The automotive industry is at an iPhone moment, where the convergence of network connectivity and autonomous technology is fuelling an explosion of innovation and bringing a lot of new players into the market. What used to be strictly a mechanical device is now a computer on wheels, often carrying over 100 million lines of code.
This is good for consumers and enterprises, but these new technologies also bring a lot of new reliability, safety, and privacy risks stemming from security flaws in the software that underlies these new capabilities, says Mike Pittenger.
According to research conducted by Black Duck’s Centre for Open Source Research & Innovation, 23% of the code in the average automotive application is open source. Open source enters in-vehicle applications through a variety of paths. Automobile manufacturers rely on a wide range of component and application suppliers, who build solutions with open source components and extend open source platforms.
While open source adds tremendous value to organisations, it is not without risk. The biggest risk is not properly tracking the open source used, and not tracking new vulnerabilities reported publicly in those components. The research I reference above found the average commercial application included over 140 unique open source components (more than two times the number believed by code owners to be used).
More concerning, 67% of the applications displayed multiple vulnerabilities in the open source. These vulnerabilities could be exploited by hackers to steal information, cause unexpected behaviour, and “crash” applications. Researchers Charlie Miller and Chris Valesek demonstrated what skilled hackers can do to automobiles once weaknesses are discovered.
This doesn’t mean we should avoid open source. On the contrary, open source accelerates time to market and lowers development costs. Open source is neither more nor less secure than custom code. It’s software, and will include coding errors that can result in security vulnerabilities.
However, there are certain characteristics of open source that make vulnerabilities in popular components very attractive targets for hackers. When a supplier or auto OEM is not aware of all the open source in use in its product’s software, it can’t defend against attacks targeting vulnerabilities in those open source components.
But whether open source or commercial code, we need to be prepared for car hacking and determine how to address automotive cybersecurity early on.
Is cybersecurity really one of the biggest challenges facing the connected car and autonomous car ecosystems?
Yes, automotive cybersecurity is a significant challenge, and it’s not getting sufficient investment. As vehicles become rolling datacentres, there’s no reason to assume they won’t be subject to the same security risks we see on other computing platforms: malware, ransomware, phishing, and application security exploits. I don’t see enough attention or investment in addressing these risks.
2. What about our privacy?
A growing consumer concern of consumers is privacy. A connected car captures far more information about individuals than most devices. It records where you go, how long you stay, who you call, how fast you drive, or if you drive erratically. Protecting that data from unauthorised disclosure, or invasive marketing, will be important to consumers.
3. What makes managing cyber risk in increasingly computerised/connected vehicles such a challenge?
- Code proliferation: As I noted earlier, a new car can include over 100 million lines of code. For reference, the space shuttle had about 400,000 lines of code, the F-35 fighter jet about 25 million lines, and Windows XP around 40 million.
- Contributor proliferation: The connected car ecosystem is a mix of auto manufacturers, their traditional suppliers, and new technology suppliers like Google, Apple, and Uber. The connected car supply chain is incredibly complex and made up of vendors with widely varying levels of experience managing cybersecurity risks. While the auto manufacturers have developed mature processes for ensuring quality across their supply chain for physical parts, best practices to manage security risks with software are only now being developed.
- Product and maintenance lifecycles: Managing security risks in vehicles is also made more difficult by their long service life and the logistics of “patching” embedded software. While a smartphone or laptop might have a service life of a few years, and a smart TV of 10 years, cars are in development for years prior to distribution, and have a useable life of 20 years or more.
4. What should OEMs, startups, and others in the autonomous car ecosystem be doing to mitigate the risk?
As with safety, ensuring automotive security is going to be about visibility and control across the supply chain. Just as OEMs need to understand the security of the custom code (using tools like static analysis), they need to confirm the status of the code they don’t write, such as open source. If manufacturers don’t know what’s in the code of their connected car technology suppliers, they won’t be able to control their cybersecurity risks.
As open source use continues to increase in the auto industry, effective management of open source security and license compliance risk is becoming increasingly important. By integrating risk management processes and automated solutions into their software supply chain, automakers, suppliers, and technology companies servicing the automotive industry can maximise the benefits of open source while effectively managing its risks.
The author of this blog is Mike Pittenger, security strategist, Black Duck by Synopsys