A modern car has dozens of computers with as much as 100 million lines of code -- and for every 1,000 lines there are as many as 15 bugs that are potential doors for would-be hackers.
With vehicles becoming more automated and connected to the Internet, to other cars and even roadway infrastructure, the number of potential intrusion points is growing exponentially, according to Navigant Research.
While cybersecurity became a top priority for carmakers after a 2015 Jeep Cherokee was hacked last year, the lead time for developing a new car is three to five years and with a service life of 20 years or more, most vehicles have systems that bare vastly outdated compared to the latest consumer electronics devices.
That's creating what researchers expect to be an enormous market for vehicle anti-malware and secure hardware.
With the largest U.S. automotive telematics conference taking place this week - TU-Automotive Detroit -- traditional software companies and start-ups alike are announcing new vehicle security products. Announcements have come from Symantec, Savari and Karamba Security.
"Every new vehicle today...has at least some degree of automation capability," said Sam Abuelsamid, an analyst with Navigant Research. "Essentially, every vehicle on the road is going to need some aspect of cyber security built into it."
Cybersecurity has many flavors
Abuelsamid, who co-authored a recent report on automotive cybersecurity, said a flurry of companies have sprung up in Israel, including Argus Cyber Security and TowerSec. But not every company is taking the same approach to securing vehicles.
For example, Argus offers an intrusion detection and prevention module that ties into a vehicle's controller area network (CAN), which connects the various electronic control units (ECUs) or computers in a car. TowerSec offers software that is embedded in existing ECUs. Karamba's software is made to be intergraded as part of a vehicle's telematics system from the factory.
"Basically, what they're all doing is heuristic scanning of the vehicle's data traffic...rather than the traditional anti-virus approach, where its looking for virus signatures," Abuelsamid said.
By definition, heuristic-pattern software is not perfect in that it doesn't block malware directly; it watches a vehicle's computer network for any unusual messages or code that shouldn't be there. It then mitigates the infection by keeping it from spreading or executing critical system commands, such as making a car swerve or brake.
"It's a more robust approach rather than trying to find traditional anti-virus signatures because it doesn't rely on having constant updates. It is trying to discover malware-like activity before it has a chance to infect," Abuelsamid said.
Along with the relatively nascent automotive anti-malware industry, system security is further endangered because vehicle engineers typically do not use the most state-of-the-art hardware. Instead, carmakers opts for processors that may be a generation or two older in order to ensure reliability and robustness. That older hardware, however, may be able to run up-to-date security systems, which can expose latent vulnerabilities in the hardware, according to Navigant.
The need for cybersecurity software is so critical that the Alliance of Automobile Manufacturers and the Association of Global Automakers set up its own Information Sharing and Analysis Center (ISAC), which enables the sharing of data involving cybersecurity.
Such info-sharing groups exist in most major industries, such as healthcare, financial services and aerospace, but until 2014 the auto industry didn't see the need for a cyber security network.
Within five years, most new vehicles will be connected to the Internet, according to Gartner. And, by 2035, there will be 21 million autonomous vehicles on roadways, according to research firm IHS Automotive.
The watershed moment
Egil Juliussen, director of research at IHS Automotive, said prior to last year's Jeep Cherokee hack, which was performed by two security experts who were able to control the vehicle remotely, the auto industry didn't see an immediate threat.
Fiat Chrysler Automobiles (FCA), the world's seventh largest automaker, issued a recall notice for 1.4 million vehicles in order fix a software hole that allowed hackers to wirelessly break into the Jeep Cherokee and electronically control vital functions.
"Last year they all got kicked in the butt," Juliussen said. "When that happened, then they had a data point around how much it could cost to fix these things -- 1.4 million cars that may cost $100, so all of a sudden you're looking at $140 million to fix that. So that changed how they looked at it."
"The first thing they did was look at existing systems...then began planning for new systems coming out in 2019 or 2018," he added.
While Internet-connected vehicles offer an avenue for attack, they also provide a potential solution to cybersecurity via over the air (OTA) software updates. Those updates are only now being offered by a limited number of automakers.
That will soon change.
By 2022, some 203 million vehicles on the road will be able to receive over-the-air software upgrades; among those vehicles, at least 22 million will also be able to get firmware upgrades, according a report by ABI Research.
By 2025, nearly half of all global light duty vehicle sales are expected to include telematics capabilities that will enable OTA software updates to address cyber security, functionality, and regulatory compliance issues, according to Navigant.
When software can be updated as it is on any mobile device, new threats can be addressed in near real-time.
Unlike the financial services or healthcare industry, the automobile industry offers less of a financial incentive for hackers. While vehicle infotainment systems may someday allow drivers to purchase goods and services, it's not a widespread feature and isn't expected to be anytime soon.
What does loom as a larger threat from hackers is ransomware and terrorism, Abuelsamid and Juliussen said.
For example, a hacker could encrypt a vehicle's infotainment system, denying access and then blackmail either the vehicle owner or the carmaker to release it.
For terrorists, the potential to shut down a fleet of vehicles or a transportation system would be considered low-hanging fruit.
"That's probably what's scaring [the auto industry] the most," Juliussen said. "They'll spend lots of time and money to do that. If you could disable even 10,000 cars in the New York area or any other place, that would be a total disaster."