SecurityWeek

Vulnerabilities

The Latest Must-Have Car Accessory: Security

Fall is a great time of year. The kids go back to school. The weather begins to cool and the leaves change. Lord Football returns to his autumnal throne. Television shows return for a new season.


Fall is also the traditional time when the automakers release their model year vehicles. Amid all of the shiny metal and glass, it is electronics that automakers are increasingly using to differentiate their offerings. Driving the electronics within each vehicle is software, and the amount of software in automobiles is growing exponentially.

One has to wonder if this year’s consumers will look beyond horsepower and gadgetry and, for the first time, make security a criterion for their selection. I’m not talking about door locks or the ability to find a stolen vehicle. I’m talking about software security.

Software is not new to vehicles. My brother is a great vehicle mechanic who rebuilds vintage motorcycles, which he often buys in boxes. He was a demonstrable tipping point for me when he told me that the software diagnostics in newer vehicles and the amount of solid state components made him hang up his car-fixing tools. This was fifteen years ago.

The latest angle to all of this software is connectivity. For those of us in IT security (aka cyber) we know that connectivity means infiltration. We also know that software will have vulnerabilities. The combination of software and connectivity means that there is a path for bad guys to exploit those vulnerabilities—including the ones in your car.  

I was talking to a bright millennial about cars recently and was shocked by his stance. He was willing to pass on advanced electronics and other features for security. He was looking at older cars with minimal or no connectivity so he would not run the risk of having his vehicle hacked.

For some, this may seem like an extreme position, but I don’t think he is alone. There have been scores of public vehicle hacking demonstrations, and the associated publicity has seeded awareness of automobile security into the public discourse. As more news about the hacking of automobiles emerges, consumers are increasingly aware of the risks.

As soon as the automakers see a pattern of buying decisions based on security considerations, I am quite certain they will respond. In fact, while I was writing this article, Volkswagen announced they had created a new company dedicated to the security of next-generation (connected) vehicles. Volkswagen put wood behind the arrow by hiring three Israeli security experts to head the company. I take this as an indication that Volkswagen sees security as a factor in car buying behavior.

I can say that my thinking has certainly evolved. I had a co-worker who purchased a Porsche that featured steering by wire. Instead of the steering wheel being mechanically connected to the steering mechanism, sensors in the steering wheel sensed the direction and speed of the movement of the wheel, and processors translated the sensor data into physical activation of the steering mechanism.


My first thought was, “I hope there are redundant systems.” I have been around software and electronics long enough to know failure is a very real option. That was four years ago. I wonder, after the hacking demonstrations on braking systems and other critical functions, what my first reaction would be today. I might actually consider the security of the software before I questioned the reliability. 

The auto industry has seen this before. When I first started driving, fuel efficiency was not a huge consideration at $0.19 a gallon. Sure, some people calculated the miles per gallon, but fuel efficiency did not become a real buying criterion until the fuel shortages of the late 70s. When automakers like Volvo and Mercedes differentiated themselves through the safety of their vehicles, consumers forced the other automakers to respond. Crash test data is now a critical measuring stick for vehicle selection. It is notable that fuel efficiency and crash test data are now more prominent on a new car window sticker than the shiny accessories and extras.

When will automakers speak up about the measures they have taken to test the software embedded in their vehicles? So far, software security has resisted the establishment of a commonly applied certification, but consumer influence could push automakers to create some criteria. After all, safety claims were largely subjective until crash test ratings were created.

So, as the temperature begins to cool and you are parked in front of your TV to watch football, pay attention to the new vehicle commercials. You’ll see a fair share of husky pickup trucks hauling important stuff to ranches and oil rigs. You’ll see sleek cars turning the heads of others as the driver smugly looks ahead to some distant horizon. And you’ll likely see Matthew McConaughey doing something inexplicable and completely unrelated to cars. 

But what you might also see is the first mention of security and steps taken to protect against infiltration and exploitation of the vehicle software. That would give Mr. McConaughey something really worth contemplating.
