Even though auto software security is important to the industry, a new report shows that the lack of resources means connected cars can be dangerously unsafe.
The original version of this post was published in Forbes.
The “connected” car—as in, connected to the Internet—is now mainstream. Ads for modern vehicles are filled with aggressive promotion of features that require connections to the online world—lane assist, GPS, collision avoidance, automatic calls to 911 if there is a collision.
They are also rich in physical safety features—seatbelts, airbags, antilock brakes and more.
But a report out this week by the Ponemon Institute, titled “Securing the Connected Car: A Study of Automotive Industry Cybersecurity Practices,” found that they are not so rich in software security. When it comes to what is needed for safe operation in an online world, those vehicles are not yet ready for prime time.
The report is based on a survey of 593 security practitioners, product development professionals and engineers within the industry.
Perhaps the most encouraging finding is that a majority of respondents are very much aware of the problem. More than two-thirds said the need for better cybersecurity is “urgent,” for obvious reasons: 62% said they think a malicious or proof-of-concept attack against automotive software, technology or components is very likely in the next 12 months.
But other key findings are less encouraging:
The significance of all this should also be obvious. The modern vehicle is a computer—actually dozens to more than 100 computers—containing more than 100 million lines of code that control everything from the infotainment system to safety systems like steering, acceleration and brakes.
That makes automotive manufacturers software companies just as much as they are transportation companies.
And software vulnerabilities could undermine the safety of those systems and features: Anything online is a target for cyber attackers. A hacker can put not just users’ personal information at risk, but their physical safety as well. Software security is easily as important as seat belts, airbags and antilock brakes.
These risks are not just theoretical. Security researchers Charlie Miller and Chris Valasek made international headlines four years ago when they remotely hacked into a Jeep Cherokee driven by a reporter for Wired magazine. They took control of the air conditioning, wipers, accelerator and brakes from 10 miles away. But they could have done the same thing from thousands of miles away.
The message at last year’s RSA Conference in San Francisco was much the same: Sergey Kravchenko, senior business development manager, future technologies, at Kaspersky Lab, said his firm had demonstrated that hackers can get control of vehicle functions like door locks, brakes and the engine. They can track a vehicle’s location through the GPS.
Still, even with multiple anecdotes like those, there has been a lack of the comprehensive data needed to understand the industry’s overall cybersecurity posture and its capability to address software security risks inherent in connected vehicles.
This report, commissioned by Synopsys and SAE International, is meant to address that gap.
Tim Weisenberger, project manager, technical programs, Global Ground Vehicle Standards at SAE, said the results provided “empirical data to validate our hunches,” which included not just problems but good news as well.
“The industry really is aware of the cybersecurity threats it’s facing in the entire ecosystem of interconnected vehicles,” he said. “Their resources may be applied a bit more thinly than they’d like, but they’re very aware of their strengths and shortcomings. I think they’re pointed in the right direction.”
And Chris Clark, principal security engineer, strategic initiatives, at Synopsys, said while the survey showed there is still much to be done, “this is not necessarily a negative thing. It’s pretty typical of what we see in other industries—it’s in the process of becoming more mature.”
Much of that maturity, both said, could come from a shift in two areas: perception and development.
The shift in perception, they said, is to move from thinking that security testing is simply an expense with no payback to realizing that it is an investment that will pay dividends with better functioning of components and far less risk to owners—risks that could result in brand damage, expensive recalls and perhaps even more expensive liability.
The shift in development would be what the security industry calls a “shift left”—to make security testing part of product development from the beginning and throughout the development life cycle, not just at the end.
Testing is an expense, Clark acknowledged. “But it is clear that effective testing is happening far too late. For the majority, testing is post product release, which can lead to a 6x–14x increase in cost.
“If we start to shift left—moving that testing earlier and earlier—we start to see a reduction in cost. Eventually it gets to where cybersecurity is just one of the standard processes, like safety testing for a vehicle. The time and expense will pay off,” he said.
And in spite of a significant list of weaknesses that need major improvement, Clark said auto manufacturers shouldn’t be upset about it. “They should look at this as a growth opportunity versus a threat to their industry,” he said.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.