What Will it Take to Accelerate Connected Car Security?

In late April, it was Volkswagen and Audi in the headlines, when their in-vehicle infotainment (IVI) systems were found vulnerable to remote hacking. By mid-May, it was BMW, in the thick of rolling out patches for 14 vulnerabilities discovered by a Chinese research team.

And in another couple of days, weeks, or months, it will inevitably be another automaker—because Volkswagen and Audi and BMW are not outliers. They are only a few recent examples that illustrate the security challenges involved in making vehicles part of the wave of connected systems.

Indeed, last August, it was the whole industry, confronted with a report by researchers that the CAN bus (essentially the central nervous system of the car) had a design flaw serious enough to let a hacker take control of a vehicle. The flaw, researchers said, was “vendor neutral” and couldn’t be patched until the next generation of vehicles rolled off the line.

About 18 months ago, researchers reported a vulnerability with Hyundai’s Blue Link app for mobile phones. And a couple of months before that, a similar defect was identified in the mobile apps for Tesla’s Model S. Researchers demonstrated that they could locate and track a car, open the doors, and enable its keyless driving functionality from a distance just by stealing the user’s authentication token.

And of course, we can’t forget the remote hacking of a Jeep in 2015, with a reporter driving, or rather, trying to drive it.

Bottom line? Connected cars promise, and to some extent have already delivered, greater convenience and prevention of accidents. But so far, they haven’t delivered the robust security needed in the tens of millions of lines of software code that run the sensors, functions, and communications in modern cars.

According to a 2016 VDC Research white paper, many original equipment manufacturers (OEMs) are struggling to evolve and adapt R&D resources as engineers expect the amount of in-house code to grow nearly 20 percent in upcoming projects.

Many OEMs lack enough software engineers and development best practices to scale effectively. All the while, vehicles remain a “target-rich environment” for hackers. If they are penetrated, they could allow surveillance, theft of personal information, and yes, catastrophic physical harm.

Amid all the ominous signals, however, are encouraging signs. The automotive industry is not just aware that it has a problem—it is responding to it. Multiple industry groups are working on standards for themselves and their supply chains.

Still, it won’t be easy, and it will take time. The challenges of connected vehicle security are as vast and varied as both the industry and the internet. Modern cars have more than 150 computers and sensors that control everything from accident avoidance to brakes, steering, and acceleration. They are an amalgamation of open source software components, commercial or outsourced components, and propriety code that glues them all together—a system of systems, with tens of millions of lines of code originating from up to hundreds of sources in a complex software supply chain.

The attack surface they offer is broad. It comprises not just the IVI, the CAN bus, and mobile apps. It can also involve the onboard diagnostics (OBD-II) port, which is under the steering column of every domestic U.S. car built since 1996.

In fact, a couple of years ago, Carnegie Mellon released a report commissioned by the federal Department of Homeland Security (DHS) that found a laundry list of compromises possible through the OBD-II interface, ranging from locking and unlocking doors to turning the vehicle on or off and affecting vehicle GPS tracking.

So what should the industry be doing? In some ways, it’s already started, in pushing for standards and focusing on better security in the supply chain.

Another promising development is the impending move to an Ethernet protocol that will replace the CAN bus protocol. But an Ethernet protocol comes with its own vulnerabilities and security challenges. It will require more active methods of protection and building security in from the beginning of the design of the network architecture.

Some companies are also offering over-the-air (OTA) software updates, which is a great concept but not nearly as simple as patching your computer. With computers, you simply download an update, reboot, and move on. With vehicles, software updates can be far more complicated, in part because there are so many interactions between different subsystems, even if they are from the same manufacturer.

The key takeaway here is this: Vehicle manufacturers know that if a vehicle is disabled or taken over by hackers, it is worse than useless—it can become a weapon. Consequently, they’re aware that robust software security is as important as any other safety system on vehicles: seat belts, backup cameras, ABS, and so on.

I’ll leave you with a point of optimism identified by VDC Research. They found that as of 2016, integrated IDE security, configuration management, and static analysis were the most prevalent types of tooling used in current automotive software projects. This is a good sign that manufacturers are literally building security in from the beginning.