Just as we now buy phones, TVs and other devices based on features and available services, consumers are increasingly choosing vehicles for the digital experiences they offer. As cars electrify, they are also creating new challenges for which their digital capabilities can provide a solution. It’s becoming clear to top automotive executives that a highly capable software platform is essential for future success in their competitive industry.
However, safety and security are key elements that must be maintained as vehicle functions shift over to being primarily software-defined. The vehicle is one of the most powerful, iconic, and challenging IoT devices that now use cyber-physical systems. When you think about it, a vehicle – especially a software-defined vehicle (SDV) – is a collection of complex computers. Attacks on IT have evolved and become more advanced over the past 30 years or so, and “mature” threat actors can take advantage of automakers who may be grappling with many of these IT-world cybersecurity challenges for the first time.
When it comes to IT, the ability to detect intrusions and block attackers before they can reach their target is critical. With organisations focusing on the development of software-centric vehicles, the same is true. In fact, the fundamental technologies to secure the complex nature of automobiles already exist and are not much different to what’s seen in IT. However, many of these technologies are not yet sufficiently adapted or adopted for automotive use cases.
In SDVs, software controls and directs what happens and when. And just like with a typical IT endpoint, various types of data are transmitted to enterprise servers, and vice versa with over-the-air (OTA) updates, as well as between other devices. It’s these interconnections and the increased volume of software – including open source – that present a massive attack surface of potential vulnerability.
Why is securing SDVs important? The answer is that in next-gen vehicles, cybersecurity will be a significant component of vehicle safety. In the U.S., 6% of fatal crashes and 8% of injury-inflicting crashes in 2019 occurred due to distracted driving. Consider what might happen if a threat actor compromised the infotainment system in a vehicle in such a way that it distracts the driver. What might something as simple as an unexpected loud noise from the car speakers do?
This is more than conjecture. Cybersecurity researchers recently discovered a vulnerability in a connected vehicle (CV) service provided by SiriusXM that affects millions of cars. Researchers say they could exploit this vulnerability to unlock, start, locate, and honk horns of cars from various brands, in an unauthorised manner — just by knowing the car’s vehicle identification number (VIN). As vehicles become more connected and software-centric, threat actors may not need to compromise safety-critical systems to potentially compromise safety.
However, the good news is that cybersecurity practices and solutions for enterprise security are also largely applicable to SDVs.
More than ever, it is critical that we “bake cybersecurity in” at each stage of design and development, rather than try to bolt it on later. It’s not just about protecting against data theft or extortion anymore. As we move forward and technology advances, organisations need to consider the potential dangers that threat actors may pose to the physical well-being of people.
At BlackBerry, cybersecurity is in our DNA. BlackBerry QNX is a trusted supplier of commercial operating systems, hypervisors, development tools, support and services, all purpose-built for the world’s most critical embedded systems. We help customers streamline their development efforts to more efficiently launch safe, secure and reliable systems, and our technology is trusted in more than 215 million vehicles around the world.