Who is Responsible for Securing the Connected Car?
The cars of today differ drastically from those automobiles of yesteryear. With their computerized capabilities and virtual connectivity, today's vehicles, which are called connected cars, feature unheard-of technology and innovative designs that make them fun and easy to drive.
In fact, the connected cars of today can be viewed more as computers on wheels than vehicles that simply get you from Point A to Point B. Cars coming off the production lines right now possess 300 million lines of code, four times the amount of the code base found in a Boeing 747 jet and equivalent to the computing power of 20 personal computers.
But while today's connected cars undoubtedly have their benefits, their technology also raises two worrisome alarms that could put drivers and their private data at risk. Cyber thieves can hack into the cars' systems and not only steal car owners' credit card, banking, and other sensitive information; they can also take over the cars' operations and render them dangerously unstable or undriveable. 
In fact, the automotive industry recently witnessed several cases of cyber-hacking that made driving connected cars dangerous if not impossible. Companies like Jeep, Volkswagen, and Tesla all have recently dealt with cases of hackers taking over cars and stopping them while the cars were in use as well as stealing customers' Social Security numbers, financial details, and other sensitive information.
These cases of connected car cyber-hacking thus raise the question of whose responsibility it is to secure today's connected cars.
The Role of Manufacturers in Connected Car Security
To answer this question, the International Data Corporation recently conducted a study to get consumers' viewpoint on who bears the responsibility of securing today's connected cars. Perhaps unsurprisingly, a large majority of connected car owners argued that the obligation for this security lies directly in the hands of connected car manufacturers.
Their argument appears to be substantiated by the 2016 Connected Car Report. This report agrees that security for connected cars today belongs solely to the original equipment manufacturers, or OEMs. It expands on this debate by saying that, apart from the involved technical issues, securing today's connected cars demands that OEMs create the best project environment in which security software can be developed, tested, and maintained.
Moreover, it can be argued that one of the main problems that connected carmakers face today centers on the fact that they do not so much build connected cars as they assemble them from parts that come from other companies. Not all of these companies may view it as their responsibility to address cyber threats that could arise several steps down the connected car supply chain.
For that matter, connected cars are created through a cooperative effort of OEMs and a wide range of third-party operatives, namely Tier One car parts suppliers as well as tech and software businesses. No one company or supplier can be pinpointed as the sole bearer of responsibility when it comes to securing these automobiles.
The organizational process of assembling connected cars lacks the complex security needed to make these vehicles safe and off-limits from hacking from the start. As such, it can be argued that car manufacturers need to embed security somewhere in the car development process. Moreover, many of the issues that OEMs face today do not stem from their effort to create the most secure software. Rather, the security problems arise from the very way that all of the involved companies design and assemble any new car, much less one that features the connectivity and technology of today's connected vehicles.
Even so, OEMs also need to build and boost their cyber security capabilities. Many of the carmakers in today's automotive market lack the necessary development capabilities. They are not software developers whose talents lie in the rapid creation, design, and implementation of the complex computer codes needed to get these cars off the production line and onto the streets and in the hands of today's drivers. 
In fact, just updating the software itself as well as the related back-end systems is a very cumbersome and complex process that slows down a connected car's response to threats. Further, the task of coordinating the internally developed security software with the security efforts undertaken by third-party suppliers of the car's systems and services only adds immensely to the development challenge found in manufacturing connected cars.
Once proper testing of these systems and services is completed and security software is implemented in the vehicles themselves, software teams will continuously need to keep the software updated as new cyber-threats emerge and make their way into the systems of the connected cars. This duty promises to be a difficult challenge given the technical complexity of that very software as well as the need to coordinate updating processes utilized by third-party suppliers and the long product life cycles of the cars. The OEMs bear the responsibility for consistent procedures and strict enforcement of the distribution process.
Customers' Role in Connected Car Security
While the 2016 Connected Car report and the study conducted by International Data Corporation both support the argument of car makers bearing responsibility for connected car security, it also can be suggested that car owners themselves must do their part to keep their vehicles safe from cyber threats. Drivers marvel at the fact that they can download apps to their cars' systems and use those applications to make driving safer and more fun.
However, they should be careful about what kind of apps they purchase and download, and in what manner. Ideally, any applications that they want to buy and use in their cars' systems should be purchased and downloaded from reputable sources like the iStore and Google Play. Any third-party app that they are interested in should first go through a pre-processor to verify that it is safe and not a threat to the car's cyber security.
Additionally, just like they should update their computers and mobile devices, connected car owners should update any connected components in a timely manner. This prompt updating will help keep the software and systems operational, and lower the risk of them being hacked.
The success of the connected car lies in strong cyber security. The reliability and strength of these vehicles' cyber security keep the cars and their growing number of services safe from hackers.
It also instills a high level of trust that is vital for customer retention and loyalty. People who feel confident that they and their families will be safe while driving the cars, and also that their private banking and financial information will be kept secure, are more likely to buy another connected car in the future.
However, given how complex the effort is when it comes to securing these cars as well as the large number of entities involved in keeping the vehicles connected, keeping the connected cars of today secure must be a collaborative effort. By all accounts, the OEMs are in the best position to spearhead this effort. However, they must be willing to accept full responsibility for this enormous task and also be willing to be held accountable if or when things go wrong.
The OEMs bear the final responsibility in keeping these cars safe and secure from cyber hackers. However, this fact does not excuse the responsibility that other involved parties, namely the suppliers and car owners themselves, should bear in keeping hackers and identity thieves at bay. Ultimately, the OEMs must make sure that everyone who plays a role in making, owning, or driving connected cars does their part.
SeaCat - application security for connected cars
TeskaLabs’ SeaCat is the core technology behind SeaCat Mobile Secure Gateway and IoT/M2M Application Security Platform, which protects mobile and IoT/M2M applications, the communication channel, and application backends. SeaCat has successfully fenced off other critical open source bugs like Heartbleed, Glibc, and DROWN, which security experts have warned about because of their impact on the world's IT infrastructure.
About Author: Born and raised in Detroit, David had no choice but to become a car enthusiast. As a young freelance writer, he is on a mission to turn his passion for cars into a career. You can follow him via Twitter @davidcmoss.