Why more regulation of connected car technology is probably just up the road

Several months ago, I bought my first new car in years. I had planned to buy a used one, but decided a shiny new vehicle would be a pandemic treat. I’ve been amazed by the connected car technology, all the embedded software-driven programs that essentially have turned the car into APIs on wheels.

I thought about this more in late January when a 19-year-old in Germany made international news with a creepy revelation: He was able to remotely access more than 25 Tesla vehicles and, if he wanted, could have controlled some of their functions, including unlocking the doors, opening the windows and even starting keyless driving.

The story had a happy ending. The teenager, David Colombo, is a white-hat hacker who uses his skills to identify security flaws. That’s how he discovered the holes in a third-party data logging app available to Tesla owners, TeslaMate, that allowed him to push commands to the cars. Colombo notified TeslaMate and Tesla, and a fix was quickly issued.

The proliferation of connected cars

But the incident has served as an unsettling reminder that security vulnerabilities are a clear and present risk to all the connected cars that are reshaping the auto industry, and the very nature of driving, and that better safeguards must become a higher priority.

The technology disruption sweeping the automotive sector is accelerating rapidly. In August, President Biden signed an executive order aimed at making half of all new vehicles sold in 2030 zero emissions, including battery electric, plug-in hybrid electric or fuel-cell electric vehicles. The administration followed that up in February with a plan to allocate $5 billion to states to fund electric vehicle chargers along interstate highways.

The New York Times, in a story headlined “Why This Year Could Be a Tipping Point for Electric Cars,” reported in February that “battery-powered cars are having a breakthrough moment.” The newspaper said a dramatic jump in the number of electric cars sold worldwide, from 2.5% of all new cars in 2019 to 9% last year, signals that 2022 could be “the year when the march of battery-powered cars became unstoppable, erasing any doubt that the internal combustion engine is lurching toward obsolescence.”

The proliferation of software in cars

Even before electric vehicles started gaining momentum, the amount of software code in today’s cars had reached about 100 million lines, and many experts expect that number to hit 300 million by 2030. To put that into context, a passenger plane has roughly 15 million lines of code, and a modern fighter jet has about 25 million.

Many modern vehicles now have more than 100 electronic control units embedded throughout to control everything from seat belts to the infotainment system. Advances in cloud computing and 5G wireless technology will allow vehicles to keep getting smarter and connect more with the world around them, such as networks and services in homes, businesses, infrastructure and other vehicles. If software is eating the world, as entrepreneur Marc Andreessen famously observed in 2011, it is absolutely devouring the automobile.

These innovations are wildly exciting and should bring a range of societal benefits, including cleaner air, less fuel consumption, safer roads and greater economic productivity. However, all this additional connectivity carries security and privacy challenges that have yet to be adequately addressed.

Cars as “information clearinghouses”

“The influx of digital innovations, from infotainment connectivity to over-the-air software updates, is turning cars into information clearinghouses,” a McKinsey report said. “While delivering significant customer value, these changes also expose vehicles to the seamier side of the digital revolution. Hackers and other black-hat intruders are attempting to gain access to critical in-vehicle electronic units and data, potentially compromising critical safety functions and customer privacy.”

The current dearth of security and privacy regulations and standards is a Wild West that won’t cut it for the long haul. That’s why I think lawmakers at the federal and state levels will soon become more aggressive in considering legislation to harden these systems against intrusions.

Deja vu all over again

We’ve seen this movie before with rising new technologies. In the early days of the internet of things, the tech industry was slow to focus on security and too often shipped devices with weak password protection and other vulnerabilities.

The auto industry can’t make the same mistake. The stakes are extremely high: Carmakers have not only a business rationale but a legal and ethical one to make sure the new breed of vehicles is safe and deserving of consumers’ confidence.

The discovery of the Tesla vulnerability came six and a half years after security researchers on a laptop 10 miles away caused an SUV to lose power, change its radio station, and switch on the windshield wipers by using the vehicle’s entertainment system that connected to a mobile data network.

Why this sort of thing is still happening is a serious question that needs to be answered.

The need for security regulations not just for autonomous cars, but for all connected cars

In April 2018, California implemented regulations mandating that autonomous vehicles meet appropriate industry standards for cybersecurity. That’s great, but such thinking needs to be broadened to the much larger universe of connected cars.

The United States demands technology transparency in other industries, such as the federal Centers for Medicare and Medicaid Services’ regulations governing data transfers using application programming interfaces (APIs). It seems inevitable that more rigorous oversight is coming to automotive technology as well – and not just where security is concerned, but in the area of data privacy. Automakers and their third-party partners will be collecting enormous volumes of data in an automotive API ecosystem that will grow exponentially.

The industry would be wise to buckle up for the coming action.

Kin Lane is chief evangelist at Postman, an API-first development platform whose user base recently surpassed 20 million software developers.

Originally appeared on: TheSpuzz