It’s time for the auto industry to focus on security

Security for connected cars

McKinsey reports that 95% of new vehicles sold globally by 2030 will be connected, and 64% of these cars will at least have advanced driving assistance. The technology innovations allowing for this industry transformation are exciting, bringing the promise of added convenience, entertainment features, and safety to the driving experience. But the move to connected and autonomous cars also raises some serious security concerns.

Until now, the main security issue around vehicles has been physical security. In the age of connected cars, cybersecurity and personal data are becoming a growing focus.

As our world continues to grow more digitally connected, new risks around cybersecurity have been created. Like the personal data on our phones or laptops that’s connected to a web of applications, servers, and clouds, cars have now also become connected devices.

Now that cars are trading in hardware for software, they become increasingly susceptible to cyber risks. Modern cars receive over-the-air software updates and connect with Wi-Fi, cell service, and Bluetooth. These connectivity features enable remote diagnostics while exposing vehicles to risks such as unauthorized access, data breaches, and remote control exploits. Hackers can potentially exploit vulnerabilities in the software to manipulate vehicle systems, leading to safety concerns such as unauthorized braking or disabling critical functions.

Connected cars make it easy and seamless to connect phones to our vehicles. We can receive phone calls and texts, open different apps, and so on. Most connected cars now even offer their own apps, so we can unlock the doors or turn on the AC on a hot day. These features are great for convenience, but present a huge potential cyber risk. Security researchers are finding many flaws in the APIs and apps for connected cars.

Such connected and autonomous vehicles store personal and operational data. They collect data on location, driving performance, and safety, and can record video via cameras in and around the car. This data then gets shared with the automaker. Just like any other IoT device, malicious actors can try to gain access and steal this personal and private data. Or, maybe the sensitive data being recorded gets shared when it shouldn’t be, as Tesla had to own up to last year.

The new features of connected and autonomous vehicles are being added to make our lives easier and safer. But without proper security measures, this opens the door to serious security issues.

Build security in from the start

In response to both the growing risks around connected cars and the standards and frameworks for automotive cybersecurity, automakers are slowly but steadily changing how they address cybersecurity. Much like cybersecurity for software in general, car manufacturers are finding that they must build in security from the start.

Some best practices for connected and autonomous vehicle cybersecurity to help thwart threats and meet compliance standards include:

  • Encourage software-in-the-loop testing: Automotive software testing ensures that the final product, including both hardware and software, meets all functional and non-functional requirements. While hardware-in-the-loop testing is crucial, it presents challenges in scalability and integration into development processes and CI/CD pipelines. To address these challenges, full software-in-the-loop (SiL) testing setups offer a more scalable and integrative solution. Implementing SiL testing requires several innovative approaches. For instance, leveraging large language models (LLMs) can automate the generation of tests and create corresponding mocks for hardware dependencies. Additionally, developing lightweight software simulators for standard automotive frameworks, such as AUTOSAR, allows for comprehensive system-level testing entirely in software. These solutions enhance the efficiency and effectiveness of automotive software testing, making it easier to scale and integrate into continuous development processes.
  • Add dynamic software testing to static code analysis: The best security testing practices involve leveraging both static and dynamic analyses to test software. For all C/C++ projects, we strongly recommend fuzz testing because it catches critical memory corruption errors such as buffer overflows, use-after-free, and double-free issues. Conduct these methods at pre-release stages to ensure that vulnerabilities don’t land in production.
  • Establish a mobile security focus: Forrester’s 2023 Security Survey found that only 36% of security decision-makers with endpoint data or mobile security responsibilities use mobile threat defense on smartphones. Now, with mobile devices connecting to cars, it’s critical to educate users on security. Whether for business or personal, users need to understand the basics of proper data handling when they connect their phones to a car.
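
The first two practices above can be combined in one small harness, shown here as an added example that is not code from the article or from Code Intelligence: a frame reader whose bus access goes through a function pointer, a software mock standing in for the CAN controller, and a libFuzzer entry point that feeds generated inputs through that mock. The wire format and all names (`read_frame`, `mock_rx`, `frame_t`) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hardware abstraction: a production build binds this to the CAN controller
   driver; a software-in-the-loop build binds it to a mock (hypothetical API). */
typedef size_t (*can_rx_fn)(void *ctx, uint8_t *buf, size_t cap);

#define PAYLOAD_MAX 8u

typedef struct { uint16_t id; uint8_t len; uint8_t data[PAYLOAD_MAX]; } frame_t;

/* Constructed wire format: 2-byte big-endian id, 1-byte length, payload.
   Returns 0 on success, -1 on a malformed frame. */
int read_frame(can_rx_fn rx, void *ctx, frame_t *out) {
    uint8_t raw[3 + PAYLOAD_MAX];
    size_t n = rx(ctx, raw, sizeof raw);
    if (n < 3 || n > sizeof raw) return -1;  /* no header, or driver overran */
    uint8_t len = raw[2];
    /* The length field comes from the wire: reject values larger than the
       destination buffer or larger than the bytes actually received. */
    if (len > PAYLOAD_MAX || (size_t)len > n - 3) return -1;
    out->id = (uint16_t)((raw[0] << 8) | raw[1]);
    out->len = len;
    memcpy(out->data, raw + 3, len);
    return 0;
}

/* Mock hardware: replays a byte buffer instead of touching a bus. */
typedef struct { const uint8_t *bytes; size_t size; } mock_bus_t;

size_t mock_rx(void *ctx, uint8_t *buf, size_t cap) {
    mock_bus_t *m = ctx;
    size_t n = m->size < cap ? m->size : cap;
    if (n > 0) memcpy(buf, m->bytes, n);
    return n;
}

/* libFuzzer entry point: every generated input reaches the parser through
   the mock, so no vehicle hardware is needed to exercise it. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    mock_bus_t bus = { data, size };
    frame_t f;
    (void)read_frame(mock_rx, &bus, &f);
    return 0;
}
```

Built with `clang -fsanitize=fuzzer,address`, the same harness runs as a CI job with no test bench attached.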

As our cars become more technologically advanced and connected, they can become more capable, convenient, and safe. We hope this trend will continue, but the industry has to prioritize proper cybersecurity practices for it to remain a reality.

Sergej Dechand, co-founder and CEO, Code Intelligence
