The automotive industry is undergoing an evolution from traditional cars that use mechanical devices to software-defined vehicles (SDVs) that use software platforms to control the performance of the vehicles. Software-defined vehicles have different layers of software and cloud connections, and this has enabled the industry to realize advanced technology such as autonomous cars. However, with this technology, there are emerging cybersecurity challenges that need to be taken into account.
For a broader market perspective, see the Software-Defined Vehicle Market analysis.
Expanding Attack Surface in Connected Vehicles
One of the most significant challenges that the cybersecurity field faces in the SDV environment is the rapid growth in the attack surface. In the modern vehicle, connectivity solutions such as cellular networks, Wi-Fi, Bluetooth, and vehicle-to-everything communication are becoming more popular. While these connectivity solutions provide a greater vehicle experience for the driver, they also provide a number of different avenues that could be exploited by a hacker.
In the traditional vehicle, electronic control units were isolated from external connections. In SDV, a centralized computing platform is the primary method for connecting to external networks and the cloud. Each software interface, application programming interface, or connected service that is introduced into the SDV potentially represents a number of different vulnerabilities that could be exploited by a hacker. In the modern vehicle, as the vehicle becomes more connected, the hacker will attempt to exploit these vulnerabilities to gain access to the vehicle’s systems.
Risks Associated with Over-the-Air Updates
Software updates over the air are a vital feature of software-defined vehicles because it allows for the provision of new features, security patches, and performance updates. However, the update mechanism can be a potential entry point for cybersecurity risks if not well-protected. The attackers may target the intercepted packages of the software updates. If the compromised software is installed in the vehicle, it can alter its operation or introduce backdoors for attacks.
Therefore, it is vital to ensure authentication, encryption, and integrity checks in the software update over the air update mechanism. The automaker must also develop an effective rollout strategy to ensure that the packages of the software updates are validated and tested before the rollout process.
Legacy System Vulnerabilities
Another issue arises from the integration of old automobile communication protocols with modern digital communication. Old automobile communication protocols, such as CAN or LIN, are not secure since they were not originally intended to be used in a network with security as an issue.
When old automobile communication protocols are integrated with modern digital communication in an SDV, there is a potential risk that could be used by a cyber attacker to gain access to the network through an external interface and then pivot into an important network, such as the braking network, steering network, or power network.
These issues could be resolved by designing a new vehicle architecture with a secure communication gateway to protect the old communication protocol from external attacks.
Supply Chain and Third-Party Software Risks
Software-defined vehicles have a complex supply chain that involves various vendors and software developers. It is estimated that a vehicle could be comprised of software from dozens of different vendors and developers, including open-source software.
While this is a positive factor for the development of vehicles, it also brings along the risk of a cyber-attack. “Third-party code and development software can contain 'hidden security risks embedded in the vehicle system.’”
Automakers must adhere to “strict software supply chain management disciplines such as code audits and security testing, as well as the use of software bills of materials.”
Data Privacy and Safety Concerns
Software-defined vehicles produce a large amount of data pertaining to the location of the vehicle, the behavior of the driver, infotainment, etc. While this data can be useful from the point of view of analytics and digital life, it has some risks involved, as well.
In case unauthorized access to this data is possible, then this data can be misused, or the location of the vehicle can be tracked. Even in the worst case, safety can be compromised because of cyber-attacks, leading to accidents or affecting other critical functions.
Data privacy and functional safety are of great concern to automobile manufacturers while designing the cybersecurity of a software-defined vehicle.
Final Thoughts
Cybersecurity is becoming a major issue in the evolution of software-defined vehicles. Indeed, with the integration of advanced vehicle connectivity, cloud computing, and software-defined vehicle architectures, the number of vulnerabilities that could compromise the security of these vehicles is considerable.
To deal with these challenges, car manufacturers will need to implement a security-by-design approach that includes the integration of encryption, secure boot mechanisms, monitoring, and supply chain management. In fact, regulatory measures and industry standards are starting to emerge to help define the cybersecurity practices for connected vehicles.
Therefore, cybersecurity will become a critical factor for maintaining the trust of users, ensuring the safety of vehicles, and enabling the evolution of software-defined vehicles in the coming years.
Contact Us