It’s widely believed that connected and autonomous cars are one hack away from hitting a catastrophic road block. And while the hysteria from last year’s rash of research-based car hacks—most notably the notorious Jeep hack by two prominent and publicity-savvy security researchers—has subsided, the specter of bad guys running vehicles off the road continues to haunt the general public, policymakers, and automakers.
I believe that the car-hacking threat is serious, if overblown. Geoff Thorpe, head of NXP Semiconductors’ Security Center of Excellence, shares a similar disdain for sensationalism of the subject. But he’s apprehensive about the “metadata” being generated by connected cars and its potential to be mined by marketers and other meddlers.
“The thing with the Jeep hack that was uninteresting was that someone was able to physically compromise a car since it was engineered in the old school of technology,” Thorpe told me this week at NXP’s FTF conference. “But I don’t hold anything against the engineers who were behind whatever it was that fell through there.”
The larger issue, according to Thorpe, is that automakers and their suppliers approach connectivity from a device rather than a network perspective—or more specifically, a combination of the two.
The Internet of Things (IOT) “means precisely the meeting of those two worlds: take the stuff that was traditionally offline and bring it online. It’s also what IOT security is based around,” he said.
“With offline devices, you have to get it right before it ships,” Thorpe said. “On the network side, you have to live with the opposite reality of no matter what you do, you have to update the moment you find a problem. How do you reconcile these two? Everyone, not just the car companies, is being dragged kicking and screaming into IOT, without realizing it.”
Thorpe characterized those on the device side as “somewhat blind, particularly in automotive. They’re blind to the fact that the real security begins once you deploy. On the network you have to think differently.” The solution is “to certify the process, not the product, and the process is post-production as well as preproduction.”
What Thorpe and NXP hope to bring to the table is expertise in device and network security. For example, the company’s chips are used in most of the secure passports used around the world, and its network security products are the gold standard in industries ranging from healthcare to aviation.
NXP recently acquired its largest competitor, Freescale, and the combination of the two companies now makes it the dominant automotive chipmaker. Thorpe sees this as an opportunity for the car world to benefit from NXP’s experience in broader device and network security.