Connected cars are here, but a recent study suggests they may not be ready.
The problem? Security, of course. Research from The Ponemon Institute indicates that 84 percent of those surveyed from the automotive industry are concerned that software security is not keeping pace with the evolving technologies automakers are adopting.
What’s more, 30 percent said they don’t even have an established security team devoted to product development, and 63 percent said they test less than half of the technologies they use for vulnerabilities. This despite the fact that 62 percent said they expect a malicious or proof-of-concept attack against automotive technology within the next year.
“When we talk about the potential for disaster, these numbers are unacceptable,” said Ponemon Institute Founder Larry Ponemon in prepared comments shared via video during a well-attended session Wednesday at the RSA Conference in San Francisco.
This lack of focus on security becomes even more alarming when considering how much technology is embedded in modern vehicles. The race to connect vehicles is driven in large part by safety, as connectivity powers features such as lane assist and collision avoidance.
“The average modern day car has 130 million lines of code, so you can see that cars are just rolling off the assembly line,” Ed Adams, CEO of software security training firm Security Innovation, told the gathered attendees. Adams and Ponemon were jointly presenting the findings of Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices, a study Ponemon completed early this year on behalf of Synopsys.
Worse, it’s not just what automakers are doing or not doing that’s of concern; it’s also what they will or won’t be doing down the line. Another of the study’s findings speaks loudly to this: just 33 percent of the surveyed automakers said they educate their developers on writing secure code.
“It’s very concerning,” said Ponemon. “This could be a big problem.”
In fact, it’s already looking to be a potential marketing issue, as 28 percent of the consumers who were surveyed said they’d never again buy a car from any brand that had been hacked. And those consumers indicated they take security seriously. They were asked to rank on a 1 to 10 scale their level of concern about various aspects of connected cars, and the average score for security was 6.68, implying significant fear.
As this debate, and the work behind the scenes on connected cars, continues, the U.S. Department of Transportation has been moving ahead on its own approach to road safety by pushing for implementation of V2V (or vehicle-to-vehicle) broadcast systems. Using the open-source Dedicated Short Range Communications wireless protocol, this technology constantly broadcasts anonymous data about a vehicle’s location, speed and trajectory to provide alerts to drivers about potential collisions.
It broadcasts this data 10 times per second, and Adams noted that there is no central trust authority, although the technology is designed with privacy in mind. There is no logging of data, and no information about the vehicle make or the driver is broadcast.
V2V is currently being pilot tested in Michigan, New York and Wyoming, as well as in numerous locations in Europe and Asia. Adams estimates the technology adds about $300 to the cost of producing a vehicle, and will first appear as a feature in higher-end vehicles.
Additionally, Sen. Ed Markey (D-Mass.) has championed the unfortunately named SPY Car Act (for Security and Privacy in Your Car), which seeks to incorporate cyber security and privacy standards into vehicle production, as well as a dashboard sticker that will show how well a given car protects security and privacy.
Adams said one of the remaining challenges to making initiatives like the V2V and the SPY Car Act work is the inherent difficulty in effectively in managing governance of public key infrastructure without a centralized trust authority. He even suggested that blockchain may be a possible solution.
In the meantime, there are reasons to take a breath and have faith that the problems facing connected vehicles will be addressed. For one thing, Adams said he’s seeing plenty of evidence that vehicle manufacturers have been increasingly proactive in addressing the security challenges, such as investing more in educating developers on how to write secure code.
Additionally, the V2V pilot programs are proving the value of the technology. For instance, the effort in Ann Arbor, Mich., has involved 30,000 vehicles, and not one of them has been involved in a collision during testing.
Perhaps most importantly, the bad guys apparently haven’t gotten to the point where they pose a large-scale threat — at least not yet.
“It’s very difficult to hack cars en masse,” said Adams.
Make no mistake, though: that will change. The question is whether the automotive industry will be ready, and the answer to that remains very much in doubt.