainment System Operating System.
  • Software algorithms and interface hooks, data sharing links.
  • OBD II Internal Hardware, External Devices and Firmware.
  • ECM/ECU, CPU, Other Control Units.
  • Vehicle Sensors and Actuators.
  • Vehicle Position Data.
  • Human Machine Interface (HMI) links.
  • GPS, Geospatial, Geolocation, Geofencing Digital Data Mapping Services.
  • App Stores, Gaming and Automotive Applications.
  • Applications in-car, Mobile applications and Content.
  • In-Vehicle Network, Data Gateways.
  • WiFi Hotspots, Payment Gateways.
  • Cloud Data Networks.

Automotive Cybersecurity Model

Securing vehicle data and in-car systems vulnerable to external attacks require solutions to:

  • Prevent unauthorized electronic access to vehicle systems.
  • Prevent firmware updates other than those from authorized OEM networks.
  • Leverage Public Key Infrastructure to secure peer communications.
  • Use of digitally signed code for network and vehicle communications.
  • Application level access controls for users, vehicles and iOT devices.
  • Infrastructure level security for data systems.
  • Data tier access controls for users, vehicles and iOT information.
  • Vehicle level security for monitoring threats.
  • Park and abort type systems for securing hacked vehicles.
  • Global monitoring of rogue interference and vehicle network infiltration.
Secure Vehicle

Secure Vehicle

OBD II Connected Systems Vulnerable to Threat

As an industry, our ability to firewall access, track, monitor and log users and data streams accessed is dependent on the choices available to collaborate and work with the automotive partners and security infrastructure ecosystem.

Evaluating and securing the various access points inside vehicles is important to prevent unauthorized interference from connected services. Some of the systems that may be vulnerable to being hacked or hijacked are listed below.

  • ECU’s.
  • OBD II Ports.
  • Aftermarket devices.
  • Firmware.
  • Applications and tools used to read and inject data streams.
  • Cloud Infrastructure.
  • Unencrypted and Weak Passwords.

Explore Your Options

The lifecycle of mobile applications and the automotive industry are challenging with new features being rolled out more regularly on smartphones OS by Google and Apple than by the car manufacturer. In a way, it is a positive development because investments on mobility features can last longer for customers. A modular approach allows users to choose from mobile application features to go along with a range of functions or specific operations with connected devices. These include reading of live data from vehicles, over-the-air updates, data analysis, remote diagnostics, quoting services, provisioning across cellular carriers, and such.

Looking Forward

The structure of the automotive industry is very different. It is global and the vehicles have a mix of diverse systems and OEM specific implementation with different approaches based on local regulations. Automotive Cybersecurity is a complicated issue and it requires careful review of the privacy policies proposed by the industry, state and federal legislative agencies around the world, and approaches implemented by the car manufacturers.

In addition to bringing together the best connected car technology, we wanted to identify opportunities and challenges facing the automotive industry, the growing need for cross-industry collaboration on security, data and network information systems that would be necessary to overcome the current teething problems, the importance of bridging the fragmented ecosystem together on a common platform and build this industry to deliver on its enormous potential to generate revenues and build stronger relationship with the customer.

This article is not a complete report and contains material from research and development of innovative telematics platform by founders at SHIFTMobility Inc. Any opinions, findings and conclusions or recommendations expressed in this article are those of its author(s) and do not necessarily reflect views of the automotive industry. 

*Automotive Cybersecurity for Connected Car, Internal Report, 19 March, 2015

Arvind Jain and Pavana Jain, Co-founders, SHIFTMobility Inc.