Safety, Security & Open Source in the Automotive Industry

Safety, Security & Open Source in the Automotive Industry

Today’s cars are as much defined by the power of their software as the power of their engines. Almost any car feature you can name is now digitized to provide drivers with easier operation and better information. Technological innovation is accelerating, enabling automobiles to monitor and adjust their position on the highway, alerting drivers if they’re drifting out of their lane, even automatically slowing down when they get too close to another car.

More and more vehicles are “connected,” equipped with Internet access, often combined with a wireless local area network to share that access with other devices inside as well as outside the vehicle. And whether we’re ready or not, we’ll soon be sharing the roads with autonomous vehicles.

Built on a Core of Open Source

Driving the technology revolution in the automotive industry is software, and that software is built on a core of open source. Open source use is pervasive across every industry vertical, including the automotive industry. When it comes to software, every auto manufacturer wants to spend less time on what are becoming commodities — such as the core operating system and components connecting the various pieces together — and focus on features that will differentiate their brand. The open source model supports that objective by expediting every aspect of agile product development.

But just as lean manufacturing and ISO-9000 practices brought greater agility and quality to the automotive industry, visibility and control over open source will be essential to maintaining the security of automotive software applications.

Managing and Securing Open Source in the Automotive Industry

Innovation May Be Outpacing Security in Cars

When you put new technology into cars, you ran run into security challenges. For example:

  • When security researchers demonstrated that they could hack a Jeep over the Internet to hijack its brakes and transmission, it posed a security risk serious enough that Chrysler recalled 1.4 million vehicles to fix the bug that enabled the attack.
  • For nearly half a decade, millions of GM cars and trucks were vulnerable to a remote exploit that was capable of everything from tracking vehicles to engaging their brakes at high speed to disabling brakes altogether.
  • The Tesla Model S’s infotainment system contained a four-year-old vulnerability that could potentially let an attacker conduct a fully remote hack to start the car or cut the motor.

Vehicle manufacturers need to adopt a cybersecurity approach that addresses not only obvious exposures in their car’s software, but also the hidden vulnerabilities that could be introduced by open source components in that software.

When Safety Is a Function of Software, Security Becomes Paramount

When a supplier or auto OEM is not aware all the open source in use in its product’s software, it can’t defend against attacks targeting vulnerabilities in those open source components. Any organization leveraging connected car technology will need to examine the software eco-system it is using to deliver those features, and account for open source identification and management in its security program.

Auto OEMS and their suppliers should adopt management practices that inventories open source software; that maps software against known vulnerabilities as well as alerting to new security threats; that identifies potential licensing and code quality risks; and that can maximize the benefits of open source while effectively managing risks.

For a more in-depth look, Black Duck’s complimentary report, Managing and Securing Open Source Software in the Automotive Industry examines the rewards and challenges of open source use in the automotive industry.

0 Comments
Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.
0 Comments

MORE BY THIS AUTHOR

Devil’s Ivy, Bad Taste, & New SambaCry Vulnerability

| Jul 21, 2017

We have two CVEs of the week this week, CVE-2017-9765, better-known as “Devil’s Ivy,” and CVE-2017-11421, dubbed “Bad Taste” by its discoverer. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library from gSOAP. When exploited, it allows an attacker

| MORE >

Black Duck Teams with Google, Connected Cars, FinTech Compliance

| Jul 14, 2017

Black Duck and Google partner so that open source vulnerability management can be integrated directly with build and deployment activities in the cloud. Connected car news includes BMW adding on to its connected car services; concerns on how code vulnerabilities might lead to driving dangers; and

| MORE >

Top Picks for Black Hat, GDPR & Open Source Webinar, UN Cybersecurity Report

| Jul 7, 2017

Our vulnerability of the week is CVE-2017-7526, which resides in the Libgcrypt cryptographic library used by GnuPG. Exploiting the vulnerability, security researchers were able to successfully extract the secret RSA-1024 key to decrypt data. Libgcrypt has released a fix for the issue in Libgcrypt

| MORE >