Posted by Jim Ivers on October 6, 2016
Originally posted on SecurityWeek
Fall is a great time of year. The kids go back to school. The weather begins to cool and the leaves change. Lord Football returns to his autumnal throne. Television shows return for a new season.
Fall is also the traditional time when the automakers release their model year vehicles. Amid all of the shiny metal and glass, it is electronics that automakers are increasingly using to differentiate their offerings. Driving the electronics within each vehicle is software, and the amount of software in automobiles is growing exponentially.
One has to wonder if this year’s consumers will look beyond horsepower and gadgetry and, for the first time, make security a criterion for their selection. I’m not talking about door locks or the ability to find a stolen vehicle. I’m talking about software security.
Software is not new to vehicles. My brother is a great vehicle mechanic who rebuilds vintage motorcycles, which he often buys in boxes. He was a demonstrable tipping point for me when he told me that the software diagnostics in newer vehicles and the amount of solid state components made him hang up his car-fixing tools. This was fifteen years ago.
The latest angle to all of this software is connectivity. For those of us in IT security (aka cyber) we know that connectivity means infiltration. We also know that software will have vulnerabilities. The combination of software and connectivity means that there is a path for bad guys to exploit those vulnerabilities—including the ones in your car.
I was talking to a bright millennial about cars recently and was shocked by his stance. He was willing to pass on advanced electronics and other features for security. He was looking at older cars with minimal or no connectivity so he would not run the risk of having his vehicle hacked.
For some, this may seem like an extreme position, but I don’t think he is alone. There have been scores of public vehicle hacking demonstrations, and the associated publicity has seeded awareness of automobile security into the public discourse. As more news about the hacking of automobiles emerges, consumers are increasingly aware of the risks.
As soon as the automakers see a pattern of buying decisions based on security considerations, I am quite certain they will respond. In fact, while I was writing this article, Volkswagen announced they had created a new company dedicated to the security of next-generation (connected) vehicles. Volkswagen put wood behind the arrow by hiring three Israeli security experts to head the company. I take this as an indication that Volkswagen sees security as a factor in car buying behavior.