Mobile Authentication in Self-Driving Cars: Present and the Future


In light of Tesla finally rolling out integration of 2FA into its car app, the discussion of access point security via mobile authentication is picking up again. Let’s talk about the dangers of improperly incorporating and securing mobile ID when it comes to self-driving cars.

The news that Tesla is finally rolling out two-factor authentication to its car app made waves around the world last week. And it’s great news — although we would have loved seeing it sooner. 

Even more importantly, it reopened earlier discussions around cybersecurity in this expanding market. Did you know that it is predicted that the Global Connected Car Market will grow from an estimated $63 Million in 2017 to $225 Million in 2025 at a 17.1% CAGR?

With the number of autonomous vehicle (AV) users growing, it’s easy to see why discussing and improving AV cybersecurity, and possibly even imposing regulations on minimum security requirements, should be of utmost importance to everyone involved.

However, cybersecurity in self-driving cars is considered problematic by many. Historically, these cars haven’t fared well against hacking attempts, both at access points and throughout the ride. 

That means that not only could someone hack your car to access it, but they could take over control of any part of the vehicle at any time, which raises various other safety concerns. All things considered, it’s no wonder that end-to-end security protocols of each connected part of the AV are the main topic when talking about cybersecurity of connected AI and IoT devices in general. 

Be that as it may, today I’ll focus on what I know best: mobile ID management for AV access control and continuous AV app user verification. Let me take you through the needs and dangers of improperly incorporating and securing mobile ID when it comes to AVs. 

AV Driver Identity Authentication Lagging Behind the Current Cybersecurity Trends

Whereas most online services today are already relying on various authentication, user verification, and fraud prevention options, the best of which utilize secure multi-factor authentication protocols, AV driver identity authentication is lagging behind. 

As mentioned above, Tesla, the leader in this field, has only now implemented 2FA, which is far from the state-of-the-art authentication that we would like to see in connected devices. 

Not long ago, we saw demonstrations of how easy hacking cars can be.

For example, security researchers Charlie Miller and Chris Valasek remotely hacked the Jeep Cherokee of a Wired journalist, taking control of everything from the window wipers and radio to the accelerator and brakes. Moreover, we’ve also seen how phishing could be used against Tesla owners.

Now, with SMS-based 2FA, SIM swapping becomes another huge issue, further increasing the cybersecurity risks associated with AVs. If hackers manage to take over the phone number of an AV driver, they could intercept the one-time SMS code and get into that driver’s car.

Besides the car itself, other sensitive data stored by the car phone app could be at risk as well. I’m talking about location history and information, in-car payment information, and a lot more. 

Furthermore, if a criminal were to remotely take control of your car, major safety concerns arise. The criminal could reprogram the autopilot or even tamper with your accelerator or brakes as in the demonstration above. 

Unlike personal bank or phone accounts, if an AV is hacked and compromised, the breach can put not only the driver in danger, but passengers, pedestrians, and other drivers as well. This potential for destruction and liability is why security and mobile identity control must be of the utmost importance to AV and the entire car industry.

So, what can be done to improve the authentication security of self-driving cars? Let’s first go over the access point security measures currently in place and see what can be done to improve them. 

Secure Mobile ID to Strengthen Access Control Security of AVs

Currently, there are two ways to unlock your Tesla: the phone app key and the key fob. As for the key fob, it comes with a passive entry option that will automatically lock and unlock your car whenever you come into proximity. However, the fob is easy to lose, and having to carry it with you at all times is a detriment to user experience. 

Phone app users will soon be able to turn on SMS-based or third-party authenticator app-based 2FA.

While 2FA is in every way better than nothing, users should avoid using SMS-based 2FA, which has been proven ineffective on countless occasions. Authenticator app-based 2FA is a lot more secure. 

Other than that, Tesla comes with an option that requires the user to put in a PIN to be able to drive. While this could definitely come in handy, the question of how effective this PIN would be against criminals has to be raised.

What other options are there to increase AV security with strong mobile ID?

In keeping with current trends in the authentication industry, biometrics are being talked about as a potential way of managing AV security. However, biometric authentication options are still limited to concept cars. 

While we’re waiting to see biometrics actually incorporated into commercial self-driving cars, it’s worth noting that although the user experience is vastly improved with biometrics, concerns like potentially having your biometric data stolen may outweigh the good UX.

That’s why we’re pushing for multi-factor authentication (MFA), where multiple authentication points cover for each other’s weaknesses, as a superior mobile ID solution for securing the access points of self-driving cars.

In particular, when individual authentication points are capable of continuously verifying the user’s identity based on contextual clues, the security increases exponentially. 

In practice, this means that a driver could use some type of biometric authentication on their phone to unlock their self-driving car. Based on contextual clues and the assessed risk, the driver’s mobile ID could be reverified in the background while driving. If the assessed risk passes a certain threshold, the driver would be required to re-verify their identity using biometric authentication or some third authentication method. 
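The flow described above can be sketched as a small risk-based step-up policy. This is an added example, not code from the article or from any vendor; the signal names, point weights, thresholds and the rule that a challenge is deferred while the vehicle is moving are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Illustrative weights (risk points) per contextual signal; all values assumed.
WEIGHTS = {
    "sim_changed_recently": 50,  # possible SIM swap
    "device_mismatch": 40,       # app session on a device that was not enrolled
    "phone_far_from_car": 30,    # phone and vehicle locations disagree
    "unusual_hour": 10,          # outside the driver's usual pattern
}
STEP_UP_AT = 40       # at or above: biometric re-verification
THIRD_FACTOR_AT = 80  # at or above: an additional, independent factor


@dataclass(frozen=True)
class Context:
    sim_changed_recently: bool = False
    device_mismatch: bool = False
    phone_far_from_car: bool = False
    unusual_hour: bool = False
    vehicle_moving: bool = False  # not a risk signal; controls when to prompt


def risk_score(ctx: Context) -> int:
    """Sum the points of every signal that is set, capped at 100."""
    return min(100, sum(w for name, w in WEIGHTS.items() if getattr(ctx, name)))


def decide(ctx: Context) -> str:
    """Map the assessed risk to an action for this background check."""
    score = risk_score(ctx)
    if score < STEP_UP_AT:
        return "allow"
    action = "third_factor" if score >= THIRD_FACTOR_AT else "biometric"
    # Assumption: a challenge is never shown while the car is moving; it is
    # queued and enforced at the next stop.
    return f"defer_{action}" if ctx.vehicle_moving else action


# Constructed sequence of background checks during one trip.
TRIP = [
    Context(),
    Context(unusual_hour=True, vehicle_moving=True),
    Context(sim_changed_recently=True, vehicle_moving=True),
    Context(sim_changed_recently=True, device_mismatch=True),
]

if __name__ == "__main__":
    for ctx in TRIP:
        print(risk_score(ctx), decide(ctx))
```
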

All in all, it’s simple. 

For self-driving cars to truly fulfill their potential, users will need to trust them. For users to trust them, self-driving cars must ensure maximum safety and flawless security, end-point to end-point. And if we’re talking about continuously authenticating the driver’s identity, I strongly believe that their mobile ID is the way to go, always verified through MFA. 

IPification fits in perfectly as part of this continuous, multi-factor authentication system. It’s capable of picking up contextual clues and ensuring continuous security by verifying a user’s mobile ID via their SIM card and device data. Best of all, it’s ready to be integrated into your mobile app within days. 
