Posted by Synopsys Editorial Team on November 7, 2017
Picture this: you’re driving your newly purchased, fully equipped, top-of-the-line automobile. You’ve just filled your tank, thanks to the crowdsourcing app GasBuddy, and you’re about to begin the commute to work. But first, coffee. Thanks to SYNC3, Ford’s latest infotainment system, you easily order by stating “Alexa, ask Starbucks to start my order.”
Your connected car and the barista waiting on the other end of the app happily oblige, and before you know it, your usual drink order is waiting at the Starbucks location closest to work. You drive through with ease; the only words exchanged between you and the barista are a simple thank you. This “day-in-the-life” anecdote isn’t where technology is going; it’s where technology is today. Developers and auto manufacturers have combined to produce an entirely new experience for motorists. However, it raises the question: how do these features work?
A car can run on millions of lines of code that keep it, and its passengers, safe, connected, and on time. Back-up sensors, infotainment systems, and tire-pressure monitoring all run on a mixture of open source and proprietary code. Code is code; if vulnerabilities exist, code can be hacked. Using open source code doesn’t make these cars any easier or harder to hack. If anything, the use of open source has made the development process of these vehicles much more efficient. However, the momentum of the automotive industry could come to a screeching halt if a hacker exploited a vulnerability in an unpatched vehicle or, worse yet, across an entire car model or manufacturer.
As with any other application under development, it is vital that the code in use is continuously scanned for vulnerabilities. The software development life cycle for a vehicle doesn’t end when the car drives off the lot. As Jeep hackers Chris Valasek and Charlie Miller showed the auto industry in 2015, vulnerabilities can be exploited while a car is being driven. It is now up to the auto manufacturers and any entity involved in the development of the vehicle to properly vet and remediate the vehicle’s software before an exploit can occur.
The manufacturing of vehicles presents a unique challenge to the typical development processes that software developers are accustomed to. For example, Apple can push out application updates and patches as vulnerabilities are discovered. It then becomes the responsibility of the iPhone’s owner to push “Download and Install” until they upgrade to a new unit a few years later. A piece of hardware that is traveling down the interstate at 70 mph is a different story, especially when you consider that the average lifetime of a vehicle is ten years, not two. Over-the-air updates are not always possible or practical, and the average driver won’t know that their vehicle is vulnerable unless they receive a recall notice.
So, what can vehicle manufacturers do? Because the use of open source is pervasive across the automotive industry and is essential to the development of differentiating features, it’s important to continuously check the code to ensure the safety of passengers. Our eBook, the Connected Car Security Report, can help inform you of the risks associated with connected vehicles and guide you on the measures companies can take to ensure the safety of passengers.