Challenges of securing cars

Interestingly Autocar's Matt Prior has just written on the subject - here

Following on from my earlier post about the challenges of securing the software used in cars, here's my thoughts in more depth:

The car just becomes another piece of software to maintain - You may well have seen a number of stories in the press recently about software in cars being hacked.  The biggest story was the one affecting Jeep, needing to recall 1.4m vehicles (link).  The details of the hack are scary, in that the security researchers that found the vulnerability didn’t need physical access to the car, just a connection to the Sprint mobile network, and then could target any of the 1.4m Jeep vehicles.  It’s staggering to think this level of security testing wasn’t undertaken by the vendor.

However Jeep weren’t the only company found out recently.  Ford (link) and BMW (link) have also had to release security patches.  What concerns me most is; what appears to be happening to the car industry now is what happened to the software industry about 15 years ago, when Microsoft was in the press almost weekly with reports of it terrible software security.  Back then in 2002 Bill Gates wrote the famous ‘Trustworthy computing memo’ which stated “… if we don’t do this, people simply won’t be willing - or able - to take advantage of all the other great work we do,”.  Microsoft took the unprecedented decision to stand down all 9,500 Windows developers for 8 weeks to focus purely on security. (1,300 man years of work). 

However with car manufacturers having to integrate diverse vendor’s software (infotainment, ABS, Steering, Throttle, climate control, stability, traction control systems, all of which may be written by different suppliers), not only so they work safely (although that doesn’t always work - see this long and very scary article on Toyota which essentially says it wasn’t even possible to test if their software was roadworthy).  Alongside the challenge of integrating disparate software, which is certainly not a skill most car makers will have extensive experience of, combined with needing to think about security at all stages, rather than just testing before the car gets released, is a huge mind-shift change, and one illustrated by the Microsoft example that takes time and huge investment, neither of which the car industry has.  The final danger is that the motor industry is a very marketing and consumer demand led business, so I can easily see a situation when ease of use for the customer trumps security, and weaknesses are consciously built into systems, making them far easier to attack.

What can be come about this? well it will be interesting to see how the industry evolves.  Tesla, so often the darling of the car industry was also shown to have vulnerabilities this week, but this required physical access to the vehicle which is much less of worry.   Tesla are in a better position as software was designed in from the inception of the vehicle so the design team are already thinking about security from the when the car was on the (virtual) drawing board.  I wonder if traditional car manufacturers can keep up with the software development world, This article on LinkedIn (link) illustrates the number of lines of code in a modern car (a staggering 100 million), which is greater than the combined lines of code of a Boeing 787, the space shuttle and Windows Vista, which I find a terrifying statistic.

Tesla are turning this to their advantage.  A recent tweet from Elon Musk their charismatic CEO told owners of their P85D cars “0-60 acceleration time will improve by ~0.1 sec soon via over-the-air software update to invertor algorithm”.  While quite cool that you get additional performance ‘for free’, and they are currently talking about adding a collision avoidance feature in a future update, it does ask an interesting question of insurers. 

Historically when you bought your car the features stayed constant over its lifetime, so insurers needed little data beyond make, model and year.  However with the concept of over-the-air updates how will insurers price car insurance? Will you need to declare that your car is running the latest firmware or to have to guarantee that you will keep in updated within 30 days of an update being released ?  And as we all know from updates to our mobile devices you probably don’t want to upgrade on day one in case there’s a bug in the software which renders your car un-driveable.  This is certainly a topic that's going to gain many more column inches over the coming months.