MWC Post-Mortem – Connected and Self-Driving Cars

With the dust settling on MWC for another year, one lingering question might be ‘when did MWC turn into The Barcelona Motor Show?’ At first sight it may have seemed jarring to see so many cars proudly being shown off at the show; in fact, it makes a lot of sense when you consider that in Q1 of 2016 more new mobile-network connections were added for cars than for phones. On almost every large MWC stand, connected cars featured as a headline act, in particular in relation to emergent 5G technology, on which they will rely heavily.

The truth is, connected cars are already a reality – and as we press forward, the depth of their connectivity is going to increase. Right round the corner now are self-driving cars, which present a significant security headache. Just this Monday, Nissan began testing their fleet of autonomous cars on public roads in London, clocking up hundreds of miles in a data collection exercise – the firm hopes to have everything in place to use them as taxis for the 2020 Olympics in Tokyo.

Mobile networks and car manufacturers alike were at pains during MWC to stress that testing has been extremely encouraging and mainstream driverless vehicles will be on the road within the next few years.

Interestingly, despite this week’s London tests, Nissan are not the first to perform such trials. The front runners in the race for self-driving cars are Google and Uber, both of whom are testing their offerings on roads in the US – and neither of whom are car manufacturers. The likely reason is that the payment model for self-driving cars is, at this early stage, looking like it will lean toward an on-demand, subscription-based service rather than outright ownership.

What’s certain is that from a security standpoint, a strong relationship is going to need to form between car manufacturers, subscription model service providers like Uber, infrastructure providers and whichever network provider is responsible for managing the data between the two. Intercede representatives on the floor at MWC this year were keen to press those manning the stands on their security considerations.

What they found was that there’s a lot of confusion and buck-passing regarding who in the relationship between end user, manufacturer, technology provider and service provider will ultimately assume responsibility for security. Several hopeful service providers told us that, naturally, car manufacturers and network providers would be responsible, whilst one of the world’s leading network providers claimed it would be the service provider’s responsibility.

The truth, of course, is that the responsibility lies with all of them. The problem is this: despite their claims, car manufacturers don’t have the depth and breadth of cybersecurity experience necessary to assume the responsibility alone – it will need to be a collaborative effort. And we all know that plenty of network providers have dubious cybersecurity records at best and, at worst, a track record of letting the bad guys in.

To ensure that every link in the connected and autonomous car ecosystem is secured, many aspects will need to be outsourced to, and collaborated on with, cybersecurity companies, so that the task is approached with appropriate due diligence.

Establishing Trusted Digital Identities and authenticating them through methods such as PKI technology and digital certificates, rather than the traditional reliance on username and password, will become critical. And this gives us even more reason to believe that experts in this field will become key to the success of the IoT and autonomous tech.

The cars of tomorrow are exciting, but they put millions of lives in the hands of companies who don’t really seem to have figured out where the responsibilities lie. Before they hit the roads, we need clear standards; and cybersecurity experts need to be involved from the start.

Connected Cars and Threat Landscapes

“If somebody wants to interfere with a car today then generally they have to go to the car itself. But as soon as it’s connected they can be anywhere in the world – your threat landscape is quite significantly different and the opportunity for a hack is much higher” said Intercede’s Chief Innovations Officer, Nick Cook, quoted in a recent BBC comment on connected car security.

A widening ‘threat landscape’ is something Intercede has been developing solutions for, over the last 15 years.  As consumers, we’ve gradually poured more and more of our lives into ‘the cloud’, relying on the security practices of our service providers and their products, often based half a world away from us. In 2017, we sit at the cusp of a seismic shift in said threat landscape: the “Internet of Things” (IoT) and with its advent our focus as a Company on securing connectivity has sharpened. 

Previously, cybersecurity practices have been largely intended to protect personal data: our banking, social media accounts, email etc. Usernames and passwords were considered generally ‘adequate’ at providing the necessary protection. In fact, it transpires, they never were, and their inherent vulnerabilities have resulted in millions of hacked records worldwide! When you start connecting cars, pacemakers and cameras to the internet, cybersecurity becomes a matter of personal safety, and removal of the outdated, clumsy password paradigm becomes critical.

We’ve seen already how connected cars can have very real security flaws, as well as how harnessing the IoT with malicious intent can bring much of the internet to its knees. It’s up to manufacturers to reconsider the foundation of their cybersecurity protocol with connected things, making sure every link in the cybersecurity chain is completely secured, to ensure we’re able to reap the benefits of the IoT without unnecessary risks. 

Our solutions establish a secure digital identity between the user and service provider, without the use of passwords and right down to the device and even chip-levels.  Built with best-in-class security components such as multi-factor authentication, 2-way SSL, PKI Certification, Encrypted Keys and trusted workflows, Intercede’s solutions offer the protection for securing the IoT and its connected devices, without a single password in sight! 


Lock down your login

Today marks the launch of a campaign dear to our hearts here at Intercede – in collaboration with the White House, the US National Cyber Security Alliance (NCSA) and more than 34 other companies and NGOs, we’re proud to announce our support of Lock Down Your Login, a campaign to encourage people to secure their online accounts.

72% of Americans think their online accounts are secure while relying only on usernames and passwords – but every two seconds, there is another victim of identity fraud. It’s time people became aware of just how insecure and antiquated a system the username and password really is. The answer is strong two-factor authentication, and the campaign is designed to make people aware of how to start using it where it’s available.

RapID is a piece of technology designed by Intercede to give app developers and service providers the tools to implement watertight two-factor authentication into their mobile apps cheaply, securely and to whatever scope they require. To find out more, visit the website.

Establishing digital trust in a connected world

By Chris Edwards, Chief Technical Officer, Intercede.

The Intercede event at The Shard on Tuesday 24 November brought together some interesting perspectives on the subject of trust within the context of an increasingly connected world.

The Futurist’s view: considerations for a digitally interdependent world

Kicking off the event with a view into the future, Lubna Dajani encouraged us to consider the wider ramifications of the path that we seem to be inexorably pursuing towards ever greater connectivity and automation. The increasing reliance upon networked communication to monitor and control our critical services, personal environments and social infrastructure brings with it a rapidly escalating degree of fragility.  As we stack the technology tower ever higher, we need to take a serious look at exactly how solid its foundations are.

Once the more tangible and measurable aspects such as  physical interconnects and data transport are addressed, we get to the layer where measurements, commands, requests and instructions are transferred between two or more elements in the network.  Whether these are people, simple sensors, AI-based systems or industrial controllers, the data connection now requires the concept of trust. In order to establish trust, any two components will need a means of identifying one another. The desired level of confidence in these identities will vary considerably according to the nature of the communication between them, but as we move the technology into increasingly critical systems that initial authentication must become correspondingly stronger.

The discussion considered people having embedded chips as an example of more positive identification. With all such technologies, though, there is a downside. In this case it is the loss of the ability to operate anonymously, given that an individual has no real means to establish the trustworthiness of every system with which they might interact in such a broadly connected world. The trade-off here has now moved from the two-way ‘security versus convenience’ to introduce the third corner of the triangle – privacy.

The cost of getting it wrong

Having stretched our minds into the future, the next panel considered the legal and financial impact of digital transactions and systems. It is clear that the significant data breaches of the past decade are, if anything, escalating (or at least attracting more publicity). The wider public is more aware of the risks than was the case a year or two ago. Reference was made to the Intercede ‘millennials’ consumer survey that showed a worrying (though clearly justified!) lack of trust in the current digital ecosystem, infrastructure and service providers. It is evident that security concerns and real failures are having a significant financial impact on e-commerce: through discouraging consumers from participating, through damage to companies’ reputations and through fines imposed by regulators. However, evidence seems to suggest that the reputational damage is variable – most stocks and businesses seem to recover from the impact of the initial negative publicity relatively quickly, even though the short-term financial impact can be considerable. It would appear, though, that as more competing service providers emerge in each sector, sustaining consumer trust is going to become ever more important to achieving commercial success.

Solving the password problem

Having considered the problems that have to be addressed, the event then moved on to discuss how current and emerging technology can be used to address many of these issues and concerns. One of the most significant factors affecting security and usability of connected services is the globally discredited use of passwords. This problem has been with us for a considerable time and for much of that period the answer has been to make passwords more complex. While this raises the bar a little to the ‘brute force’ attacks on systems, it has a disproportionate impact on the user experience. The cognitive load of recalling dozens of complex character sequences that mustn’t be reused and must change regularly has made this completely unfit for purpose.

Worse than the poor usability aspects though is the fact that for the most part passwords offer very poor security.  Whether the servers leak data or get hacked, or users inadvertently sign on to phishing sites, or key-loggers and insecure network connections allow third party interception of passwords, the net result is that everyone is exposed to a high level of risk. As long as you authenticate with some form of secret that can be stolen and replayed without your knowledge, the system is inherently insecure.

Cryptographic solutions to this problem have been available for a considerable time. Cryptographic ‘challenge-response’ solutions, where a private key signs a fresh challenge from the other party and so authenticates its holder without the key itself ever being transmitted, are already used in many aspects of connected life. The most obvious case in point is PKI authentication of the websites and services that are used by millions every day. Without a high level of trust in the connections to those sites, e-commerce would be unable to continue operating. However, until recently, the difficulty has been how to achieve an equivalent level of trust in the opposite direction: how can I identify myself to the service provider with an equally high level of assurance?

This problem primarily distils down to two concerns: (a) how can I securely distribute, store and protect cryptographic keys so that only I can use them, and (b) how can I limit the unwanted sharing of my personal data and behaviour, either by direct information leakage or by indirect data aggregation. As the third session explained, the emergence of the current generation of mobile devices has brought with it the very technology that we need to deliver these elevated levels of trust. For a few years now, the ARM processor chips that power the vast majority of smartphones, tablets and other devices have included the ‘TrustZone’ architecture in the design of the silicon. This is in effect a small, self-contained execution environment that runs alongside the main operating system and can support cryptographic operations, a trusted user interface and ‘locked down’ security components to enable key storage and even biometric authentication.

In other architectures, we have seen ‘trusted platform modules’ capable of providing a low-level hardware-backed key storage and crypto-processing services on laptops and desktop machines. These are actually mandated in the newer versions of Windows for example. What has been missing until very recently are the services necessary to exploit this inherent capability.

So the challenge is no longer ‘what can we use to authenticate’ but ‘how quickly can we deploy viable services to utilise these features’.

This is where the final section of the day’s event then focused. Intercede Labs is a new venture from Intercede (a well-established UK and US credential management software and service provider) that aims to work with partners to explore and market-test a range of innovative, potentially disruptive solutions that build upon the existing components and skills of the company. Operating from its base in Silicon Valley, Intercede Labs has already started making waves with its RapID project. RapID offers a highly secure client authentication platform for mobile apps that requires just a few lines of code to implement in the client and server, it uses a dedicated cloud credentialing service for each relying party and preserves anonymity. Better still, it doesn’t require a new communications protocol – it uses client TLS authentication that is universally implemented, but has until now been constrained by the difficulties of key distribution, storage and lifecycle management. RapID directly addresses those problems and delivers an extremely smooth user experience where a simple fingerprint or common PIN can be used to authenticate securely to multiple sites without any special knowledge or extensive infrastructure.
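The two ideas above, a private key proving itself by signing a challenge (the ‘challenge-response’ of the password section) and client TLS authentication as the carrier for that proof, can be seen end to end in the following Go program. It is an added example written for this page using only Go’s standard crypto/tls and crypto/x509 packages; it is not RapID code and does not model Intercede’s credentialing service, which the page does not describe in enough detail to reproduce. The CA names, the relying-party hostname service.example and the user name alice are invented for the demonstration. The program issues a small PKI in memory, runs a mutually authenticated TLS session over loopback, and then shows the two failures that matter for a relying party: a client with no credential at all, and a client holding a certificate with the same name issued by a CA the server does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // a failed crypto call ends the demo; no error plumbing
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert mints a P-256 key and a one-hour certificate for cn, returned both parsed (for a
// trust store) and packed for crypto/tls. A nil parent makes it self-signed, i.e. a CA.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn} // the server leaf must satisfy the client's ServerName check
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake runs one TLS session over loopback: the server insists on a client certificate chaining
// to ca and answers with the authenticated CommonName, while the client verifies the server against
// the same ca. A nil client models a caller that holds no credential at all.
func handshake(ca *x509.Certificate, server tls.Certificate, client *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvConf := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // no verified chain, no session
	cliConf := &tls.Config{RootCAs: pool, ServerName: "service.example"} // hypothetical relying party
	if client != nil {
		cliConf.Certificates = []tls.Certificate{*client}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil {
		return "", err
	}
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			tc := c.(*tls.Conn)
			if err = tc.Handshake(); err == nil { // PeerCertificates is now a verified chain, leaf first
				_, err = tc.Write([]byte("hello " + tc.ConnectionState().PeerCertificates[0].Subject.CommonName))
			}
		}
		srvErr <- err
	}()
	// Dial completes the handshake, but under TLS 1.3 a client-certificate rejection only reaches
	// the client on its first Read, so the greeting is read before the outcome is judged.
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliConf)
	buf, n := make([]byte, 64), 0
	if err == nil {
		n, err = cli.Read(buf) // one record carries the whole greeting
		cli.Close()
	}
	ln.Close() // unblocks Accept if the client never connected
	if serr := <-srvErr; serr != nil {
		return "", fmt.Errorf("server rejected client: %w", serr)
	}
	return string(buf[:n]), err
}

// runScenarios builds a small PKI and tries three clients against one server: a trusted credential,
// no credential at all, and a same-named certificate from a CA the server does not trust.
func runScenarios() (greeting string, validErr, noCredErr, rogueErr error) {
	ca, caCred := issueCert("Demo Root CA", true, nil, nil)
	_, server := issueCert("service.example", false, ca, caCred.PrivateKey)
	_, alice := issueCert("alice", false, ca, caCred.PrivateKey)
	rogueCA, rogueCred := issueCert("Rogue CA", true, nil, nil)
	_, impostor := issueCert("alice", false, rogueCA, rogueCred.PrivateKey)
	greeting, validErr = handshake(ca, server, &alice)
	_, noCredErr = handshake(ca, server, nil)
	_, rogueErr = handshake(ca, server, &impostor)
	return
}

func main() { fmt.Println(runScenarios()) }
```

Two details are worth noticing. The private key never crosses the wire: the client’s CertificateVerify message is a signature over the handshake transcript, so a recording of one session proves nothing in another, which is exactly the replay property the password section above says usernames and passwords lack. And the impostor certificate carries the same CommonName as the genuine one yet is refused, because the server’s trust is anchored in the CA it was configured with, not in the name printed on the credential; the remaining work that a credentialing service has to do, distributing, storing and renewing such keys safely, is the part this snippet leaves out.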

It looks like exciting times are ahead, Intercede Labs is actively seeking partners to collaborate on this, and other security initiatives over the coming months – if you’re interested, contact the team for further information.

Highlights of Intercede’s Digital trust…or bust! event can be viewed here on our YouTube channel.