

In May, after nearly 10 years and 147,000 miles, I sold my 2008 Mazda CX-9. It was a great car for me and my family. Our new car is a truck, the Ram 2500. It’s a beast, not just in size and towing power, but a beast of electronics and connectivity. Sure, the 2008 Mazda had Bluetooth and a GPS, but cars today are so much more connected, with onboard services like WiFi, custom car applications, and even consumer applications like Yelp! Mind you, this is a Ram Truck I’m talking about, not a Tesla or a Prius.

With connectivity increasing and self-driving cars coming to the fore, how do we keep improving on the convenience while keeping it secure? For that we turned to Sam Shawki, the founder and chief executive officer of MagicCube, a digital mobile security start-up located in Silicon Valley. Prior to his current role, Sam was head of Visa’s Global Remote Payments business unit, where he drove the company’s global initiatives in mobile and remote payments. Before Visa, Sam served as Chief Innovation Officer of VimpelCom, the sixth largest mobile network operator in the world, with over 214 million customers in 18 countries.

We asked him about connected cars, mobile security, and what’s in store for the future.

When people talk about connected cars and especially self-driving cars, many worry about the safety around driving, without immediately thinking about the security behind all of the connections that are required for the connected car’s infrastructure to thrive. How does mobile security play a part?

Whether the smartphone is at the heart of what makes cars connected, or an embedded system created by automotive manufacturers like your car’s dashboard or even a digital car key takes over the identity hub, many of the car systems and subsystems are getting smart, which means such systems are now attackable.

What are some of the challenges car companies are facing today that may require different thinking?

The right technologies to protect these systems cannot come from legacy ideas like inserting a secure chip in each system or relying on pure encryption like white box or multi-party computation alone. It needs to be designed specifically for scale and with security specific to mobile and IoT deployments. This is the different thinking that the connected cars ecosystem has no choice but to embrace, and quickly.

What can car companies and governments learn from other industries when it comes to connected cars?

Security breaches in any industry should be viewed as a clarion call to the automotive industry. There are lessons to be learned there. For example, look at the recent eATM breach from the financial sector. This is believed to be related to technology that used legacy ideas that adhered to minimal security requirements. The difference between security breaches on ATMs and on self-driving cars, of course, is that a security breach on a car going 70 mph is truly a matter of life and death.

Who’s doing connected cars well?

It’s too early to tell. Many are on the right track, yet security remains a huge concern. I’m excited to see who figures this out first and our team is working hard to make sure MagicCube is empowering such success.

Your background is in payment technology. Does that throw people off when you talk to car companies about MagicCube?

Although I know a lot about it, my background is not on the financial side, but rather in innovating new technologies and business models across many industries. I was part of the initial teams at Netscape where we enabled the masses to experience being connected for the first time, Shoretel where VOIP for the enterprise was invented and at Siebel Systems where CRM and e-business were made mainstream. My experience at Obopay or Visa comes from my work in enabling the security and digitization, not the other way around. The beauty of such experience is that the financial industries historically pioneered other industries like aerospace and connected cars, and established standards that other industries adopt. This is helping us at MagicCube navigate industries where standards and protocols are just starting to take shape.

Explain how MagicCube came about and why it’s called MagicCube?

While running global remote payments for Visa, which was under the digital and innovation side of the business, Visa and MasterCard created tokenization and figured out how to secure those tokens by asking device makers like Apple to house the tokens in their hardware. In Apple’s case this became Apple Pay. The next logical step was to figure out how to secure the Visa and MasterCard tokens without having to depend on hardware. This is when we discovered that no solution existed and I was told it is impossible to have the same level of security in pure software. Given my background, I was motivated to solve this problem properly. In talking to Nancy Zayed, a distinguished engineer in her field, she figured out how to solve the problem using her years of operating systems knowledge at Apple, Cisco and other companies. Just to be able to visualize something virtual, the “cube” is what we called the secure software container that replaces the need for a hardware chip. Since we seem to have achieved a technology that we were told was impossible, what came to our minds was Sir Arthur C. Clarke’s quote, “Any sufficiently advanced technology is indistinguishable from magic.” Hence MagicCube.

Anything else you’d like to add?

I’m excited by the evolution and the social impact potential of self-driving cars. When it comes to autonomous cars, we still have a fair way to go, mainly because car systems will need to process data without attackers gaining any form of control on the car or any of its systems. That is where the success, and even the viability, of self-driving cars will be measured.

 

David Oro is the editor at IoT Central.

Comments

  • Hello David and Sam,

    A good way to prevent attackers from gaining control on a car or its systems is to only allow access to the data, and only indirectly.  Why should any person or program ever have access to the car itself, or any of its devices?  Mr. Shawki's thinking is correct here―when it comes to security for the IoT, legacy ideas have to give way to different thinking.  

    The traditional mind-set among financial and industrial applications is that connected systems must follow a server-client model.  The server has the data, and the client needs to connect to the server to get it.  However, applying this model to the IoT means that every automobile, refrigerator, light switch or kidney machine must expose an attack surface.  

    A better approach is to have the device send the information out to a secure location, and pick it up from there.  Rather than trying to secure thousands or millions of devices, just secure that location―a cloud service.  Programs or people who need access to the data can be authorized to access it from the cloud, never from the device itself.  And if necessary, they can still send data back to the device without exposing the device to attack.

    Science fiction?  No, this IIoT approach has been available for years in the industrial space.  Maybe connected cars can learn from industrial systems as well as IT.

    Bob McIlvride
    Skkynet
