Software Promises and Perils

In May, Honda recalled some 2014-2015 Acura MDX 2WD and AWD, RLX and 2014 Acura RLX Hybrid vehicles, because its Collision Mitigation Braking System could incorrectly interpret certain roadside objects such as metal fences or metal guardrails as obstacles and unexpectedly apply the brakes. In October, Google and Volvo were demonstrating their driverless cars for journalists on two continents – the U.S. and Australia; and this month, Volkswagen – which surpassed Toyota in July to become the world’s biggest automaker – was offering outraged customers $500 gift cards as it tries to dig itself out of an emission cheating scandal in which a “defeat device,” vehicle software designed to detect system testing, would run the engine at less than full power to emit fewer pollutants.

As the automobile continues its radical transformation from an assemblage of mechanical components to a sophisticated computer on wheels, industry leaders promise that electronics and software will make vehicles more efficient and safer, with endless potential. Today’s drive-by-wire Lexus will look primitive next to driverless cars. V2V technology – cyber-speak for crash avoidance systems that take control of a vehicle to prevent a collision – means the network is not just within a single vehicle, but among multiple vehicles. Your car is not just a mode of transportation – wireless technology makes it a phone booth, a movie theater, a navigator, an Internet café.

But, trailing in the wake of fast-moving technology are the obvious problems – recalls for defects caused by the unintended consequences of tangled code and the less obvious problem of how this technology will be regulated and how its problems will be investigated. There are now two open NHTSA dockets regarding automotive software, electronics and functional safety. A Final Rule has just been published on third docket before the U.S. Copyright Office dealing with vehicle owners and researchers rights to examine, copy or alter automotive software. 

Industry – no surprise – has mounted a full-on assault on the very idea of an automotive electronics and software standard. From the copyright docket to the vehicle-to-vehicle communications docket, automakers have sought to build a wall around their software that can be breached by neither the consumer nor the regulator. Some of have even challenged NHTSA’s authority to write standards for this component of today’s vehicles.

But, software experts warn that establishing standards for automotive applications is more critical than ever. In a May 2015 editorial, Tony Dyhouse, director of the U.K’s Trustworthy Software Initiative, a collaborative effort to gather existing standards and best practices, as well producing its own standard to help all manufacturers “avert IT risks,” criticized automakers’ current systems. The demand for automotive software is outstripping developers’ abilities to produce code that is secure, safe and testable: 

“Too much of the code currently produced for the automotive industry is insufficiently protected, leaving manufacturers and drivers vulnerable to potentially dangerous attacks,” he writes in Traffic Technology International. “Connected vehicle technology is one of many areas where software vulnerabilities could have a truly catastrophic effect.”

The Mothership: Functional Safety

In October 2014, NHTSA published a Federal Register Notice seeking comments on the possibility of writing regulations to ensure the safety of automotive electronics. The 10-page request for comments, satisfied a directive from the federal legislation known as MAP–21 to “complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles.”  

The notice attracted 44 comments from safety groups, SAE International, automakers and some of their representative organizations. (Although the Alliance of Automobile Manufacturers was notably absent.)

The Telecommunications Industry Association, ever hostile to government intervention, expressed “strong concerns” with NHTSA’s “seeming intention to regulate vehicle software,” calling it “an unnecessary overreach that would stifle innovation in the US vehicle technology marketplace” and that NHTSA’s focus “on a narrow set of security and safety design standards is similarly inappropriate; this is not a proper role for government.”  

Automakers GM, Ford, Mercedes commented in one form or another that everything is moving too quickly for anything as antediluvian as a function safety standard. Mercedes assured NHTSA that the current standards “have matured to the point that high levels of safety, quality and reliability have been achieved,” but that “as technology continues to evolve, the automotive industry – as it has done in the past – will continue to examine the relevance and efficacy of those standards and adapt them as needed to ensure that safety, quality and reliability are not compromised. Mercedes-Benz actively supports global standards organizations in the pursuit of these objectives; we believe that this proven process is best suited to meet the dynamic needs of continuously evolving automotive electronic component safety, quality and reliability.”

General Motors did not recommend “generic performance tests due to the significant variation among products and the difficulty in normalizing the results to have all manufacturers provide performance test results in a consistent, meaningful manner.”

Ford averred that “any functional safety process will be most effective when incorporated into existing product development processes. Therefore, vehicle manufacturers are best suited to determine which standards and approaches have broad applicability and feasibility in both the extent and manner in which they are used. Hazard analysis methodology is a rapidly evolving research area and we expect refinements in practice will lead to convergence across the automotive industry.”

Ford got it half right. Philip Koopman, a Carnegie Mellon University professor in computer engineering, a safety critical embedded systems specialist, author of the textbook, Better Embedded System Software, and a consultant who performs private industry embedded software design reviews says that the time to ensure the functional safety is during the design process – traditional compliance testing after the vehicle is built is not sufficient to ensure safety, because intermittent electronic defects are difficult to detect. Automotive software designers must take a different approach:

“You have to assume that the software is unsafe until you accumulate enough evidence that you can demonstrate that it is safe,” he says.

Automotive software designers have been guided in constructing safe systems from standards issued by the Motor Industry Reliability Software Association (MISRA) in 1994. This set of best practices is hardly new, Koopman says. In addition, the industry is guided by ISO 26262, a nine-volume standard, developed by a “Functional Safety” industry working group within ISO TC22/SC3/WG16, that included members from nine countries, that includes functional safety throughout the product’s entire lifecycle from development to implementation, to servicing to decommissioning. Published in November 2011, the voluntary guidelines enumerate four different Automotive Safety Integrity Levels (ASIL) A through D, with the latter being the most stringent.

“If you follow them, you are in pretty good shape,” Koopman says. “We all know that software’s imperfect. You have to get more sophisticated and change your tool set, and look how to certify software safety. You don’t just test the vehicle, you get involved with development.”

Koopman says that NHTSA needs to consider the compliance models that have been used successfully in other industries, such as aviation and the chemical process industry. In aviation, for example, there are Designated Engineering Representatives (DERs), who may be employed by the manufacturer, but are ethically and legally bound to the regulating agency. DERs sit in on the design process and ensure compliance with best practices and standards. Or the agency could use the chemical industry model in which manufacturers are required to keep good documentation of their software process that is audited and certified by third party auditors.

“There’s no mystery,” Koopman says “People have known how do this right for a long time.”

V2V is Not for Thee, NHTSA

NHTSA believes that the next wave in reducing harm from motor vehicles will come from vehicle-to-vehicle crash avoidance technology – “on-board dedicated short-range radio communication devices to transmit messages about a vehicle’s speed, heading, brake status, and other information to other vehicles and receive the same information from the messages. Unlike technology based on sensors, radar, or cameras, V2V will perceive threats and warn drivers sooner.” In August 2014, NHTSA published an Advanced Notice of Proposed Rulemaking, proposing to create a new Federal Motor Vehicle Safety Standard 150, requiring vehicle-to-vehicle communication capability for passenger cars and light truck vehicles and to create a minimum performance requirements for V2V devices and messages.

The defining document of the rulemaking is Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application. The 300-plus page report sets out the results of more than a decade of agency research, as well as its authority to regulate such systems. The agency, in particular, cited two sections of the Safety Act involving components sold as replacements or improvements, accessories, addition and one regarding “any device or an article or apparel … that is not a system, part, or component of a motor vehicle; and is manufactured, sold, delivered, or offered to be sold for use on public streets, roads, and highways with the apparent purpose of safeguarding users of motor vehicles against risk of accident, injury, or death.”

The agency thus staked its authority to regulate V2V:

“The language of the Safety Act, however, is broad enough to comfortably accommodate this evolution in vehicle technologies. NHTSA’s statutory authority over motor vehicles and motor vehicle equipment would allow the agency to establish safety standards applicable both to vehicles that are originally manufactured with V2V communications technologies and to aftermarket equipment that could be added to vehicles that were not originally manufactured as V2V-capable (i.e., to convert them into vehicles with various degrees of V2V-capability).”

The telecommunications industry – and to a lesser extent, the Alliance of Automobile Manufacturers – have a different view. The Telecommunications Industry Association, which represents 500 information and communication technology manufacturers, vendors, and suppliers and the CTIA, The Wireless Association, flat-out challenged the agency’s right to impose standards on their automotive applications.

In its submission to the docket, the TIA expressed its “strong concerns with NHTSA’s seeming intention to regulate software in the vehicle, which would be an unnecessary overreach that would stifle innovation in the US vehicle technology marketplace. In addition, TIA believes that NHTSA’s focus in the RFC on a narrow set of security and safety design standards is similarly inappropriate; this is not a proper role for government. Finally, while we urge NHTSA not to take any cybersecurity risk management actions, if it nevertheless acts, it must ensure any regulation is technology-neutral and aligns with existing cybersecurity efforts, such as those by the National Institute of Standards and Technology (“NIST”) rather than pursuing separate automotive industry-specific requirements.” Similarly, the CTIA rejected the agency’s assertions of authority, arguing that NHTSA’s own “longstanding interpretation of its statutory authority” concedes that it does not have “jurisdiction over mobile devices because they are not substantially related to the use or maintenance of motor vehicles.”

The Alliance stated that NHTSA had the authority to regulate V2V technology, but noted that the agency itself admitted that the Safety Act’s reach was limited. It also raised the issue of the availability of the radio spectrum to support V2V communications, and the necessity of working with the Federal Communications Commission to protect the 5.9 GHz radio frequency spectrum  on which such communications would be transmitted. However, the Alliance noted that any proposed V2V communications network, “is not complete without communications and security components that NHTSA cannot mandate fully under its Safety Act authority” given NHTSA’s current lack of appropriations for this purpose.”

And some GOP lawmakers have been trying to carry the telecommunications industry’s water. In November 2014, for Republican Congressional leaders, Michigan Rep. Fred Upton, chairman of the House Energy and Commerce Committee; Pennsylvania Rep. Bill Shuster, chairman of the Transportation and Infrastructure Committee; former Nebraska Rep. Lee Terry, then-chair of the commerce committee’s Commerce, Manufacturing and Trade Subcommittee; and Oregon Rep. Greg Walden, chair of its Communications and Technology Subcommittee send a pointed letter outright rejecting the notion that NHTSA had any business regulating communication devices in automobiles:

“In addition to questions of its authority, we have concerns that NHTSA lacks the expertise to properly advance safety in this space. Guidelines could act as de facto regulation of industry without the expert input, transparency, and process protections that would normally accompany such activity. Indeed, NHTSA’s action could limit further safety innovations and create legal uncertainty for multiple sectors of the U.S. economy.”

Some GOP lawmakers have tried to do more than threaten, by slipping amendments into various measures to prohibit NHTSA from regulating this realm. So far they have not succeeded, but it is clear that the intersection of vehicles and mobile communications is a multi-jurisdictional mess.

Your $30,000 Software License

In mechanical past, no vehicle manufacturer would argue that its customers didn’t own every nut and bolt of their cars from the front bumper to the tailpipe. But GM and other automakers tried unsuccessfully to persuade the U.S. Copyright Office that the $30,540 2015 Buick Regal you bought only entitles you to be the licensee of GM’s proprietary software that runs it.

The Copyright Office didn’t buy it – for now. It issued a Final Rule adopting three-year exemptions to the provision of the Digital Millennium Copyright Act (DMCA) that prohibits circumvention of technological measures that control access to copyrighted works, saying it would not apply to those who engage in non-infringing activities in a number on categories, including vehicle owners and cyber security researchers. This means that owners may tinker with and security software researchers can test the robustness of automotive software, as long as they don’t violate the law or federal regulations.

Every three years, the Copyright Office publishes a notice to consider exemptions to the Digital Millenium Copyright Act. Signed into law in 1998, the DMCA was an attempt to prevent digital piracy by criminalizing the production and dissemination of copyrighted technology and by making a crime to circumvent digital security measures even if it doesn’t infringe on copyright –  think Napster. At the time, explains Kit Walsh, a staff attorney with the Electronic Frontier Foundation, technology advocates and civil liberties advocates protested that the law was too broad. Congress compromised by requiring the Copyright Office to do periodic rulemakings to consider petitions for exemptions.

In September 2014, the U.S. Copyright Office published a notice in the Federal Register calling for exemption petitions. It garnered 40 requests, which it grouped into 27 exemption categories, ranging from audiovisual works for educational purposes to jail-breaking wireless phones to the software for networked medical devices. The EFF submitted six petitions, two relating the automotive software: vehicle software for repair, diagnosis or modification and vehicle software for safety and security research.

It argued that vehicle owners have a right to tinker and otherwise modify their vehicles. Indeed, a billion-dollar aftermarket industry relies on this activity, along with independent repair shops.

“With automobiles, there is a century of history of independent tinkering, leading to the invention of the catalytic converter, the retractable safety belt and a variety of now-standard equipment,” Walsh says. “It’s easy to make the case that tinkering is good for the public. An unintended consequence of the DMCA is that traditional tinkering activities now take place under a cloud of legal liability.”

The EFF also filed a petition to exempt researchers who want to examine the security of automotive software. These studies serve “a critical public service by identifying potential vulnerabilities in vehicle safety,” including security shortcomings which have prompted manufacturers to make improvements, and software bugs. Further researchers have used their findings to develop technology to “protect drivers from flaws left open by manufacturers.”

While the consumer electronics industry argued in the V2V docket that wireless communications were stand-alone items, vehicle manufacturers such as GM and John Deere, made the opposite argument to the U.S. Copyright Office. According to GM:

“The fact that vehicle firmware is sold as part of a car and not as a standalone product does not eliminate the harm to a manufacturer’s copyright interests if a vehicle owner, or those acting on the owner’s behalf, is permitted to circumvent TPMs to engage in security research, but then widely disseminates the code in such a manner that it may be used by bad actors for intentional malicious reasons or by benign hobbyists for purposes which could create inadvertent risks to safety, security and regulatory compliance. Allowing individuals to access, analyze, modify and then publish code for vehicle software risks increasing, not diminishing vehicle safety and security challenges. Further, such increased challenges directly and negatively impact the value of the copyrighted work.”

The Copyright Office concluded that “reproducing and altering the computer programs on ECUs for purposes of facilitating diagnosis, repair and modification of vehicles” was a non-infringing activity as a matter of fair use.  But, the Copyright Office tailored the exemption to exclude computer programs on the ECUs that “are chiefly designed to operate vehicle entertainment and telematics systems.” The Copyright Office concluded that “computer programs in ECUs that are chiefly designed to operate vehicle entertainment and telematics systems” should not be exempted “due to insufficient evidence demonstrating a need to access such ECUs and out of concern that such circumvention might enable unauthorized access to creative or proprietary content.”

Also, excluded were circumvention by third parties, which requires a legislative amendment, and any that would violate the law, or Department of Transportation or Environmental Protection Agency regulations. The office delayed the effective date of the exemptions for a year to give the agencies time to promulgate regulations addressing the exemptions.   For cyber security researchers, the Copyright Office permitted circumvention on a lawfully acquired vehicle “for the purpose of good-faith security research” and doesn’t violate any existing laws. The effective date for this exemption is delayed for a year.

Cyber-Attack on the Internet of Things

In July, Wired magazine wrote up the story of a hair-raising ride in a Jeep on the highway, in which hackers sent commands through the Jeep’s entertainment system to its dashboard functions, such as steering, brakes, and transmission. This story followed a February broadcast in which Dan Kaufman of the military’s Defense Advanced Research Projects Agency (DARPA) demonstrated for 60 Minutes correspondent Lesley Stahl how a software hacker could take control of the new car – make and model obscured. For starters, Kaufman and his associate turned on the windshield wipers and the horn, prompting surprised chuckles from Stahl. Then, they interfered with the braking and the laughter stopped.

These demonstrations have gotten a lot of attention. The headlines veered from “Nobody’s Safe on the Internet” to “Congress, ‘60 Minutes’ Exaggerate the Threat of Car Hacking.” And yet, just 10 days earlier, BMW sent out an over-the-air (OTA) software patch to 2.2 million vehicles after ADAC, Germany’s AAA, discovered that it could lock and unlock the car doors, by exploiting a vulnerability in BMW’s ConnectedDrive telematics system.

Two months after the 60 Minutes story aired, the U.S. House Committee on Energy and Commerce sent a letter to NHTSA Administrator Mark Rosekind asking what NHTSA was doing to address automotive cyber security. The letter asked what staff had been dedicated to researching this topic, how NHTSA was “tracking potential cyber vulnerabilities, and how the agency was evaluating the potential for a cyber-attack on the dealer and/or vehicle maintenance infrastructure.” Among other things, the committee sought information on NHTSA’s evaluation of over-the-air updates to upgrade software and on how existing vehicle systems and technologies utilize public key infrastructure and/or certificates for secure communications.

In 2012, the agency created a new research division, Electronics Reliability/Functional Safety to study, cybersecurity, automated vehicles and electronics reliability. As part of this effort, NHTSA has been building “in-house applied electronics research capabilities at its testing facility at the Vehicle Research and Test Center “to support testing of  electronic systems and potential countermeasures towards developing objective test procedures for electronics related standards, requirements, guidelines, principles, or best practices,” according of a NHTSA overview. The agency has also established a Council on “Vehicle Electronics, Vehicle Software, and Emerging Technologies, managed by senior NHTSA officials “to coordinate and share information on a broad array of topics related to advanced vehicle electronics and emerging technologies.”  

For its part, the industry is building its voluntary bulwark against future agency meddling. In July 2014, the Alliance of Automobile Manufacturers (Alliance1 and the Association of Global

Automakers signed an agreement to work together on cyber security issues. It submitted a copy of this agreement to the agency’s automotive cybersecurity topics and publications docket to inform the agency of its intention of “establishing a voluntary automobile industry sector information sharing and analysis center or other comparable program for collecting and sharing information about existing or potential cyber-related threats and vulnerabilities in motor vehicle electronics or associated in-vehicle networks.”  

In the meantime, members of Congress have been floating their own cyber security bills. In July Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Security and Privacy in Your Car Act (SPY Car), which would require NHTSA and the Federal Trade Commission to establish standards to “secure our cars and protect drivers’ privacy.” It would also establish “a rating system — or “cyber dashboard”— that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards.” The bill includes civil penalties of up to $100,000 per incident.

Reality Check

As much as manufacturers would like to build their porous software systems without the dreary demands of regulations or regulators, the evidence that regulations are more important than ever continues to mount.  As we move toward the age of automotive autonomy, NHTSA needs to get itself up to speed and start considering new ways of demonstrating adherence to best practices.

There is no timetable to promulgate an automotive electronics standard. MAP-21 only requires that the “Secretary shall complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles and write a report on the findings.”  Of course, the examination was required to be completed by October 2014, so NHTSA’s a little behind there.

The integration of electronics continues apace at warp speed. Last month, Tesla founder Elon Musk made cars semi-autonomous with an over-the-air software update for its Models S and X. Its Autopilot feature allows automatic lane changing without touching the steering wheel. And, Fiat Chrysler has been experimenting with a nifty innovation in recall remedies. In Recall 13V-175, FCA fixed cracks in the actuator circuit board that cause the transfer case to inadvertently shift 2005-2010 Grand Cherokee and 2006-2010 Commander vehicles into neutral with a software patch. Rather than replace the defective hardware creating the problem, Chrysler went for a cheap, upstream solution.

Unfortunately, even Musk doesn’t recommend that a driver take his or hands off the wheel, as several viral videos showing Tesla Autopilot failures attest. In one, the driver was exiting the highway after rhapsodizing about how much he trusted Autopilot, when the software abruptly tried to steer the vehicle to the right. (Or see this one.) Fiat Chrysler’s software patch, is similarly unreliable. About a year after the recall, Chrysler issued a bulletin for another reprograming of the FDCM that was applicable to vehicles covered under the recall – including those that had had the recall performed.  In May of 2015, Chrysler launch a Customer Satisfaction campaign to reprogram the control module again – maybe you can’t fix a cracked circuit board with software after all.  

The whole idea behind driverless cars and V2V is: humans are the problem. They are too distracted on the road, make too many bone-headed maneuvers and speed. If we can only remove humans from the equation, our fatality rates will plummet, the advocates promise. If we want to achieve this ambitious goal, we’d better come up with a way to ensure that the humans designing and manufacturing these miraculous mashups of codes and cars aren’t the new problem.