In her front-page article “Your New Car’s Best Tech Feature May Be the ‘System Off’ Button” (Wall Street Journal, May 11, 2017), Christina Rogers raises several important points: one, that some of the safety features built into modern cars are so annoying to drivers that they turn them off and, two, that drivers are not able to operate critical functions if the driver-interface systems fail. I recently experienced such an interface failure when the family car’s touch-screen broke and we couldn’t adjust the radio or heating system. Fortunately, safety-related features were not affected directly in this case.
Interestingly, the Consumer Reports lab is conducting a fair amount of useful research into both driver-assist technologies and drivers’ responses to them. In the August 2017 issue, there is an article with the title “A Decision That Could Save Your Life” by Mike Monticello that discusses the latest safety technologies such as forward-collision warning and automatic emergency braking, and whether drivers found them helpful or annoying and the extent to which consumers are satisfied with the systems.
However, it is what the WSJ article implies rather than what it says that is of much greater concern. As electronic controls become more pervasive in road vehicles, safety-critical functions, such as braking, steering, accelerating and exiting the vehicle, become vulnerable to intentional or accidental malfunctions and failure of electronic controls, as well as to cyberattacks and manufacturer hacking, as with VW’s diesel emissions deception. While hackers have demonstrated that they are able to gain control remotely of many functions in newer vehicles, which could be a problem, I do not see such threats as dominant, especially as errors in design and coding are more likely to affect many vehicles at the same time than would an in-vehicle or remote hack. Regrettably, makers of automotive software do not sufficiently account for many security and safety aspects of their systems. It is time that much more stringent standards were developed and enforced, as they are with avionics.
While attacks against individual vehicles may be overly hyped, in my opinion, the prospect of take-over of traffic-management systems, as graphically illustrated in the movie “Live Free or Die Hard,” or of “cloud” systems, such as interference with GPS systems (as might have occurred in a couple of cases where Iran is suspected of diverting a U.S. drone and a naval ship), is of much greater concern due to their potential for creating havoc on the roadways.
Those designing and manufacturing advanced automotive and smart transportation systems need to anticipate everything (yes, everything) that could go wrong with their systems and determine how to protect against dangerous situations, whether such situations are intentional or not. And we need industry groups and government agencies to get ahead of the technology with universal standards and the means to enforce them effectively.
Another suggestion, noted in an article “The Weak Spot Under the Hood: The code that runs new cars is susceptible to manipulation, by hackers or automakers themselves” by D. Geller, H. Tabuchi and M. Dolan, appearing in the Sunday Business section of The New York Times as long ago as September 27, 2015, is to “open up the source code to the public,” which might have caught VW’s nefarious code earlier and might unearth other malware more quickly. However, there are two sides to that argument; the other being that open source code could make it easier for miscreants to fiddle with the systems. I believe that it would be better to have a trusted third-party scan program code for errors, intentional workarounds and malware rather than make source code of safety-critical software, in particular, available to everyone. Also, manufacturers are highly unlikely to want to share proprietary source code, which they see as providing competitive advantage.
It is clear that the current state of affairs with respect to policing and protecting automotive code in unacceptable. It’s about time legislators, regulators and industry groups took these issues more seriously and acted on their concerns. The risks relating to automotive and transportation-system software are only getting worse and mitigating those risks is becoming increasingly costly in terms of funds correct problems and the consequences of errors and hacks to human safety.
*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: http://www.bloginfosec.com/2017/09/25/where-auto-auto-security-and-safety-risks-lie/