How Cyber Secure Is the Software in Your Car?

This past July marked the first cyber security recall in automotive history.  Fiat Chrysler issued a formal voluntary recall of 1.4 million vehicles after security researchers Charlie Miller and Chris Valasek demonstrated to WIRED how they could exploit a software vulnerability in Chrysler’s Uconnect dashboard computers and remotely hack into a 2014 Jeep Grand Cherokee over the Internet, taking over dashboard functions, transmission, steering and brakes.  Most notably, they did so from their basement while WIRED author Andy Greenberg was driving the vehicle on the highway!

Though this was first time an automotive manufacturer issued a recall for cyber security, it’s not the first time security risks have been found in automotive software.  As I’ve pointed out in my previous article “How Much Software Is in Your Car?” nearly every vehicle less than 30 years old on the road today depends on lots of computer software and thus is potentially vulnerable to hacking, especially newer models that are connected to the Internet.  

With all of this complex software comes the need for automotive manufacturers to employ systems engineering and sophisticated project, program and portfolio management carefully balanced against the triple constraint of schedule, effort/cost and quality.  Unlike some other industries, auto industry executives do not have the luxury of focusing exclusively on quality when developing estimates and plans for vehicle development.  Being late to market with innovative technology may mean that a competitor captures the majority of market share.  If development effort and costs are too high, it puts more pressure on sales volume to reach an acceptable margin.  Software reliability issues, to include security vulnerabilities, can result in expensive recalls and even lawsuits that tarnish a company’s reputation and impact future sales.

One automotive manufacturer that has been very proactive with cyber security is Tesla Motors.  The Tesla Model S was built to be a connected car from the ground up and the protection of owners’ security and privacy was a top priority.  Tesla Motors has had strong collaboration with security researchers during development and after auditing the cyber security of the Tesla Model S, Kevin Mahaffey, co-founder and CTO of mobile security firm Lookout, concluded that “the Tesla Model S has a very well designed security architecture that we believe should serve as a template or others in the industry…overall, I feel more secure driving in a Tesla Model S than any other connected car on the road.”  

Examples of good architecture decisions in the Tesla Model S observed by Mahaffey and his colleague, Marc Rogers, principal security researcher for CloudFlare, included: an over-the-air update process to patch security vulnerabilities quickly, isolation between vehicle systems and infotainment systems, account password rotation, and the ability of the car to handle sudden power loss in a graceful way enabling the driver to safely pull over to the side of the road.

However, even the Tesla Model S had a number of areas where cyber security could be improved.  While the Model S has good perimeter security, Mahaffey and Rogers demonstrated how someone with physical access to the interior of the vehicle could plug into a diagnostic Ethernet port behind the instrument cluster and hack into the infotainment systems.  From there they exploited a number of vulnerabilities in the infotainment systems enabling them to remotely start and stop car, unlock the doors and open the trunk and frunk.  In response, Tesla immediately pushed out an over-the-air firmware security patch to all Model S owners and Tesla CTO JB Straubel publicly thanked Mahaffey and Rogers for their findings at the Def Con security conference in Las Vegas.

So what can we do to improve cyber security across the entire automotive industry?

Some best practice recommendations for consumers:

• If you learn of a cybersecurity vulnerability applicable to your vehicle model year, promptly install the security patch from your vehicle manufacturer as soon as it is available.
• In the same way you wouldn’t allow someone you don’t trust to have unsupervised physical access to your home computer, don’t allow anyone you don’t trust to have unsupervised physical access to your car.
• When considering the purchase of a new vehicle, don’t be afraid to ask tough questions about cyber security and privacy in the same way that you might ask questions about the vehicle’s safety rating, fuel efficiency, cargo capacity, etc.
• Encourage best practice collaboration between industry, government and security researchers.  Consider supporting projects like the Five Star Automotive Cyber Safety Program.  There is also an automotive anti-hacking bill that was recently introduced in the U.S. Senate.

Some best practice recommendations for automotive manufacturers:

• Incorporate cybersecurity across the entire software development life cycle (SDLC).  Find and remove cybersecurity vulnerabilities early in the SDLC when they are less expensive to fix.  Include cybersecurity requirements in the criteria for peer review inspections and testing.
• Identify, quantify and prioritize cybersecurity requirements as a formal part of the scope of a planned project release.  QSM’s software sizing infographic is a useful reference on how to quantify software requirements.
• Build cybersecurity into the software architecture.  Mahaffey posted the following architecture best practice recommendations in his Lookout blog:
  • Establish an over-the-air update process to ensure security patches can be pushed out quickly
  • Insolate vehicle and infotainment systems and ensure that any gateway between them undergoes an intense security review.
  • Harden the security of each individual component so that if one component is hacked, the others are still protected.
• Create a predictive model that forecasts software reliability.  Researchers at Colorado State University found that between 1% and 5% of total software defects were cybersecurity vulnerabilities.  Any software process improvement or management decision that reduces the total number of defects will likely reduce the number of potential security vulnerabilities.
• Ensure there is adequate budget to address cybersecurity requirements.  For each planned software release, use a scope based parametric software estimation tool to analyze various estimation scenarios that balance schedule, effort/cost and quality. 
• Do not overstaff the project to try to compress the schedule.  QSM’s quantitative research has repeatedly shown that large teams produce significantly more defects than small teams when building the same project scope.  An increase in the total number of defects will almost certainly result in more cybersecurity vulnerabilities.