A connected car authorization framework is in development that can provide a conceptual overview of various access control decisions and enforcement points needed for dynamic and short-lived interaction in a smart car ecosystem.
“Driverless and connected cars are increasingly becoming a part of our world, where cybersecurity threats are already a reality,” said Ravi Sandhu, Lutcher Brown Endowed Professor of computer science at the University of Texas at San Antonio and founding executive director of the UTSA Institute for Cyber Security (ICS), who is working on the framework study with Maanak Gupta, doctoral candidate at The University of Texas at San Antonio. “It’s imperative that we support research that addresses these concerns and presents a strong, innovative solution.”
Cars with Internet connectivity, also known as “connected cars,” offer potential for many conveniences and innovations. They could allow for real-time and location-sensitive communication between drivers or even pedestrians, which could help make the roads safer for both. The connectivity could also allow the cars to capture safety and environmental conditions around the vehicle, including road obstructions, accidents, which also enables real-time vehicle-to-vehicle interaction on road.
“Connected cars have almost infinite possibilities for creative technological applications,” Gupta said. “Companies could even take advantage of the connectivity to implement location-based marketing tactics, providing drivers with nearby sales and offers.”
However, the reality is as soon as cars are exposed to Internet functionality, they are also open to cybersecurity threats that loom over computers and cell phones. For this reason, Gupta and Sandhu created the authorization framework for connected cars which provides that conceptual overview of various access control decisions and enforcement points needed.
“There are vulnerabilities in every machine,” said Gupta. “We’re working to make sure someone doesn’t take advantage of those vulnerabilities and turn them into threats. The questions of ‘who do I trust?’ and ‘how do I trust?’ are still to be answered in smart cars.”
Gupta and Sandhu’s framework shows an access control oriented architecture for connected cars and proposed authorization framework, which is a key to determine what and where vulnerabilities can be exploited. They further discuss several approaches to mitigate cyber threats in this ecosystem.
Using this framework, the team at ICS is working to create and use security authorization policies in different access control decision points to prevent cyber attacks and unauthorized access to sensors and data in smart cars.
“There are infinite opportunities in this new IoT (Internet of Things) domain but at the same time cyber threats will have serious implications in smart cars. Can you imagine if someone controls your car steering remotely, or shuts down the engine in the middle of the road?” Gupta said. “There should not be absolutely any open end to orchestrate attacks on these cars.”
The authorization framework can also be applied to driverless cars, noting these vehicles may be even more vulnerable to cyber threats, Gupta said.
“If we’re going to open the world to cars driven by machines, we must be absolutely certain that they aren’t able to be compromised by a malicious attack,” he said. “That is what this framework is for.”