Posted by Rob Hawkins on August 2, 2017
Fiat Chrysler Automobiles (FCA) announced recently that it was recalling 7,802 Dodge Challengers to “update transmission software,” in response to vehicle movement (“rolling”) after drivers shifted into park. While 7,802 pales compared to the 811,000 recalled from inadvertent “rolling” last year, the concept of pulling cars away from customers for a software upgrade is beginning to catch broader attention. Investment banking firm Stout Risius Ross reported that software issues accounted for 15% of total recalls in 2015, up from 5% in 2011.
Minimizing recalls, which overall totaled more than $900M for General Motors (GM) alone in 2016, would be a significant cost saving opportunity. One remedy for software related recalls is Over the Air (OTA) updates, which would eliminate the need to bring vehicles into dealerships for software updates and allow data driven improvements to minimize maintenance. According to IHS Markit, OTA updates could save the global automotive industry more than $35B by 2022.
The challenge is that, while many automakers already have OTA capability in infotainment systems, the rest of the vehicle is still out of reach for OTA updates (although still vulnerable to attacks). No wonder GM announced this week that it is targeting to have OTA updates to engine software by 2020. On the other end of the spectrum, Tesla has built a connected car from the ground up and is well aware of how OTA updates can be used to add value to the vehicle throughout its life, including sending security patches to software vulnerabilities identified by researchers.
Tesla is also well aware of the public’s growing concern over the security of connected vehicles, as noted by the news coverage of the breach revealed at last week’s Black Hat conference. Even Hollywood has been eager to sensationalize what a cyber attack on connected cars would look like. Many firms have taken notice. Waymo’s public awareness campaign in Arizona, along with others across the industry, may be preemptive efforts to try to curb any backlash and demonstrate the industry’s awareness of the value of positive consumer (and voter) sentiment. To maintain favorable public perception for the 160M connected cars with advanced OTA capabilities by 2022 (according to IHS), similar investments must be made in less consumer facing aspects, specifically cybersecurity.
Continuous monitoring of open source code is a critical step in the security fabric of these hardware assets that will be on the road for over a decade. During that long useful life, many new vulnerabilities will inevitably be identified, and industry players must respond quickly with software updates that keep drivers safe (hopefully via OTA update). Knowing code composition through continuous monitoring will be critical for fast and efficient responses.
Get the latest Software Integrity news, thought leadership, and more.