November 28, 2016 — Is a potential battle looming between automakers and tech firms with the government over security issues with over-the-air updates made possible by connected car technology? Billions of dollars are at stake for automakers, technology firms and even dealers, but comments from various government officials over the last several months indicate OTAs may be be strictly regulated.

Where We Are Headed

While hype about autonomous vehicle technology dominates headlines, the connected car era seems to be a foregone conclusion. It’s anybody’s guess as to whether self-driving vehicles will be a part of the automotive landscape in 10 years or 20 years, but we do know that within five years, just about every vehicle produced will be be connected to the Internet. 

According to Industry estimates, by 2022 there will be between 200 million and 300 million connected vehicles globally generating more than $180 billion in revenue. By the end of this year, global revenue from connected vehicle applications will total approximately $14 billion according to a report last month from Research and Markets.

Most of the innovation and competition in the auto industry in the next few years is going to occur on the connected vehicle front. Applications include: navigation; infotainment; safety; traffic management; usage-based insurance; fleet management; remote diagnostics; crash notification and autonomous driving.

Tech giants along with automakers are marshalling their resources both in poaching talent and acquiring other companies to position themselves for the expected windfall.

In the last month, three large tech giants announced moves they believe will set them up for the next decade:

• Last week, Samsung announced it is acquiring Harman International Industries for $8 billion. Nearly 70% of Harman’s annual $7 billion in revenue is in the automotive sector while much of its product line will position Samsung to be a the leader in connected vehicle technology.
• Intel announced last week at the Los Angeles Auto Show it is investing more than $250 million into self driving vehicle technology, including connected car technology. The $250 million is in addition to the $100 million investment when the company created the Intel Capital Connected Car Fund in February 2012. Intel currently is involved in more than 30 car connected car progams including its partenership with BMW and MobilEye to develop a self driving vehicle.
• Qualcomm announced in October that it is acquiring NXP Semiconductors for $47 billion, a move that will increase its computing power, and will make it one of the leaders in both the connected car and self-driving arenas.

The investment is already beginning to pay off for companies. On November 10, Nvidia announced in its earnings call that its automotive-related revenues jumped 61% over last year to $127 million in the the third quarter mainly due to demand from automakers for its connected DRIVE PX2 platform. But Nvidia did lose its vice president of software Sasha Ostojic in October when he left to become senior vice president, engineering for General Motors and work on its autonomous vehicle platform.

Over-the-Air Updates

The conventional wisdom is that as more vehicles become connected to the Internet, automakers and in-vehicle app providers will be able to send updates wirelessly — in industry parlance, OTA (over the air) — to those vehicles. Wireless updates to navigation systems, infotainment systems, along with maintenance and service repairs are already happening on a small scale and are set to explode in the next few years.

The potential for OTAs is huge. Automakers will be able to save billions in factory recall costs sending software updates and fixes OTA. Earlier this year, ABI Research estimated automakers could have saved $6 billion — one third of what they spent fixing recalls in 2015 — by using OTA updates. That number will only increase as more vehicles become connected to the Internet.

(The windfall might not extend to car dealers, though. Several weeks ago, TBR wrote about how over-the-air vehicle updates –OTAs — made possible by the coming connected car era could hurt dealership service revenue (Read: Forget Autonomous – It’s the Connected Car that Should Scare Dealers).

Automakers are already beginning to use OTAs, but usage has been on a fairly small scale to this point. Recent examples include:

• In late 2013, Tesla was able to raise the ground clearance of the entire fleet of Model S vehicles with an OTA following a fire caused by a battery pack hitting an object on the ground. Since then, Tesla has updated its vehicles’ operating systems multiple times.
• General Motors, through its OnStar service, offers new entertainment apps OTA to some of its vehicles already.
• Ford Motor Co. is delivering OTA Android Auto and Apple CarPlay updates to its Sync infotainment system in 2016 vehicles. Ford’s software updates have progressed  from USB sticks to Wi-Fi and will be done via satellite in the near future.
• BMW. in January 2015, quietly sent a software patch OTA after it discovered a backdoor in its Connected Drive service. Hackers would have been able to open doors to BMW and MINI vehicles using a smartphone.
• Geely just announced that its two brands, Volvo Cars and Lynk & Co. will be able to update software OTA in late 2017 through its new Compact Modular Architecture.

Overall Security Concerns

Although privacy is an issue, being able to make sure vehicles are safe in a connected era is the big concern. The potential goes beyond a hacker simply getting control of a vehicle’s infotainment center. Researchers have shown it’s possible to remotely hack a vehicle’s entertainment system to gain control over steering, braking and engine functions in the vehicle. (Read: The Infamous Jeep Hack and What it Means for Dealers).

“The connected car is the key to progress in safety, entertainment, and environmental performance,” says David M. Uze, President and CEO of Trillium. “But until cybersecurity can be guaranteed with certainty, progress will stop in its tracks.” (Trillium, founded in 2014, developed its SecureCAR software focusing on vehicle cybersecurity.)

Noted car hacking expert Chris Valasek, who last year was Director of Vehicle Security Research for IOActive, and colleague Charlie Miller (both now work at Uber’s Advanced Technology Center) were able to remotely hack into a Jeep using Sprint’s cellular network to upload code into the vehicle’s UConnect onboard entertainment system. Fiat Chrysler immediately announced a recall affecting 1.4 million vehicles. FCA sent affected customers a USB stick with a software patch that could be uploaded through a port on the vehicle dashboard.

A year later in August, Both Valasek and Miller hacked another Jeep vehicle using a laptop hooked into the vehicle’s CAN network via a port under the dashboard. Although they couldn’t hack the vehicle remotely as they did last year, Valasek and Miller were able to force the Jeep into more dangerous moves than last year, such as accelerating quickly, slamming on the brakes and turning the steering wheel at any speed.

According to panelists at the Connected & Charged conference held last summer at the SAP campus in Silicon Valley, one of the challenges is that automakers have struggled to find a way to wall off less critical areas of the vehicle — such as the infotainment center — from the areas that affect drive control.

The automotive industry is waking up to the importance of cybersecurity. Last year, several automakers and suppliers formed the Automotive Information Sharing and Analysis Center (Auto-ISAC) to share data and information regarding cybersecurity and published a set of best practices in July of this year.

Impact on OTAs

Despite the potential for huge revenue and profits, security issues could put the brakes on the move toward OTAs, though.

Other than a few statements from trade groups such as the National Automobile Dealers Association and government leaders, OTAs as a security issue has stayed under the radar. It’s likely to become a big part of the conversation soon, however. The concern is that broad usage of OTAs increases the chances of hackers finding ways to grab control of a vehicle — or, worse, gain control of a large number of vehicles simultaneously.

Government agencies such as the Department of Transportation and the National Highway Traffic Safety Administration have publicly acknowledged the challenge OTAs create for overall cybersecurity. Last January, both Department of Transportation Anthony Foxx and NHTSA Administrator Mark Rosekind urged the automotive industry to adopt the Federal Aviation Administration’s cybersecurity strategy.

Part of the FAA’s playbook prohibits software updates OTA. Instead, software updates are made by an FAA technician using a secure physical connection. It’s a very real possibility that the government may require the auto industry to follow a similar practice. (This would be good news for dealers as their technicians likely would be the ones making the updates.)

The handwriting may be on the wall. Just last month, the Auto-ISAC named Faye Francy as its Executive Director. She most recently ran the Aviation-ISAC which instituted the practice of requiring software updates be done physically instead of wirelessly. It will be interesting to see whether she pushes the Auto-ISAC into a similar strategy.

Of course, the incoming Trump administration will be a wild card in the conversation as both Foxx and Rosekind will be replaced in January.

This will be an ongoing conversation but how the auto industry will move forward should become more clear in 2017 which should answer several questions regarding how cybersecurity will be implemented.

There are billions of dollars at stake and clearly companies such as Tesla have made OTAs part of their overall market strategy. So whether the proverbial toothpaste is already out of the bottle remains to be seen.

.Read more on security issues and the dealership: Dealerships are Key in Cyber Attack Wars).