The auto industry constantly debuts new entertainment and safety features, but how secure is connected car software? How do you build in connected car security?
Picture this: You’re driving your new, fully equipped, top-of-the-line automobile. You’ve just filled your tank, thanks to the crowdsourcing app GasBuddy, and you’re about to begin the commute to work. But first—coffee. Thanks to SYNC3, Ford’s latest infotainment system, you easily order by stating, “Alexa, ask Starbucks to start my order.”
Your connected car and the barista waiting on the other end of the app happily oblige, and before you know it, your usual drink order is waiting at the Starbucks location closest to work. You drive through with ease; the only words exchanged between you and the barista are a simple thank-you. This “day in the life” anecdote isn’t where technology is going; it’s where technology is today. Developers and auto manufacturers have combined forces to produce an entirely new experience for motorists. However, these new features raise the question: How do they work?
The lines of code that keep a car, and its passengers, safe, connected, and on time can run into the millions. Back-up sensors, infotainment systems, and tire-pressure monitoring are all run on a mixture of open source and proprietary code. Code is code; if it contains vulnerabilities, it can be hacked. Open source code doesn’t make these cars any easier or harder to hack. If anything, the use of open source has made the development process for these vehicles much more efficient. However, the momentum of the automotive industry could come to a screeching halt if a hacker exploited a vulnerability in an unpatched vehicle—or worse yet, all vehicles of a particular model or manufacturer.
In applications for vehicles, just as in any other applications being developed, it is vital that the code be continuously scanned for vulnerabilities. The software development life cycle for a vehicle doesn’t end when you drive a car off the lot. As Jeep hackers Chris Valasek and Charlie Miller showed the auto industry in 2015, vulnerabilities can be exploited while a car is being driven. It is now up to the auto manufacturers and all other parties involved in the development of a vehicle to properly vet and remediate the vehicle’s software before an exploit can occur.
The manufacturing of vehicles presents a unique challenge to the typical development processes that software developers are accustomed to. For example: Apple can push out application updates and patches to iPhones as vulnerabilities are discovered. iPhone owners only have to click “Download and Install” until they upgrade to a new unit a couple of years later. A piece of hardware that is traveling down the interstate at 70 mph is a different story, especially when you consider that the average lifetime of a vehicle is ten years, not two. Over-the-air updates are not always possible or practical, and average drivers won’t know that their vehicles are vulnerable unless they receive a recall notice.
So what can vehicle manufacturers do? Because the use of open source is pervasive across the automotive industry and essential to the development of differentiating features, it’s important to continuously check the code to ensure the safety of its passengers. The Connected Car Security Report will inform you of some of the risks associated with connected vehicles, and guide you on what measures you can take to ensure the safety of passengers.