Hacking into a car these days is a little like breaking into a home where half of the doors and windows don’t have locks. There are a multiple entry points for hackers to gain remote access to a connected car—which was demonstrated earlier this year when white hat hackers Charlie Miller and Chris Valesek (now security lead at Uber Advanced Technologies Center) took control of a Jeep Cherokee from miles away.
The Jeep Cherokee hacking not only showed the weakness of this particular SUV’s digital defenses, it also raised questions about what, if anything, other connected car manufacturers are doing to protect their vehicles.
So, is it possible to build an unhackable car? And has any automaker achieved a truly secure car?
Fortune and TheDrive, a newly launched Time Inc. automotive web site, kicked off the LA Auto Show and the Connected Car Expo with a panel aimed at answering that very question. The private dinner, hosted at the Wolfgang Puck Bar & Grill at LA Live in downtown Los Angeles, brought together executives from the automotive and tech industries, including many from the Connected Car Expo’s top 10 automotive startups.
The takeaway? Automakers are working to make cars more secure, but their disparate, fragmented process has left a number of security gaps, according to panelists Andy Gryc, the director of the Connected Car Expo, Danny Shapiro, senior director of automotive at Nvidia, and Jack Pokrzywa, director of cyber security standards at the Society of Automotive Engineers.
The only fix is to change the entire approach to building cars—specifically the connected bits within them—to incorporate cybersecurity methodology in product development, and to find ways to use advanced technology such as artificial intelligence to guard against attacks, the panelists say.
Right now, carmakers take a piecemeal approach to fixing security issues. “They really need to look at how these vehicles are being architected and start from a base platform to build up and create something that is totally secure,” says Shapiro. “It requires a wholesale change in the way of thinking about it and architecting the car to really plug these gaps in the system today.”
Tesla Motors, an Nvidia customer, is one company that has taken a holistic, ground-up approach by starting with a computing platform and building the car around it, Shapiro says. This allows the all-electric automaker to make frequent upgrades to the car’s performance and functionality through over-the-air (OTA) software updates, a technology that many automakers are playing catch-up on.
“Tesla has really reinvented the whole chain themselves,” Shapiro says. “It’s not a 100% bulletproof system, but it’s far better than anything else out today.” Shapiro contends that more traditional car companies operate in silos, so people working on the center stack, for instance, aren’t talking to engineers working on other components of the car.
And that leaves vulnerabilities that will only increase as more companies deploy OTA technology, and the number of connected cars grows.
There are several kinds of OTA, including software updates for maps, telematics, infotainment, and the electronic control unit. And some are more complex than others and are being adopted at different rates. For instance, remote software upgrades for app OTA—embedded applications that are part of infotainment systems such as head units or telematics systems—have been available for several years. The software programs are relatively small in total memory and there are limited associated safety issues, making this the easiest segment to implement, according to an IHS report released in September.
Before the decade is over, IHS expects all major OEMs to introduce app OTA updates. By 2022, IHS expects app OTA update-enabled vehicles to reach 53.8 million, up from 3 million vehicles in this year.
Meanwhile, infotainment software OTA updates are more complex than software app updates because the programs can be quite large. According to IHS, just 200,000 vehicles will be equipped with infotainment software over-the-air (OTA) capabilities this year. That figure is expected to skyrocket to more than 96.4 million enabled vehicles by 2022.
Cybersecurity takes a different sort of mindset, Gryc says, noting it’s one of the biggest problems the car industry has.
“You make an assumption that all software engineers are the same,” Gryc says. “But the mindset that it takes to actually hack into the car and to pull off exploits is very, very different from the mindset of the person who has to build against that.”
Gryc says while there are many great software engineers in the automotive field right now, there are not a lot of people within automotive who understand hacking from the other side and who know how to build systems resistant to those types of technology. Encryption helps, he says, but it’s not a panacea.
One possible solution is using artificial intelligence, technology that is more often associated with the essential piece for self-driving cars. Using powerful processors, computers in cars are able to take large data sets, analyze them and make predictions. That same deep learning capability could be used to determine anomalies in the car’s system.
Nvidia sells high performance chips that enable computers to process large amounts of data as well as a computing system called Drive PX that is designed to power self-driving cars and driver-assist applications. And while Shapiro raised AI as a possible solution, he wouldn’t comment on whether Nvidia was exploring this as a product.