Learning Library

← Back to Library

Securing the Connected Car Era

12mUnknown Channelsecuritydeep-diveintermediateWatch on YouTube ↗

Key Points

  • Modern vehicles function as complex computers, containing 70‑100 onboard systems and roughly 100 million lines of code, which makes every car a potential hacking target.
  • The explosion of connected‑car deployments—projected at 367 million vehicles by 2027 and already numbering in the billions—means each vehicle becomes an additional endpoint, dramatically expanding the overall attack surface.
  • Cars remain on the road for a decade or more, yet manufacturers rarely provide long‑term software patches, leaving legacy vehicles vulnerable much like outdated laptops.
  • This longevity creates a business‑model dilemma: automakers have little incentive to maintain security updates for models they no longer sell, despite the growing cybersecurity risk.
  • The IBM Institute for Business Value report highlights these challenges, prompting experts in AI‑driven autonomous EVs and cybersecurity to explore mitigation strategies for secure, connected mobility.

Sections

Full Transcript

# Securing the Connected Car Era **Source:** [https://www.youtube.com/watch?v=rLms76Q8bS4](https://www.youtube.com/watch?v=rLms76Q8bS4) **Duration:** 00:12:58 ## Summary - Modern vehicles function as complex computers, containing 70‑100 onboard systems and roughly 100 million lines of code, which makes every car a potential hacking target. - The explosion of connected‑car deployments—projected at 367 million vehicles by 2027 and already numbering in the billions—means each vehicle becomes an additional endpoint, dramatically expanding the overall attack surface. - Cars remain on the road for a decade or more, yet manufacturers rarely provide long‑term software patches, leaving legacy vehicles vulnerable much like outdated laptops. - This longevity creates a business‑model dilemma: automakers have little incentive to maintain security updates for models they no longer sell, despite the growing cybersecurity risk. - The IBM Institute for Business Value report highlights these challenges, prompting experts in AI‑driven autonomous EVs and cybersecurity to explore mitigation strategies for secure, connected mobility. ## Sections - [00:00:00](https://www.youtube.com/watch?v=rLms76Q8bS4&t=0s) **Security Risks in Connected Cars** - The segment highlights how modern vehicles operate as complex computer systems with millions of lines of code, making them vulnerable to hacking, and introduces the presenters' focus on addressing cybersecurity challenges as the number of connected cars is projected to reach 367 million by 2027. ## Full Transcript
0:00the modern car is essentially a computer 0:03that takes you places in fact it's 0:06likely to contain between 70 and 100 0:09onboard computers and a 100 million 0:13lines of code and that doesn't just mean 0:15High Tech Electric Vehicles that's all 0:18cars these days and what we know from 0:20cyber security is that every computer 0:22can potentially be hacked which means 0:25potentially every car can be hacked rest 0:27well with that idea right and that's why 0:30a recent IBM Institute for business 0:32value report drew our attention we both 0:36Drive AI powered self-driving electric 0:39cars in fact we both got to the studio 0:41today in them so we have a very personal 0:44vested interest in this technology and 0:46making sure it succeeds no doubt you've 0:48seen Martin's great videos on the IBM 0:50technology channel on AI and hopefully 0:53you've also seen some of Jeff's videos 0:56on cyber security so this whole subject 0:59of security connected Cars Is Right In 1:01The Sweet Spot for both of us 1:03professionally as well in this video 1:06we're going to take a look at the 1:07challenges in this emerging space and 1:10see what we can do to mitigate the risks 1:13so let's talk about some challenges and 1:15the first challenge I think is that 1:17connected cars run on a lot of data lots 1:21and lots of data connected cars have 1:23always on network connections and used 1:25for all sorts of purposes like shared 1:27Mobility assisted driving and autonomous 1:29Fe features now according to Juniper 1:32research the number of connected cars is 1:36quite large it's projected to be 1:37something like 1:39367 million Vehicles by 1:432027 now that sounds a lot but we're not 1:45just talking about self-driving Vehicles 1:48here many of today's vehicles are 1:50considered connected Vehicles so today 1:52there's something like 20000 million 1:55connected Vehicles so I wonder with all 1:57of this data it doesn't represent any 2:00kind of security concerns is it Jeff Oh 2:03contr Martin uh every one of these 2:06things is an endpoint and every single 2:08one of them increases the attack surface 2:11making it easier for a bad guy to do 2:14whatever it is he wants to do because 2:15now he's got a million different targets 2:18hundreds of millions of different 2:19targets that he can aim at and 2:21potentially attack and create all kinds 2:23of Havoc so that becomes an additional 2:26threat that we have to consider another 2:28thing also if you've got a 10-year-old 2:30laptop probably it's getting toward the 2:32end of its life and you're going to Chu 2:34that thing and and get another one um 2:36and certainly you wouldn't want to use 2:38one that hasn't had software updates in 2:4010 years it's going to be slow it's 2:42going to have all sorts of security bugs 2:44in it and things like that well guess 2:46what happens with vehicles most people 2:48hang on to them uh either for 10 years 2:51or more or they get rid of them and 2:53somebody else inherits that car but the 2:56point is it's out on the road for 2:58decades and we're not used to supporting 3:01software and vulnerabilities for that 3:03long a period of time what's the 3:05business model what's the incentive for 3:07the car maker to keep supporting 3:09software updates in vehicles that 3:11they're not making any more money from 3:13that means we have lots of security 3:15holes sitting out there riding on the 3:17highways you know 10 years is am to hour 3:20my wife has had a car for 14 years ah 3:22you're making my point exactly right now 3:25let's talk about another concern I think 3:26many of us have and that's about another 3:28increase in something the increas in 3:30complexity so a connected vehicle is 3:32loaded with all sorts of onboard 3:35capabilities now there's some obvious 3:36ones like CPUs of course for processing 3:40but there's probably gpus as well that 3:43are powering the infotainment system 3:46there are 3:47tcus those are telematics control units 3:51for managing the telecoms and the data 3:53services in the vehicle like GPS 3:55navigation and one we're both very 3:57familiar with Jeff I think is otaa over 4:00the air I'm waiting for one right now 4:02love the otaa updates yeah we can't wait 4:05for those so there's also LS of things 4:08that happen outside of the vehicle as 4:10well out Car Technology as well so for 4:13example there is cloud technology for 4:16workloads that don't run on the vehicle 4:18now that's also known as Cloud VTO 4:21meaning virtual Security operation 4:23Center and that has various applications 4:25and data platforms that monitor manage 4:27and respond to cyber security threats 4:29and in ents so yes it's uh it's a lot of 4:33complex stuff it is complex and what I 4:36know for sure is that complexity is the 4:39enemy of security because the more 4:41complex a system is the harder it is to 4:43assure that it's going to do exactly 4:45what we intend for it to do so all of 4:48this great stuff that gives us these new 4:50features also represents a complexity 4:53which then represents a threat to 4:55security as we see security decrease as 4:58a result of these things if we're not 5:00really careful now what a lot of 5:02organizations do with software in 5:05general and this applies to cars as well 5:07is they tend to look at security as an 5:09afterthought it's a bolt-on as opposed 5:12to something that's baked in from the 5:13start if you bake it in from the start 5:16and use the right design principles 5:18you've done security by design a secure 5:21by Design car would be one that fails 5:23safe instead of fails open it's one that 5:26has uh the defense and depth capability 5:29so we're not relying on a single 5:31security mechanism but we have multiples 5:33it's one where we're imple implementing 5:36the principle of lease privilege so that 5:38systems can't do more than they were 5:40supposed to be able to do they can only 5:41do exactly what they were designed to do 5:43and no more so we need to be able to 5:45implement these kind of of processes and 5:48architectures in the vehicles themselves 5:52and I have a down arrow challenge as 5:54well I'm just going to call this lack of 5:57because traditionally incar security is 5:59man managed by an oem's product 6:01development organization and the outcast 6:03security stuff is the shared 6:04responsibility between probably research 6:06and development and the IT department 6:09and that leads to a lack of stuff so 6:12there is a lack of shared resources 6:15between these teams there's probably 6:17also a lack of common tools and there's 6:21probably a lack of common skills between 6:23these organizations as well now in fact 6:26the ibv study reported that well over 6:2850% of Auto motive execs reported lack 6:31of all of these things yeah no doubt and 6:34that really sums up the conclusion that 6:38threats will increase as we add all of 6:41these things the threats on the road 6:42will continue to increase now some 6:45people will ask the question is this a 6:47real threat or is this something you 6:49guys are just hyping this is 6:50hypothetical well no it's real in fact 6:53it's been around for a while even though 6:55you might not have been aware of it back 6:57in 2015 a couple of white hat hackers 7:00guys who hack but they expose the 7:03information that they find to the car 7:05makers so they're not damaging anybody 7:08they're actually looking for security 7:09vulnerabilities in order to make the 7:11system better they actually did a proof 7:13of concept where they were able to take 7:14over one of the very popular vehicles on 7:16the road that day in those days and they 7:19were able to control the brakes they 7:21were able to control the infotainment 7:23system the steering the engine speed a 7:26lot of different things like that that 7:28could be disastrous in the hands of an 7:30attacker and they were able to do it and 7:33it caused as a result a recall of 1.4 7:37million vehicles uh that had to be 7:40changed their software updated and so 7:42forth and back then we didn't have 7:43overthe a updates so these vehicles had 7:46to be brought into the shop in order to 7:48be uh to be updated uh so these are are 7:52real threats that we see already imagine 7:55when we start introducing all of these 7:57kind of capabilities how much more that 7:59is in fact going to increase yeah so 8:02that's a a real threat to security but 8:05another one of my concerns is privacy 8:07what about privacy yeah that's a really 8:09good one also and as a driver a consumer 8:12of this technology you should care about 8:14it as well privacy well your car is 8:17collecting lots of information about you 8:19it's a computer that takes you places 8:21you know your computer is collecting 8:23lots of information about you and a lot 8:25of that information is used to improve 8:27service for you to give you a more 8:29customer IED experience but how is that 8:32information used and where is it sent we 8:34know it's being sent off into a cloud 8:36someplace else what are they doing with 8:38that information do we know can they 8:40change their terms of service so this is 8:42a threat to Consumer privacy and most 8:46people are not aware of it they go ahead 8:48and consent when they get the car so 8:49that they can drive it when those terms 8:51of service come up nobody brings their 8:53lawyer along to read through the whole 8:55thing before they take delivery of the 8:56vehicle you just go ahead and accept it 8:59and by the the way that stuff changes so 9:01we've got threats both real and 9:03theoretical in the security space as 9:05well in the Privacy 9:07space all right Jeff we've covered the 9:10challenges but what can we do about them 9:13so let's talk about some recommendations 9:15yeah in fact Martin let's take a look 9:17where you cover the automakers and what 9:20they can be doing to improve security 9:22and I'll talk about what the drivers and 9:24consumers can do to protect themselves 9:26okay so on the automator front there's 9:28there's a couple things that we can do 9:30so manufacturers need to embed security 9:32and privacy in the entire product life 9:34cycle and they can start with building 9:35core platforms and services and one sort 9:38of platform and service is a hyperscaler 9:42now what is that it's a large scale 9:45cloud service provider capable of 9:46delivering compute storage and 9:48networking resources on a massive scale 9:51and that extensive amount of compute can 9:53take advantage of Data Insights to 9:55design a robust and secure 9:56infrastructure and Jeff I'm sure you 9:58knew we couldn't get ped through an 10:00entire video without me talking about 10:02gen apparently that's a thing it is a 10:05thing yes so generative AI is a 10:07consideration here but how well it could 10:10be used to automate the monitoring of 10:12compliance with security standards 10:14across the supply chain could be used to 10:16generate contracts and reports and 10:18create models that predict future risk 10:20based on historical data as well the key 10:22here is though to use common tools and 10:25standards to encourage security and 10:27compliance and transparency 10:29across the entire ecosystem oh and one 10:33other thing for manufacturers to 10:34consider from the start and it's 10:36something you've already mentioned Jeff 10:38that is 10:39SBD secure by Design yeah if you don't 10:42build the security in from the start 10:45then trying to add it on later is more 10:46expensive and actually more dangerous so 10:49in fact if you don't get this stuff 10:51right as an automaker it could represent 10:54an existential threat to the company 10:56because of damage to your brand 10:58reputation damage so get that stuff 11:01right for sure now on the consumer side 11:04what can you do well I think it starts 11:06off with education so learn as much as 11:09you can about this technology about what 11:11your car is intended to do what it's not 11:13intended to do how you can use the 11:15capabilities best uh in a safe way and 11:19don't do things that that avoid the way 11:21the car was designed to operate another 11:24thing that you can do like with all 11:26systems that are computers and again 11:28these are computers that take you places 11:30there's software on there you need to 11:32make sure that the software is updated 11:34now if you get over the a updates and 11:36you maybe don't want to apply it the 11:38very same day that it comes that's 11:40understandable but don't go weeks or 11:42months for sure don't go months not 11:44applying these updates and if you have 11:47to take the car into the shop because 11:49there's uh there's no way to do an 11:50overthe aair update well then that's 11:52what needs to be done because if you 11:54don't do this then there are latent 11:56security bugs in your car and you're 11:58driving around now what could be a 12:01ticking Time Bomb you want to make sure 12:03that's not happening in your case and 12:05then the one thing you definitely do not 12:06want to do Jailbreak the car 12:09jailbreaking means you modify the 12:11software in a way that the automaker 12:14didn't intend and when you do that you 12:16violate the security model and we have 12:18no idea what's going to happen at that 12:20at that point we all are impatient 12:23especially me I want those updates 12:25quickly but don't do this to try to get 12:27them because that will put you at far 12:30greater risk look Jeff and I we are both 12:33real fans of connected vehicle 12:35technology and what AI can bring to the 12:37Driving Experience exactly we just need 12:40to make sure that the security 12:41challenges are mitigated so that we can 12:43sit back and enjoy the 12:46ride if you like this video and want to 12:48see more like it please like And 12:50subscribe if you have any questions or 12:52want to share your thoughts about this 12:54topic please leave a comment below