Why the automotive industry must take the wheel on software security
Security is the new must-have car accessory. This doesn’t refer to door locks or car alarms, but rather software security. When you hear about software security you tend to think of computer software, not software in cars.
However, software is not new to vehicles. As the connected cars become more of a reality, manufacturers can’t afford to be complacent when it comes to software and app security, as evidenced by the hacking of the Mitsubishi Outlander hybrid.
Back in June, Mitsubishi was urged by security researchers to recall at least 100,000 cars after hackers were able to remotely turn off the alarm system, control the lights and drain the battery.
Ken Munro, the security expert leading the investigation on Mitsubishi, found he could geolocate a car and track it, meaning a hacker or thief would easily be able to do the same. Mitsubishi is just one example but other car manufacturers have suffered similar problems.
The latest angle to software is connectivity. It is well-known in the cyber-security industry that connectivity means infiltration, and that all software will have vulnerabilities.
With the emergence of connected cars, the combination of software and connectivity means there is a potential path for hackers to exploit. Rather than accessing personal or confidential data, connected car hackers can take control of the vehicle, making unexpected stops or turns, which could result in an accident.
As a result, consumers are beginning to pass on advanced electronics and other features in favour of security. At the RSA Conference in Spring 2016, it was stated that 51% of consumers are hesitant about autonomous or self-driving vehicles.
Consequently, some are reverting back to older cars with minimal or no connectivity to avoid running the risk of having their vehicle hacked.
This may be seen as an extreme stance to take however, as more news about the hacking of vehicles emerges, consumers are increasingly aware of the risks in vehicle security.
Many also feel the vehicle manufacturer holds responsibility for securing a vehicle from hacking.
The importance of updates
Even with software security installed in cars, drivers will not be completely safe from a potential hacking unless the software is monitored and regularly updated. Like any other software, avoiding updates will allow hackers to access data, enabling them to control key car components.
Furthermore, even with such security in place, hackers will always try to identify and exploit new vulnerabilities. In order to prevent the hacker from doing just that, it is essential that the in-vehicle systems continue evolving and learning new ways to fight back.
For this to happen, the software in the connected cars needs to be continuously updated. The most effective way to do this is to use over-the-air (OTA) updates that will ensure connected cars always have the latest cybersecurity features.
It could be said that once automakers identify a pattern of buying decisions based on security considerations, they will respond to the new consumer demands.
In September, Volkswagen announced it had created a new company dedicated to the security of next-generation (connected) vehicles. Volkswagen concentrated a huge amount of effort on this, hiring three Israeli security experts to head the company and to further develop its cyber security capabilities.
This indicates that Volkswagen sees security as an important factor in car buying behaviour.
The auto industry has seen this sort of evolution before. Before the 1970s, fuel efficiency was not a huge consideration as it was so cheap; it did not become part of the buying criteria in the US until the fuel shortages in the late 70s.
Likewise, safety was not widely considered until automotive companies like Volvo and Mercedes differentiated themselves by stressing the safety of their vehicles.
Following this, the car-buying criteria of the consumer changed, forcing other car manufacturers to respond. Nowadays fuel efficiency and crash test data are more highly considered than the shiny accessories and added extras.
Overall, consumers want a car safe from all complications, security attacks or malfunctions.
So far, software security has resisted the establishment of a commonly applied certification, but consumer influence could have a similar effect as with fuel efficiency and safety, consequently pushing big car companies to introduce and follow new security criteria.