Ford Motor Rolls Out New Security Features To Prevent Car-HackingFord Motor Rolls Out New Security Features To Prevent Car-Hacking
Automaker enhances security for new lines of WiFi-enabled vehicles
March 8, 2010
Automobile giant Ford Motor this year will debut vehicles with built-in WiFi -- along with enhanced security features to prevent data breaches via its new cars.
Ford has offered the so-called Sync technology service it co-developed with Microsoft in most of its Ford, Lincoln, and Mercury vehicles since 2008. The technology lets drivers run their Bluetooth-enabled mobile phones and digital media players via their vehicles and use voice commands to operate them, for instance.
The automaker announced today that the second generation of its Sync technology -- due out later this year and to include a full Windows CE operating system with a new driver interface called MyFordTouch -- will come with a built-in browser and secured WiFi access. It will first debut in the 2011 Ford Edge and 2011 MKX Lincoln, and later, in the 2012 Ford Focus.
"We really began to focus on the security side when we began launching Sync, and it was [originally] for working with phones and media players," says Jim Buczkowski, director of Ford electronics and electrical systems engineering. "Now we're extending that system connectivity to include WiFi as another data path for customers in their vehicles ... and we're extending that security model for protecting WiFi."
The WiFi will be broadcast via Sync using a USB-based modem, and Ford has updated its on-board firewalls to protect both the WiFi network as well as the vehicle's operations. The WiFi network is set by default to WiFi Protected Access 2 (WPA2) encryption for secured access to the wireless network. It also will provide anti-malware protection for the MyFordTouch system.
Sukhwinder Wadhwa, manager of the Sync platform and technologies at Ford, says Ford doesn't consider security to be an add-on feature. "We work closely with the Ford enterprise IT security [group] to use basically the same guiding principals for security" as they use for the enterprise security, Wadhwa says.
"Any software is first verified by Ford engineers and signed by Ford enteprise servers before it gets installed [in the vehicles]," he says.
Wadhwa says Ford also uses internal ethical hacking teams as well as third-party consultants to test out the security of the Sync features.
"They are proud that they enable WPA2 and a firewall by default on the access point, perform pairing over Bluetooth, and have some arbitrary DRM for preventing swapping hard drives of MP3s. It all sounds like pretty vanilla stuff, anything a decent home network set-up has," says Nate Lawson, principal with Root Labs.
Wadhwa says Ford isn't aware of any car-hacking incidents with its vehicles to date. "We do not want to have any incidents in the first place," he says. "We are connecting consumer-grade devices [in the vehicle], and we want to make sure out of the chute we are protected from any bad devices out there, like memory sticks or whatever they put [into the vehicle]," he says.
Wadhwa says the hardware-based firewall technology is made up of two "separate entities" so that the consumer side of the firewall that handles what can connect can't pass information to the vehicle's processor, or vice versa. "
All of Ford's vehicles in the next five years will come with the secure WiFi option, according to Ford.
Meanwhile, the automaker's Sync service, which comes standard in some higher-end models and for an optional monthly fee in other models, already comes with phone-pairing protection, an encrypted jukebox hard drive for the driver's music library, a valet-mode option that locks all programmed navigation destinations from view, an engine immobilizer, and keyless entry features.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023
Everything You Need to Know About DNS AttacksNov 30, 2023