How so? Because actual cars transmitting data like their location, speed, steering angle, and state of braking to one another at least ten times per second provides a greater degree of awareness than sensor readings and algorithms. The US Department of Transportation and the National Highway Traffic Safety Administration have been working for years on standards and a regulatory schedule for introducing V2V to the marketplace, and Cadillac plans to incorporate V2V into at least one of its vehicles by 2017.
Since we've begun the year with a number of stories of cars being hacked into, that got us wondering about the security of V2V communications. In a recent piece by our own Pete Bigelow on what motorists should know about getting their cars hacked into, he wrote that although cyber break-ins are extremely difficult, expensive, and time-consuming to do remotely, V2V is "one more conceivable avenue a hacker could use to impact multiple cars at a given time."
So we spoke to Wilmington, Massachusetts-based Security Innovation about it. The automotive consultancy company has been working with the DOT since 2003 on V2V technology and the issues around it - namely security and privacy - and its chief scientist, William Whyte, is the technical editor of the Institute of Electrical and Electronics Engineers (IEEE) 1609.2 standard outlining its security protocols. Those protocols are expected to be finalized by the DOT toward the end of this year and then come into effect in 2016, and the company's Aerolink product is the security solution Cadillac will use.
Whyte said, "If you hack into a car, V2V is the hardest place to start," and Pete Samson, the general manager of Security Innovation's automotive team, said "There are ten or 12 alternate attack surfaces" around the car that would make much easier targets. V2V engineers have been developing, testing, and refining security solutions for more than a decade and have more time yet to refine them to the eventual federally mandated standards; hacking stories almost always involve points of entry like the OBD-II port, telematics, and convenience features, where security wasn't considered as thoroughly as rolling out the customer benefits, and there were no standards.
It's not that V2V can't or won't ever be hacked, but Samson said that while there is the issue of protecting new cars, "The bigger challenge is how to protect cars already on the street, the vast majority of which have older technology, and that's where a lot of the threats are going to be." Offering an example, he said "There are 100 million lines of code in a Mercedes S-Class, and on average there's one error every 1,000 lines." As hacking gets more widespread and more focused, how do you patch those vulnerabilities without making every S-Class owner haul the car into the dealer, when over-the-air updates pose their own problems? Whyte said he could envision a scenario in which certain features on a car were simply turned off or disabled until their vulnerabilities could be addressed.
To hear them tell it, V2V won't be one of them. The company has set up Automotive Centers of Excellence in Boston and Seattle to help automakers understand where "threat and attack profiles in their automobiles" reside; the Boston center will remain focused on V2V-related technology, while the Seattle center will test and validate other software interfaces like telematics and drive-by-wire systems. And somewhere in all of that, "privacy will be a big part of the debate."
The future is coming. Hopefully, by the time it gets here, it will have addressed the fact that, as Whyte said, "Cars weren't designed to be online."