The public’s sense of security was shattered when, in 2015, white hat hackers remotely attacked a Jeep vehicle through its computer system. The infiltration seemed harmless at first — loud music blared and windshield fluid erupted uncontrollably. What first seemed nothing more than annoying turned more ominous as the engine was forcibly turned off on the highway with traffic coursing by at 70 mph.
While the attack was carried out merely to demonstrate the vulnerability, it cast a deep shadow across the entire automotive industry and raised serious questions about vehicle safety. As automobiles become more high-tech, more connected, and more reliant on applications for their everyday functions, how reliable and safe are they? What can automakers do to stem the growth of new application security risks in automobiles?
Technological Advancements Improve Safety and Present New Dangers
There’s little doubt that technology has made cars safer, more comfortable, and more efficient. Today’s motor vehicles, like the computers and mobile devices we use every day, are almost entirely reliant on software.
Consumer demand for safety and convenience has long pushed cars toward greater complexity and sophistication. In the past, this meant seatbelts and airbags; now, it means computerized and connected systems including navigation systems, entertainment centers, remote key fobs, and more. While the features on vehicles have kept pace with modern demands, many manufacturers haven’t scrutinized the security of these new systems and the software they use.
This lack of security has prompted consumer groups and the government to raise red flags. In 2016, the FBI went so far as to issue a PSA warning drivers that their cars can become the next target of a cybersecurity attack.
Safety First Means Security from the Start
The computer is the epicenter of the modern car, responsible for function, comfort, and entertainment. These systems require an extensive number of complex applications. For example, IEEE noted that premium vehicles perform their technical ballet around a staggering 100 million lines of code.
While vehicle systems may undergo testing after development, they are rarely designed with security in mind from the start. This is a problem, because some software vulnerabilities may not even be identified in the post-development stage. These vulnerabilities can be broad-ranging and expensive to address. (For example, many drivers connect their cellphones to the on-board computer, making them vulnerable to identity theft.)
Although manufacturers are concerned about driver safety and vehicle reliability, business demands require them to produce cars quickly, and this can mean overlooking application security. This might serve immediate goals and drive profits in the short term, but producing vulnerable automobiles will have damaging long-term consequences for the car manufacturers, their supply chain partners, dealers, and customers.
The cost of a recall can be particularly damaging to a company’s bottom line. Consider Chrysler, which had recall costs of over $660 million in 2016. Now, imagine how many exploitable vulnerabilities exist within those 100 million lines of code and the consequent number of recalls necessary to correct a laundry list of issues with an entire fleet of vehicles.
This is a problem for corporate image, too, as well as the entire industry of highly technical and (eventually) self-driving cars. No automotive company needs an incident like the Target data breach in 2013, which resulted in the stolen identities of millions of shoppers. These shoppers were among the legion of consumers who began to close their wallets to Target, which ended up costing the company more than $160 million in the year following the breach.
Although automotive companies might think of themselves as immune to headline-making breaches, their growing reliance on software exposes them to a multitude of threats. Unless they start building secure software now, it’s just a matter of time before we see automakers fall victim to attacks resulting in data breaches or, even worse, safety issues.
Shifting Security Left
Addressing the complex application security problems facing vehicle manufacturers begins with a “security first” mentality. Software security must be designed into automotive applications from day one, and this means enforcing software development processes that identify and fix vulnerabilities during design and coding rather than testing and repairing vulnerabilities later. The standard practice at most organizations — automotive or otherwise — is to rely on code scanners like Static Analysis Security Testing and Dynamic Analysis Security Testing tools, but these only catch 46% of application-level risks. And 46% is not safe enough when there are people behind the wheel.
In the world of agile development, continuous delivery, and DevOps, the concept of “shift left” has emerged. “Shift left” is a mindset that considers security from the onset and is pervasive throughout the software development process. This is what it means to “build security in” from the start.
When software development teams start far left, organizations can embed the appropriate security considerations into the requirements phase. Starting with solid security requirements as early as possible allows organizations to make sound design decisions up front that will help eliminate technical debt and reduce the cost to maintain software.
To minimize application security risks, organizations should manage the entire software development life cycle to ensure that developers build in security requirements from the start, without wasting valuable time on vulnerability remediation or risking a recall later. Incorporating security into the software development processes to stop attacks and boost driver safety is a win-win situation for vehicle manufacturers and customers alike. It’s time for the auto industry to change gears and shift left when it comes to software security.
Rohit Sethi, COO of Security Compass, is responsible for setting and achieving corporate objectives, company alignment, and driving strategy to execution. He specializes in software security requirements management (SSRM), working with large companies in various industries to …