US Senator Puts Car Manufacturers on Notice Regarding Software Security

On December 2nd, 2013, US Senator Edward Markey (D-Mass.) put the automotive industry on notice that the issue of software security for automotive systems has reached the top levels of the United States government. Senator Markey did this by sending out official letters to 20 major automobile manufacturers asking for answers to very pointed questions about their security and privacy protection methodologies (press release, letter to Volvo).

The background to Senator Markey’s concern is the Internet’s march into all aspects of technology, going beyond even computers and smartphones. One of the latest buzzwords in the technology industry is the “Internet of Things” (IoT). The vision behind IoT is that all sorts of machines with embedded computing capability will be connected to the Internet, and right now one of the most promising markets within IoT is the automotive market. This is partly driven by consumer demand. Consumers are now getting used to having modern high-performance computing devices (otherwise known as smartphones) with them wherever they go, allowing them to remain in constant contact with their friends and relatives as well as have access to all of their favorite content anywhere, anyplace. They now expect this connectivity and content to be accessible while they are driving their cars. Automobile manufacturers are working to meet this demand and are partnering with technology companies such as Apple and Microsoft. Toyota has even gone as far as to release a concept car called the “Fun-Vii” which their CEO described as a “smartphone on wheels.”

However, as anyone who has had their computer infected with malware well knows, there is a dark side to the Internet. In the wrong hands, automobiles can become deadly objects and having one of those hands being a piece of malware is a frightening thought indeed. While you may not think of your car as an electronic device, according to Senator Markey’s letter, “today’s cars and light trucks contain more than 50 separate electronic control units (ECU),” which are networked together. While this can provide a number of targets for a bad actor, it is generally thought that the difficulty of accessing the networks of current vehicles to get at the ECUs is enough of a deterrent.

However, Senator Markey points to a couple of studies done by security researchers working for DARPA (Defense Advanced Research Projects Agency) which poke holes in this common-sense argument. One showed that unauthorized third parties could access a car’s CAN bus (a networking technology commonly used in automobiles) via a Bluetooth connection, an Android smartphone synched to the car’s infotainment system, the OnStar network or even a malicious file on a CD placed in a car’s stereo. The other one showed how a bad actor could gain access to a vehicle’s computer system and then control various critical systems of the car such as the engine, brakes and steering system. With this access, the DARPA researchers reported, they could make a car suddenly accelerate and turn while at the same time disabling the braking system (see report). The Senator also expressed concern about the threat to privacy, given the ability of services, either purposefully or through exposure by malicious acts, to provide information about the driver, including such details as location, speed, seat belt usage, etc.

The Senator’s letter states, “As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code and more avenues through which a driver’s basic right to privacy could be compromised.” Given this threat, and his concern that automobile manufacturers aren’t adequately addressing it, Senator Markey asks a total of 18 questions requesting specific details around the security practices of automobile manufacturers. The companies are requested to respond no later than January 3rd, 2014, promising a busy holiday season for some corporate staffers. While it is not clear now just what Senator Markey will do with the information once he receives it, it is possible he might use it as a basis for hearings or legislation.

While we think it is true that much of the software written for automotive systems so far has been developed with relatively little consideration for security, and Senator Markey is right to call attention to this issue, it is not an insolvable problem. The increasing popularity of networked devices has led to the development of a security industry which understands the challenges facing embedded developers, including automotive developers, and we can help by providing the ever more sophisticated tools needed to meet these challenges.