The software security of connected cars is increasingly at risk, and automotive developers need to be more aware of the vulnerabilities, a security expert will tell engineers at the upcoming Embedded Systems Conference (ESC) in Boston.
Jay Thomas, director of field engineering for LDRA Technology, says that too little thought has been given to the issue, and that the risks are growing. “There are a lot of things that can be controlled wirelessly in just about any vehicle,” Thomas recently told Design News. “And when we get to the point where vehicles are beginning to talk to each other, the potential for exploitation will be huge.”
Thomas said that key weaknesses include vehicle communication buses and on-board diagnostic ports. Up to now, very little consideration has been given to securing the underlying wiring, he said.
Recent history lends credence to Thomas’ statements. In 2012, an OnStar communication system was used at the request of police to shut down a vehicle while it was being pursued. Experts claim that if police are able to use such methods, thieves and hackers will learn to do it, too. Similarly, during a demonstration for Wired magazine in 2015, a pair of hackers tapped into a vehicle and operated its radio, climate system, windshield wipers and accelerator. The hackers, who were located ten miles away, went so far as to disable the car while it rolled down Interstate 64 in Missouri. The incident ultimately sparked a recall of more than 1.4 million Fiat Chrysler vehicles.
“This is a vulnerability that we are really worried about – the ability to remotely access a car,” Thomas told us.
Increasingly, automakers are growing aware of such dangers and are moving towards standards for certification of vehicle sub-components. ISO 26262, which describes safety measures for electrical and electronic sub-systems, is addressing some of the issues, Thomas said. “Many of the automotive primes – GM, Ford and Chrysler – require that from their component vendors,” Thomas told us. “But when you apply it, you really need to take a hard look at the rules that apply to security.”
Thomas added that automakers and suppliers also need to be prepared to thoroughly examine software code. That’s the easiest way to stop faults from being injected. Code review standards, such as CWE (Common Weakness Enumeration) and CERT, enable developers to identify potential problems early, he said.
“The number one thing that coding standards bring to the discussion is the ability to validate the data that goes in and out of your system,” he said. “The takeaway is that security starts at the beginning, with safe coding practices.”
Thomas contends that if those weaknesses are not addressed, hackers could gain access to other sub-systems, such as brakes and steering. They could also tap into data in phones and even homes, he told Design News. “Ultimately, our vehicles will connect to your phone and your house, which means your personal data will be at risk,” he said. “So we are already at the point where we need to ask if our car should be connecting to our home Wi-Fi.”
Thomas, who has also consulted with the aerospace industry on software security issues, says that the problem is a more daunting one for automakers. Most autos already contain tens of millions of lines of code, and that number will skyrocket as the industry attempts to move toward full autonomy.
For that reason, manufacturers and suppliers need to step up their awareness levels, Thomas said. “It’s something we need to address now, before the technology spirals out of control,” he said.
Senior technical editor Chuck Murray has been writing about technology for 33 years. He joined Design News in 1987, and has covered electronics, automation, fluid power, and autos.