Car brands have a problem with software: cybersecurity, patches and systems support for over 15 years

Isabella Smith



The road is even and traffic is flowing smoothly. You have cruise control engaged and are driving relaxed at the speed limit. Suddenly, three hundred meters from the next corner, the car begins to accelerate on its own. Confused, you take two seconds to react and brake to regain manual control, enough time for you to enter the curve too quickly, lose control and have a fatal accident.

This hypothetical and extreme situation could occur if a cybercriminal gained access to the hardware of a connected vehicle and, knowing the car's location from GPS, modified the speed set on the cruise control just before a curve, leaving the driver without time to react, says Rafael García, CTO of the computer security company Hack By Security.

The arrival of connected devices in the automotive world brings with it a new challenge in car safety: where there is an internet connection, there is a risk of cyberattack. For now, this is well handled by the operating systems that the main brands include in their cars, as explained by the manufacturers consulted by Xataka. But the real problem appears as time passes, since the useful life of each version of a main software system is usually 12 or 13 years, while that of cars can extend, under normal circumstances, beyond 15.

“A car company could sell a dozen different vehicles with different operating systems each year. Even assuming that the software is updated only every two years and that the company supports vehicles for only two decades, it would need to maintain the ability to update 20 to 30 different versions of software,” explains computer security guru Bruce Schneier in his book Click Here To Kill Everybody: Security and Survival in a Hyper-connected World.

“It is not economically sustainable to keep these updates for so long,” says García, who points out that another possible solution, updating the different versions of the operating systems every 4 or 5 years, may be feasible for some parts of the software, but not for the most critical ones.

And when an operating system stops receiving updates, vulnerabilities appear over time that expose it and pave the way for cybercriminals. This was the case with the WannaCry ransomware attack that shook the world in 2017: although it affected other main software as well, many of the infected computers still used Windows XP, which had not been updated for three years and was therefore more vulnerable than more recent systems that had been properly patched.

Car brands prepare

Vehicle manufacturers are aware of these cybersecurity challenges and, as they have explained to Xataka, they are preparing to face them. “One of the most important differences between digital products and cars is the shelf life of each product. Our operating system will be designed to be part of the long-term cycles of vehicles. For example, they will have a solid and sustainable core whose functionalities will be updated over the years,” says the Volkswagen Group.

The German manufacturer announced in 2019 the creation of a new software unit with the aim of developing its own operating system, vw.os, and a cloud, Volkswagen Automotive Cloud. The ultimate goal of this initiative is to unify its vehicle software and control it in-house, as it currently has up to 200 different external providers of digital tools.

“The software will thus have a one-time development cost and lower maintenance costs, therefore, it will be more efficient as it is used more times. That is our strategy, with which we will have more than 10 million cars connected annually starting in 2025,” Volkswagen continues.

The company specifies that all its connected models “will have their updates when necessary while the model line continues in the market”, although it does not clarify what will happen when it stops selling them.

Hyundai, for its part, has informed Xataka that its commitment is to keep providing updates while the model is on the market and to provide an additional ten from the moment production of the vehicle ceases.

“Our teams are covered by the MapCare program, which provides at least one annual software and map update, and at least ten additional updates since the team is no longer in production. And it is planned that we will soon provide two updates a year,” explains Juan Pedro García, Technical Manager of the South Korean manufacturer in Spain.

Renault and Peugeot have also been consulted in this regard, but this outlet has not received a response from either of the French manufacturers.

However, none of the brands has indicated what could happen to cars that outlive the last planned update. For matters such as this, and for other general cybersecurity questions in the vehicle, Rafael García believes that we will most likely soon see the development of a regulation that unifies basic criteria, such as maintaining updates for connected cars for more than 15 years.

Foreseeable regulations on connected vehicles

The CTO of Hack By Security points out that it is foreseeable that the European Union will start working on community legislation to establish minimum computer security standards for all vehicles sold in the Member States.

“I suppose they will come up with basic standards that all brands will have to meet, and that will be applicable in 5 to 10 years so manufacturers can plan for it. And if they don’t adapt they won’t be able to sell cars. But everything will be gradual, as with diesel, because the automotive sector is very slow and making a legislative change at once can slam it,” he explains.

The manufacturers consulted by Xataka also talk in terms of the long term. They are aware of the challenges posed by a connected vehicle fleet, but they trust that the slow pace of the sector will allow them to resolve possible vulnerabilities in their systems reliably.

García also points out that, although these changes are going to be progressive, there may be brands that cannot cope with these regulations and will have to leave markets where their cars do not comply with the law until they can be adapted, or else focus on developing a few models and narrowing down their vehicle range.

“Cars are slowly becoming computers with wheels. They have many gadgets and they will be able to connect with other vehicles to know the position and speed at which they are going and make the circulation safer. And those who cannot adapt to that will have problems, because the moment you put a car that is not connected in a connected ecosystem, you generate insecurity, because that vehicle is not predictable for others,” he points out.

How are updates carried out?

Today there are already many cars on the market that use an operating system for some functions of the vehicle, but the number of connected cars is smaller still. For this reason, software updates are carried out during the vehicle's periodic servicing.

However, many brands are already working on over-the-air systems, whereby vehicles will receive remote updates via a SIM card. “The silver lining to this is that car operating systems will update automatically and immediately, but it can also lead to major security issues if not done correctly,” explains the CTO of Hack By Security.