The automotive industry has a lot to learn about software patching throughout the supply chain before connected cars reach critical mass, security experts have warned.

Car manufacturers will struggle to “switch from hardware to software”, Bart Jacobs, professor of Computer Security at Radboud University Nijmegen in the Netherlands, said.

His concerns coincide with the news that BMW’s ConnectedDrive interface went offline across the UK following a European data migration during a system upgrade.

The incident presented an inconvenience, rather than a danger, to BMW customers.

But as software becomes a more integral part of all cars, the incident is an acute reminder of the robustness needed from IT to keep connected cars operating systems online, safe, and secure.

Last year, Jacobs and his research team in Radboud were blocked from publishing a car security vulnerability. Volkswagen obtained the injunction from the UK court after it said the information could be used by criminals.

“Instead of working on security problems, companies are killing the messenger. The IT industry is known to take vulnerabilities very seriously and listen to warnings and fix things as quickly as possible. That’s the attitude needed for software-based products” Jacob said.

Car makers are sitting on a legacy of mechanical craftsmanship. Development lifecycles can take around 27 months - a stark contrast to software. The industry will have to break with tradition to bring these incongruous lifecycles together, and Lars Reger, auto business lead at semi-conductor producer NXP, is not certain it is ready.

“You need to have upgradeability and patching concepts in place. The idea of ‘I sell a car and it lives untouched for the next 10 years – it cannot work this way anymore,” said Reger.

“NXP patching will have to go through the entire supply chain.”

Major car manufacturers like BMW, General Motors and Volkswagen either have a connected car on the market or are in the late stages of developing one.

But some, like Ford, are researching the BYOD market, so consumers can connect their own devices. Rather than offering an entire connected product, cars will have embedded modems to recognise devices. The car will use the device’s operating system so that relevant car and traffic apps can be used through an interface on the dashboard.

BYOD - a liability?

“Car enthusiasts have been playing with things like engine control units (ECUs) for a while now, but as vehicles become more connected, they’ve become a more attractive target from a security perspective,” said Tim Brown, head of research at Portcullis Computer Security.

“It is worth considering that most of the new in-car entertainment systems are likely to be based on off-the-shelf software stacks, like Android, that don’t perhaps have the best track record either against physical or internet delivered attack.”

As machine-to-machine services increase, so will hackers' interest in hardware, he said.

“Modern vehicles share many of the properties of industrial systems. Specifically, they have moving parts that can be repurposed and a control system that is increasingly digital in nature. Clearly, it is desirable to fire gap [a term used to ‘physically separate two networks’ so you cannot access the car alarm system through the entertainment system] the most sensitive of these components from any entertainment systems that are present, but whilst security researchers realise this, it remains to be seen if the news has filtered down to the manufacturers," Brown said. 

"Historically, they [hackers] may have relied upon their adversaries’ lack of knowledge combined with a minimal attack surface, but as we’ve seen with the Internet of Things more generally, this is no longer the case and researchers are now pivoting into attacking hardware.”