Cleantech Market Intelligence
Time for Automakers to Get Real on Vehicle Security
Recently, the annual Black Hat and DefCon computer security conferences took place in Las Vegas, and this week the National Highway Traffic Safety Administration (NHTSA) announced a notice of proposed rulemaking regarding vehicle-to-vehicle (V2V) communications. Hacking cars was once again one of the hot topics at the two security conferences this year, in part because automakers don’t appear to have done much to improve the security of the vehicles we drive. Each year researchers announce some newly discovered vulnerability that gets blown out of proportion by the mainstream media.
Fortunately for drivers everywhere, none of the issues discovered so far have actually amounted to anything worthy of concern. However, as vehicles continue to get increasingly advanced in the coming years, the potential for attackable flaws will only increase. Automakers are notoriously quiet when it comes to publicly discussing anything that might be deemed a flaw in any of their products, but it’s time to change that attitude when it comes to electronic security.
Calling All Cars
Over the past half-decade, advanced driver assist systems such as adaptive cruise control, automatic parking systems, and lane departure warning and prevention have rapidly migrated down-market from expensive European luxury models to mainstream, high-volume family cars, such as the Toyota Camry and Ford Fusion. With the addition of just a few extra sensors and a lot more software, these are the building blocks for tomorrow’s fully autonomous vehicles.
One other piece of that puzzle is the V2V communications that the NHTSA would like to mandate. Along with vehicle-to-infrastructure communications, cars will be able to send and receive messages that can influence the behavior of the vehicle. Initially, the plan is to send these alerts only to drivers. However, it’s only a matter of time before that expands to include autonomous vehicle capabilities like automatic braking or steering to avoid a collision.
Anyone who’s ever worked on software will acknowledge that it’s virtually impossible to write absolutely perfect and bug-free code, and the task gets exponentially more difficult as systems get more complex. Automakers often like to brag about how many millions of lines of code are in the latest and greatest new vehicle and how many gigabytes of data are processed every second. They neglect to mention how every additional byte of code means more potential for mistakes or security flaws.
No Such Thing as Bug-Free
Companies with vast software engineering expertise, including Google, Facebook, and Microsoft, have acknowledged that they cannot possibly find every potential issue in their products. The impact of a Facebook or Google breach can be annoying, and potentially expensive, but not life-threatening.
It’s time for automakers to follow suit and acknowledge that despite their best efforts to secure vehicles, the potential does indeed exist for security vulnerabilities. Tesla Motors started on the right track this year with the hiring of security expert Kristin Paget away from Apple. The company also sent a team of recruiters to the Black Hat and DefCon conferences to find more talent.
Each automaker should also set up a bounty program similar to those established by the big tech firms, which pay researchers cash rewards for disclosing security vulnerabilities to the companies. The corporate lawyers might not be crazy about the idea, but with the recent flood of vehicle recalls from General Motors and other manufacturers, the increased focus on safety and quality might actually make this an ideal time to do so.