Alexa, are you protected against cyber attacks?
Virtual assistant technology has improved steadily from its humble beginnings more than 30 years ago (does IBM Simon ring a bell?). Both at home and at work, today’s digital-savvy millennials have come to expect highly personalized services from AI-powered virtual assistants and chatbots.
Virtual assistants integrate machine learning and natural language processing to accept voice commands and perform the desired actions (e.g., play a song, open an app, set an alarm clock). The first modern digital virtual assistant installed on a smartphone was Siri (2010), quickly followed by Amazon’s Alexa, Microsoft’s Cortana and others. Since then, the technology has also found its way to smart homes, where virtual assistants are being used to control thermostats, lights and other IoT-enabled appliances remotely via smartphone apps.
As these AI-driven technologies continue to improve (ChatGPT represents the latest leap), new possibilities have opened up for innovative solutions across domains.
Amazon Alexa Brings Voice AI into Vehicles
Of particular interest for consumers is the integration of virtual assistants within vehicles. As cars increasingly become an extension of our home and office, drivers expect a way to be more productive while sitting behind the wheel – sometimes for hours every day.
To help drivers close the gap between car and home, vehicle manufacturers (OEMs) have begun to integrate voice-activated personal assistants, such as Siri (Apple CarPlay) and Alexa, and connect them to their vehicle systems. This enables drivers, for example, to remotely lock or unlock doors, start the engine, and adjust the cabin temperature before they leave the house. Or, if you had to leave home in a hurry, Alexa can lock your front door, turn on your porch light, and activate your alarm system from the front seat of your car.
While on the road, Alexa can make route recommendations and even help alleviate EV drivers’ biggest worry – finding the nearest charging station. Alexa not only directs you to the station, it can also pay for the service with a simple voice command.
The Growing Risk of Vehicle Cyber Attacks
Software-defined vehicles are no longer the future – they’re already here and will set the tone for the automotive industry in the years to come. The average number of lines of software code per vehicle doubled from 100 million in 2015 to 200 million in 2020 (source: Goldman Sachs). And with electrification and autonomous vehicles, this increase is expected to accelerate in coming years.
The growth in software-driven, connected vehicles increases their exposure to cyber risks. Vulnerabilities in in-vehicle software could lead to cyber attacks that compromise critical vehicle functionality and functional safety (e.g., airbags, braking system), possibly endangering lives and resulting in expensive recalls.
Over the past month, critical vulnerabilities have been found in several high-profile global car manufacturers, including remote execution on core systems and improperly configured SSO authentication. Researchers also discovered at least 20 API vulnerabilities affecting millions of vehicles from 16 manufacturers, potentially allowing hackers to remotely control, track, and transfer vehicles, start or stop engines, and leak personal information.
The current threat landscape, together with the need to detect and mitigate software vulnerabilities as mandated by UN R155 and other automotive cybersecurity regulations, places a premium on cybersecurity. Every line of code, connection, software-based service or OTA update requires OEMs to have the proper cybersecurity measures in place.
Securing Virtual Assistants Prior to Vehicle Integration
The integration of Alexa and other virtual assistants into our cars further expands vehicles’ ever-growing attack surface. Because these assistants interface with numerous vehicle functions as well as external connected devices (EV chargers, smart homes, etc.), they must be cyber-secure.
Amazon was among the first to recognize this essential security principle and implemented a strict set of security requirements that OEMs must comply with prior to integrating Alexa within their IVI systems.
These security measures tie in neatly with OEMs’ current efforts to align their systems with UN R155 requirements. This includes implementing security testing processes to ensure that third-party software is free of vulnerabilities and doesn’t introduce risks to vehicle safety or data privacy.
The First Amazon-Authorized Security Lab for Alexa Auto Integration
To ensure compliance with Amazon’s security standards, OEMs are mandated to conduct and pass a security assessment with one of Amazon’s authorized third-party labs. The assessment is based on the OEM’s ability to meet a comprehensive set of security requirements covering access control, software update mechanisms and vulnerability management, among others.
PlaxidityX is proud to be the first automotive-focused security vendor to be certified by Amazon as an authorized security lab for Alexa auto integration. This approval allows us to directly provide automotive-specific security testing services to OEMs looking to integrate Alexa within their vehicle systems. Leveraging extensive domain knowledge, cybersecurity know-how, and pentesting expertise, the PlaxidityX services team conducts independent security assessments to help OEMs meet the security requirements for Alexa Auto Integrations.