What's Under Your Hood? Security & the Connected Car

Picture this: you’re driving your newly purchased, fully equipped, top-of-the-line automobile. You’ve just filled your tank, thanks to the crowdsourcing app GasBuddy, and you’re about to begin the commute to work. But first, coffee. Thanks to SYNC 3, Ford’s latest infotainment system, you easily order by stating “Alexa, ask Starbucks to start my order.”

Your connected car and the barista waiting on the other end of the app happily oblige, and before you know it, your usual drink order is waiting at the Starbucks location closest to work. You drive through with ease; the only words exchanged between you and the barista are a simple thank you. This “day-in-the-life” anecdote isn’t where technology is going; it’s where technology is today. Developers and auto manufacturers have combined to produce an entirely new experience for motorists. However, it raises the question: how do these features work?

Up to millions of lines of code keep a car, and its passengers, safe, connected, and on time. Back-up sensors, infotainment systems, and tire-pressure monitoring are all run on a mixture of open source and proprietary code. Code is code; if vulnerabilities exist, code can be hacked. Using open source code doesn’t make these cars any easier or harder to hack. If anything, the use of open source has made the development process of these vehicles much more efficient. However, the momentum of the automotive industry could come to a screeching halt if a hacker exploited a vulnerability in an unpatched vehicle, or worse yet, across an entire car model or manufacturer.

Just like any other application under development, it is vital that the code being used is continuously scanned for vulnerabilities. The software development life cycle for a vehicle doesn’t end when the car drives off the lot. As Jeep hackers Chris Valasek and Charlie Miller showed the auto industry in 2015, vulnerabilities can be exploited while a car is being driven. It is now up to the auto manufacturers, and any entity involved in the development of the vehicle, to properly vet and remediate the vehicle’s software before an exploit can occur.

The manufacturing of vehicles presents a unique challenge to the typical development processes that software developers are accustomed to. For example, Apple can push out application updates and patches as vulnerabilities are discovered. It then becomes the responsibility of the iPhone’s owner to tap “Download and Install” until they upgrade to a new unit a few years later. A piece of hardware traveling down the interstate at 70 mph is a different story, especially when you consider that the average lifetime of a vehicle is ten years, not two. Over-the-air updates are not always possible or practical, and the average driver won’t know that their vehicle is vulnerable unless they receive a recall notice.

So, what can vehicle manufacturers do? Because the use of open source is pervasive across the automotive industry and is essential to the development of differentiating features, it’s important to continuously check the code to ensure the safety of its passengers. Our eBook, the Connected Car Security Report, can help inform you about the risks associated with connected vehicles, and guide you on what measures companies can take to ensure the safety of passengers.
