This post results from the project “Automotive Cybersecurity”(ACS) within the Munich Cyber Security Program (MCSP) The MCSP is a cooperation project between Champlain College and ComCode (Germany). This project focuses on cybersecurity topics for connected cars.
This week I got the opportunity to interview Dr.-Ing. Mohammad Hamad, a Postdoctoral Researcher in the Embedded Systems and Internet of Things group in the Faculty of Electrical Engineering and Information Technology at the Technical University of Munich (TUM). Dr.-Ing. Hamad is researching autonomous vehicle security and IoT security, both of which are rapidly developing fields.
After introductions, I started the interview by asking Dr.-Ing. Hamad about his goals and why he works at the University. Hamad stated that he loves working with bright students and having the opportunity to work at a highly recognized institution creates lots of networking opportunities–something to note is that TUM is a global university, with a large international student body.
[in terms of vehicle endpoints] What would you consider the biggest automotive security vulnerability to be?
Hamad emphasized that approaching vehicle cybersecurity is a holistic process– if a vehicle is interconnected, whether it’s via IoT devices or built into the car itself, the entire vehicle is a part of the attack surface and is considered a vulnerability. According to Hamad “security is used to be a second thought” and is implemented retroactively as opposed to following security-by-design logic. He further elaborated that “pushing toward more user comfort without caring about security opens the door to attacks,” anything that adds convenience such as vehicle-2-cloud or vehicle-2-everything grows the attack surface.
Hamad’s philosophy reflects that of recently published modern regulations and security standards: a system that is 99% secure isn’t really secure, and the responsibility to uphold cybersecurity trickles all the way down to developers. Part of the issue Hamad addressed was that programmers may not be fully aware of proper cybersecurity implementation and IT professionals aren’t necessarily security professionals. “Even in the best companies, people cannot always care about security,” said Hamad. Consider most business models: there’s always going to be other priorities such as profitability, maintaining lower prices for consumers, and accelerating innovation to consider that often conflict with cybersecurity goals. Hamad is trying to explain that cybersecurity is often not the priority it should be. Hamad’s reasoning for why the automobile as a whole is the biggest vulnerability was that patching one hole won’t fix the larger problem, since there will be always zero days attacks and “we are fighting the future” when it comes to cyberattacks.
Do you think what is currently being done in terms of regulations and standards is enough to mitigate the potential for catastrophic damage?
“In 2013, 2014, when I started my PhD, we were depending on ISO 26262, it was not enough.” Hamad stated that thanks to the recent standards and regulations such as ISO 21434 and UN-R-155, companies and their employees are forced to care more about cybersecurity, including further down the supply chain. Furthermore, attack likelihood is lower when people are forced to be aware. “It’s not enough [the regulations], but it’s an important step forward– people have to care,” said Hamad. He explained that advancements such as machine learning introduce a new attack surface, and rapid development presents real dangers. At the end of the day, Hamad believes that those involved in vehicle components need to forget the most basic concepts and reconsider their approach with security in mind as opposed to rushing into enticing new technology without understanding the associated security risks. “I hope in 5, 6, 10 years, maybe things will get better.”
“There’s a miscommunication between industry and academia,” was a standout comment made by Hamad during our interview. He explained that most people who are working on standards and regulations often come from the industry, with fewer academics in their development process. Hamad also shared his concerns about the government point of view, citing the dangers of vehicle fleets being targeted by terrorists if automated vehicle technology is released too soon, and without adequate cybersecurity practices in place. “No autonomous car should be on the road if the car is not secure.
What advice do you have for OEMs/suppliers? People involved in automotive cybersecurity? The general public/future smart vehicle owners?
“For the OEM, I’m perhaps biased, but they need to come talk to us,” Hamad said. He stated that oftentimes, security positions are filled by existing employees, employees who aren’t specialized in automotive cybersecurity. “Look at the people. Hire the right people,” referring to those who work in cybersecurity, beyond engineering. He also emphasized that existing workers must understand security basics in order to integrate security as a whole into their work. Additionally, “it is our duty as a university to teach automotive security as part of our study program. I always try to do that as part of my courses that I teach here at TUM.”
Hamad and I discussed how in the past, hacking a computer had a limited impact on someone’s safety– most instances resulted in a financial loss or in more extreme cases, identity theft or loss of confidentiality. In the realm of automotive cybersecurity, there is a direct impact on human life when the vehicle is compromised. Bluntly, everyone needs to work together to ensure that the passenger won’t be killed by a hacker.
Hamad explained to me that OEMs need to treat your vehicle like a bank treats your money– to treat security like they treat safety. Ultimately, any user should understand on a general level how the vehicle works to protect you, just like how most people understand what financial institutions do to protect your assets.
Should vehicle cybersecurity be handled differently than the way we handle our PCs and mobile devices?
Hamad began by referencing the differences in systems: for example, automobiles use the CAN protocol for internal communication, something that isn’t shared in the world of smartphones and personal computers. He also addressed some of the similarities: automotive ethernet is a possibility, and could utilize some of the same protocols that existing devices use today. According to Hamad, applying existing knowledge such as TLS protocols to the automotive industry has some potential benefits, but precautions still need to be taken. Broad functions such as system administration would likely look different in vehicles, especially since monitoring capabilities may not scale the same with vehicles. Hamad said “system function and complexity is different [between cars and other devices], but this doesn’t mean that we need to create a new solution from scratch.”
What recommendations do you have for students like myself who are looking at automotive cybersecurity as a potential career, and is there anything else you’d like to add?
As is true with many careers, Hamad recommended that expanding upon your knowledge outside of your specialization is critical to success– speaking to others in different circles, finding places to apply your learning, and always seeking to expand your understanding of cybersecurity were key elements he mentioned. It was just as important to Hamad that students understand the broader scheme and not just focus on networking, forensics, or programming. Despite this last statement, Hamad emphasized that vehicle forensics is critical to automotive cybersecurity. Attacks are inevitable, and someone will have to be held responsible: both directly for the crime, and the developer of the vulnerable system.
Here are some final notes from Dr.-Ing. Hamad that will likely resonate with readers:
- Be proactive about security issues, we can’t wait for people to be killed to take action
- Even if we can achieve fully autonomous vehicles (Level 5 autonomous vehicles), they likely won’t be able to be properly secured if we do not take security seriously.
- Business models are affected by security: cheap products aren’t typically secure, since they aren’t tested as vigorously
- We need to agree on rules and standardization in order to be successful
I’d like to thank Dr.-Ing. Mohammad Hamad for taking the time to share his opinions and perspective on automotive cybersecurity with me. This has been an excellent opportunity to hear an international perspective and collaborate with the Technical University of Munich.
Follow us for more updates on this project! For further questions about Munich Cyber Security Program, or this project please feel free to contact email@example.com
–Written by Parker Soares ‘24 //Computer Networking & CybersecurityFollow Us!