Fall is a great time of year. The kids go back to school. The weather begins to cool and the leaves change. Lord Football returns to his autumnal throne. Television shows return for a new season.
Fall is also the traditional time when the automakers release their model year vehicles. Amid all of the shiny metal and glass, it is electronics that automakers are increasingly using to differentiate their offerings. Driving the electronics within each vehicle is software, and the amount of software in automobiles is growing exponentially.
One has to wonder if this year’s consumers will look beyond horsepower and gadgetry and, for the first time, make security a criterion for their selection. I’m not talking about door locks or the ability to find a stolen vehicle. I’m talking about software security.
Software is not new to vehicles. My brother is a great vehicle mechanic who rebuilds vintage motorcycles, which he often buys in boxes. He was a demonstrable tipping point for me when he told me that the software diagnostics in newer vehicles and the amount of solid state components made him hang up his car-fixing tools. This was fifteen years ago.
The latest angle to all of this software is connectivity. For those of us in IT security (aka cyber) we know that connectivity means infiltration. We also know that software will have vulnerabilities. The combination of software and connectivity means that there is a path for bad guys to exploit those vulnerabilities—including the ones in your car.
I was talking to a bright millennial about cars recently and was shocked by his stance. He was willing to pass on advanced electronics and other features for security. He was looking at older cars with minimal or no connectivity so he would not run the risk of having his vehicle hacked.
For some, this may seem like an extreme position, but I don’t think he is alone. There have been scores of public vehicle hacking demonstrations, and the associated publicity has seeded awareness of automobile security into the public discourse. As more news about the hacking of automobiles emerges, consumers are increasingly aware of the risks.
As soon as the automakers see a pattern of buying decisions based on security considerations, I am quite certain they will respond. In fact, while I was writing this article, Volkswagen announced they had created a new company dedicated to the security of next-generation (connected) vehicles. Volkswagen put wood behind the arrow by hiring three Israeli security experts to head the company. I take this as an indication that Volkswagen sees security as a factor in car buying behavior.
I can say that my thinking has certainly evolved. I had a co-worker who purchased a Porsche that featured steering by wire. Instead of the steering wheel being mechanically connected to the steering mechanism, its sensors in the steering wheel sensed the direction and speed of the movement of the wheel and processors. This translated the sensor data into physical activation of the steering mechanism.
My first thought was, “I hope there are redundant systems.” I have been around software and electronics long enough to know failure is a very real option. That was four years ago. I wonder, after the hacking demonstrations on braking systems and other critical functions, what my first reaction would be today. I might actually consider the security of the software before I questioned the reliability.
The auto industry has seen this before. When I first started driving, fuel efficiency was not a huge consideration at $0.19 a gallon. Sure, some people calculated the miles per gallon, but fuel efficiency did not become a real buying criteria until the fuel shortages of the late 70s. When automakers like Volvo and Mercedes differentiated themselves through the safety of their vehicles, consumers forced the other automakers to respond. Crash test data is now a critical measuring stick for vehicle selection. It is notable that fuel efficiency and crash test data are now more prominent on a new car window sticker than the shiny accessories and extras.
When will automakers speak up about the measures they have taken to test the software embedded in their vehicles? So far, software security has resisted the establishment of a commonly applied certification, but consumer influence could push automakers to create some criteria. After all, safety claims were largely subjective until crash test ratings were created.
So, as the temperature begins to cool and you are parked in front of your TV to watch football, pay attention to the new vehicle commercials. You’ll see a fair share of husky pickup trucks hauling important stuff to ranches and oil rigs. You’ll see sleek cars turning the heads of others as the driver smugly looks ahead to some distant horizon. And you’ll likely see Matthew McConaughey doing something inexplicable and completely unrelated to cars.
But what you might also see is the first mention of security and steps taken to protect infiltration and exploitation of the vehicle software. That would give Mr. McConaughey something really worth contemplating.