As 2023 draws to a close, it’s a given that 2024 will bring a whole new world of cyber security issues. As soon as manufacturers develop new technologies, or fix broken ones, cyber criminals develop counter techniques to break those technologies – and the motor industry is no exception.

For a number of years now, the advances in tech in our vehicles have accelerated rapidly, but attention to security has been slow to keep up.

Every manufacturer has had issues when it comes to vehicle security. In recent months, Jaguar Land Rover (JLR) has had a major issue with keyless thefts. The issue has become such a problem that many Range Rover owners have had insurance refused because thefts are such a common occurrence; in 2022 (according to DVLA statistics) Range Rovers were the 2nd most stolen vehicle in the UK.

Earlier this year, JLR had to scrap their own-brand insurance policy as their underwriters (Verex) refused to extend their policies. To combat this, JLR has now announced that they will provide their own policy under the title of Land Rover Insurance. This policy is now available for owners of Range Rovers, Land Rover Defenders, and Land Rover Discovery models.

The insurance scheme comes after JLR CEO Adrian Mardell told company investors in March that “theft of our vehicles in large cities has become a problem”, singling out London and Manchester as the two worst-affected locations.

Old architecture

Mardell said that “mostly old-architecture” (meaning previous-generation) cars were at risk of theft, and it’s these that will benefit from the company’s investment in improved security.

This year, JLR says it has upgraded the security of more than 65,000 cars built between 2018 and 2022, including those out of warranty, to ensure “the same levels of protection as current models. However, a sizeable amount are still outstanding; we’re still working hard to reach clients who haven’t yet taken up their updates”. 

Security updates

As mentioned above, thieves were targeting the keyless entry system and driving away without a key, but an update to the car’s Body Control Module (BCM) makes this no longer possible.

This technology means car keys don’t need to be stored in a Faraday pouch, but the company still recommends owners use the JLR app to make use of vehicle lock reminders and Guardian Mode, which sends an alert if there’s any “unauthorised interaction” with the car. 

Enter WP.29

WP.29, or to give it its correct title, “The UNECE World Forum for Harmonization of Vehicle Regulations”, is designed to provide the legal framework allowing Contracting Parties (member countries) to establish regulatory instruments concerning motor vehicles and motor vehicle equipment.

The regulations cover a vast array of items, ranging from pollution and noise to lighting, signalling, safety, autonomy, and security.

WP.29 is one of many vehicle safety programs being managed under the Vehicle General Safety Regulations (VGSR), which were introduced in 2022 to improve road safety and enable fully driverless vehicles in the EU.

WP.29 is an opt-in within GSR2 that the UK hasn’t yet signed up to. However, the vast majority of cars sold in the UK meet EU standards by default and it’s likely only a matter of time before WP.29 is adopted in UK law.

The regulations stipulate that all cars sold in the EU must be hardened against 70 potential cyber security risks. Those threats can be roughly grouped into hacking and physical system breaches, both intentional and accidental, and they cover the entire life of a car, from design to scrap yard.

WP.29 is particularly concerned with the hacking of car manufacturers’ back-end IT systems and servers, corrupted over-the-air updates, and theft of vehicle users’ personal data.

Accreditation process

All vehicle manufacturers have to submit a comprehensive cyber security risk assessment and risk management plan as part of the approval process. Certification lasts for three years, at which point manufacturers will have to re-submit their risk assessments. Any changes to the car’s hardware or software have to be certified as well.

Failure to comply with the regulations can result in a fine of €30,000 for every non-compliant vehicle sold.

Knock-on effects

Whilst these new security measures are to be applauded, members of various motor industry bodies have raised a few concerns about how the security will affect things like the second-hand market, the rental markets, and independent garages.

When selling or renting a vehicle, there will need to be measures in place that protect any personal data that may be held within the vehicle, such as mobile phone data, GPS data, camera footage, etc. So when selling a vehicle on to either a private buyer or a trade entity, there must be a way to quickly and easily erase all data pertinent to the seller. This is something already available in many vehicles, but it must be made obvious to the seller and purchaser that data has been purged.

Garages will have to have new, specialised IT systems to run diagnostics, and their own cyber security measures in place to ensure the safety and security of the data relating to these new “hardened” vehicles.

Access to the CAN bus will be harder and may require a unique PIN to be able to access data on the system.

The days of “chipping” a vehicle’s ECUs may be coming to a close, as the systems will need to be protected in ways that will lock out any after-market tinkering and may start to include encrypted communications that make tweaking settings something only the manufacturers can do.

WP.29 comes into effect in the EU on the 1st July 2024, so expect a flurry of information about new safety and security on vehicle adverts in the 1st quarter of the New Year.