Junko Yoshida, Chief International Correspondent at UBM Electronics, recently reported that the automotive industry is still “ill equipped” to protect connected vehicles from hackers. Indeed, according to a survey conducted by the Ponemon Institute, only 41 percent of developers agreed secure software was a priority for their companies, while 28 percent disagreed.
“Even worse, 69 percent of these developers believe securing applications is difficult/very difficult and nearly half believe that a major overhaul of the car’s architecture is required to make it more secure,” Yoshida wrote in a recent EE Times article. “The survey further revealed that at least 44 percent of the developers queried believe hackers are actively targeting automobiles.”
Perhaps not surprisingly, the survey concluded OEMs and their suppliers “do not yet have the desire, skills, tools or processes to make a secure car.” Nevertheless, companies are not simply sitting back and completely ignoring the problem.
To be sure, 63 percent of respondents confirmed running automated software scans during development, with half executing scans after an application launch and 36 percent conducting penetration tests. Unfortunately, only a quarter of those surveyed said they adhered to secure coding standards and conducted assessments such as threat models.
Egil Juliussen, director research & principal analyst at IHS Automotive, told Yoshida that carmakers – in general – chose complacency over action during the past several years. According to the analyst, specific reasons included “it can’t happen here,” “too much effort for too little reward” and “no known actual breaches.”
Although Juliussen acknowledged successful auto hacking still “requires lots of time and expertise,” he emphasized that “good” hacking tools and expertise would be fielded in three to five years. In the meantime, says Juliussen, “deployment is lagging and may take a decade to catch up.”
Commenting on the Ponemon survey, Craig Rawlings, a Sr. Director of Business Development at Rambus’ Cryptography Research Division, told us that security approaches based on integrated hardware were originally limited to the smartcard space before ultimately expanding to digital content protection and beyond.
“It is interesting to note that movie studios were also considered early adopters – incorporating an integrated hardware and software approach for securing high value video content,” said Rawlings. “With the advent of smartphones and other connected mobile devices, the industry is currently experiencing a new wave of Internet-of-Things (IoT) related security activity.”
Rawlings also noted that the Ponemon Institute survey and Yoshida’s EE Times article do a great job of highlighting the importance of robust digital security in the automotive sector.
“It helps make security less esoteric, more real and increasingly tangible. The urgency for security robustness in our cars is made all the more poignant by both the lagging security standards within the automotive industry and the introduction of a new wave of smart, semi-autonomous connected cars,” he added.