Cybersecurity survey finds automakers and suppliers ill-prepared for in-vehicle software security
21 October 2015
Results of a recent survey by Ponemon Institute, a leading independent security research organization, suggest that automotive software developers are ill-equipped and often overwhelmed when it comes to building security into their processes and tools.
|
|
| Source: Rogue Wave Software. Click to enlarge. |
The cybersecurity survey, sponsored by software development tools company Rogue Wave Software and application security company Security Innovation, polled more than 500 automotive developers, engineers, and executives from automotive OEMs and Tier 1 suppliers. Among the key findings:
Developers are not familiar enough with their company’s program to secure software for automobiles.
Developers do not believe their companies are taking security seriously enough, or empowering them to make software more secure.
Developers want—but do not have—the skills necessary to combat software security threats and they do not feel they are properly trained.
Automakers are not as knowledgeable about secure software development as other industries.
Security is not built into the Software Development Lifecycle (SDLC) in the automotive industry.
Enabling technologies are not being provided to developers so they can build security into their processes.
More specifically:
90% Think that it is difficult to secure automotive applications.
57% Doubt that automotive software development teams have the skills necessary to combat software security threats.
51% Consider security an add-on feature, rather than integrating it into the software development lifecycle.
44% of the developers surveyed believe that hackers are actively targeting automobiles.
Only 41% of developers polled agree (and 28% disagree) that secure software is a priority for their company. Worse, a large number of them (69%) believe that securing the applications are difficult/very difficult and nearly half (48%) believe that a major overhaul of the car’s architecture is required to make it more secure. Only 19% think that it is even possible to make a car “nearly hack proof.”
The main reason for lack of emphasis on security include pressure to complete development (24%); security takes too much time (22%); and it’s not considered important (22%).
More than half of the respondents felt that security is not integrated into the development process, but that it is treated an add-on responsibility, usually managed by someone else.
Only 28% of the automakers believe that they are as knowledgeable as other industries with respect to security.
One of the most disappointing statistics is that over half the developers don’t think their company has the necessary training or technology to ensure that the software running in our cars is secure. This means that regardless of engineering talent, companies aren’t able to secure their code.
—Rod Cope, CTO of Rogue Wave Software
Both Rogue Wave and Security Innovation are increasing investment in automotive security products and services to inform, educate, and improve the software that runs in cars. The companies will share detailed survey findings with the extended development community to stimulate an industry-wide conversation on ways to address the systemic shortcomings identified in the data.
The companies in the world that knows most about cybersecurity is Microsoft, Google and Apple. This is just one reason they need to go into the industry of making autonomous BEVs. Cybersecurity will be extremely important. It will be a life and death issue. Of cause the best security is obtained by not being online when driving so that you cannot be hacked. This is what I will do. Once parked and charging you go online and download map updates and traffic information etc. That will not work for autonomous taxi services that need to be online constantly in order to track the cars and optimise their route making. But also to provide entertainment and work opportunity for its passengers.
Posted by: Account Deleted | 21 October 2015 at 04:52 AM
A lot of these surface attacks are minimized if you have a "driver's" car, as in one with few electronic nannies. For instance, I have a 2011 WRX, so vehicle to vehicle communications and transmission control are non-issues since my car has neither (manual transmission). The tire pressure monitor is a convenience, and it's failure to function does not endanger the vehicle if the owner is on top of tire maintenance (as all good owners should).
This leaves keyless entry/anti-theft, stability control, ABS, ECU, Instrument cluster/telematics & airbag control. With the exception of the instrument cluster, most of these could be pretty scary/damaging if a hacker got control of. But once again, my car does not have an integrated system (particularly because I have an aftermarket stereo), so most of these dangerous areas require a hacker to physically connect to the OBD II. And therein lies the key - integration and communication is where the security must be strongest if consumers insist on having rolling smart phones.
Posted by: methos1999 | 21 October 2015 at 08:26 AM
I really want to know how hackers can compromise the airbag circuits... Usually they are monitored by the PCM but are completely functional without it... The PCM doesn't ignite the squibs, that's done by reed switches/accelerometers and other check safes and a separate computing system(usually its pretty analogue because of the speed requirements involved). There are multiple legs to the circuit and none have an input from the PCM...most cases its an isolated network. I guess they could un power it, but I've never seen that as a possibility. I haven't worked with every system but I'm curious how one could defeat an ultimately isolated circuit. Maybe they could tell a driver in the check circuit to fire longer than need be igniting the charge(but even having a way to ignite it would be a failure on the OEMs part.)
I will say my experience in the industry, companies are very concerned with security... Lots of proprietary info is stored on the computers, take VWs emissions "bug" for example...if it were easy to access many would know it long before the scandal. But I will say, as long as their is an OBDii port there will be room to modify parameters and ultimately change how the car operates for better or worse.
If you had the know how and $30 worth of software and tools you could change almost anything on your vehicle if you took the time to understand the information traveling on the bus. But again, if the paths are fail safe like airbags and ABS circuits... There might be only minor inconviences...one that would cause more damage that i can think of would be electronic steering. It would be hard to muscle that. And that likely is a controllable parameter that would be easy to manipulate.
Posted by: CheeseEater88 | 21 October 2015 at 09:46 PM