A modern car is a wonderful piece of engineering. Even at its most basic, these vehicles provide levels of road holding, economy, safety and comfort that make their predecessors of only a decade ago seem like tractors in comparison.

While a modern car’s performance is miles ahead of its forebears, manufacturers know that they cannot rest on their laurels. They must continue to push the boundaries of road holding, power, performance and economy in order to survive in the highly competitive car market.

The market continues to develop, but the discerning customer always wants more. Now we want connected cars that integrate with our own personal IT infrastructure, talk to our cloud-based data stores and communicate with other systems in order to enhance the driving and ownership experience.

Connected Cars Surge in Popularity

This connectivity brings its own unique challenges. Until recently, a vehicle was its own island: It was controlled both physically and electronically by the people inside it. The connected car is no longer an isolated node but part of a larger web of devices, sharing information about itself and its occupants. IHS Automotive estimated that by 2020 a single connected car will generate 350 MB of information every second!

Traditional component suppliers have to move quickly in order to continue development and become major players in the connected car supply chain. Already, nontraditional manufacturers such as Apple and Google are looking to move into this sector, and history tells us they have an ability to innovate and maintain a presence in new markets.

However, our own experience tells us that the mainstream software development culture is very different from its industrial counterpart. One is innovative, functional and changes constantly, but has a checkered past in terms of reliability and security; the other is stable and reliable, but is based on older technology that now has a questionable security record.

Security Questions Surround Connected Cars

So what does a car manufacturer do? Customers demand the latest refinements in connectivity, and new levels of reliability and monitoring are made possible through data links. But these same features leave vehicles vulnerable to attack. We cannot have a car that needs to reboot at 60 mph, or one that can be hacked by someone who takes over control of the brakes and steering while we’re driving.

The security challenge doesn’t stop there. As the car becomes embedded in our personal data network, it has access to vast amounts of our personal information — making it even more attractive to attackers. It is imperative that the vehicle has a security architecture that is robust, flexible and able to adapt over the life of the automobile.

To achieve this, manufacturers either need to invest large sums of money in an area completely outside their core skill set or work with a partner. But which partner should they choose? To me, the answer seems obvious. The enterprise sector has the ability to innovate while delivering the kind of reliability that is so important.

Enterprise systems process petabytes of data every day but at the same time are agile enough to adapt to constantly changing requirements. They achieve this by using proven design techniques and software frameworks that have levels of rigorous testing to ensure quality and consistency. These players need to bring their experience and expertise to the connected car market to deliver the levels of security, reliability and new functionality that will allow the connected car to reimagine our driving experience.

At IAA, IBM is demonstrating its Automotive for IoT solutions, which can transmit vehicle data, monitor vehicle health and analyze driver performance and maintenance needs. Visit us at Booth B48 in the New Mobility World or join in the @IBMAutomotive conversation using the hashtag #DrivingSecurity.
