Car software: The weak spot under the hood

Shwetak N Patel looked over the 2013 Mercedes C300 and saw not a sporty all-wheel-drive sedan, but a bundle of technology.

There were the obvious features, like a roadside assistance service that communicates to a satellite. But Dr Patel, a computer science professor at the University of Washington in Seattle, flipped up the hood to show the real brains of the operation: the engine control unit, a computer attached to the side of the motor that governs performance, fuel efficiency and emissions. "Cars these days are reaching biological levels of complexity," said Chris Gerdes, a professor of mechanical engineering at Stanford University.

The sophistication of new cars brings numerous benefits - forward-collision warning systems and automatic emergency braking that keep drivers safer are just two examples. But with new technology comes new risks - and new opportunities for malevolence.

The unfolding scandal at Volkswagen - in which 11 million vehicles were outfitted with software that gave false emissions results - showed how a carmaker could take advantage of complex systems to flout regulations.

Carmakers and consumers are also at risk. Dr Patel has worked with security researchers who have shown it is possible to disable a car's brakes with an infected MP3 file inserted into a car's CD player. A hacking demonstration by security researchers exposed how vulnerable new Jeep Cherokees can be. A series of software-related recalls has raised safety concerns and cost automakers millions of dollars.

Cars have become "sealed-hood entities with complicated computers and modules," said Eben Moglen, a Columbia University law professor and technologist. "All of this is deeply nontransparent. And all of this is grounds for cheating of all sorts."

The increasing reliance on code raises questions about how these hybrids of digital and mechanical engineering are being regulated. Even officials at the National Highway Traffic Safety Administration acknowledge that the agency doesn't have the capacity to scrutinise the millions of lines of code that now control automobiles.

One option for making auto software safer is to open it to public scrutiny. While this might sound counterintuitive, some experts say that if automakers were forced to open up their source code, many interested people - including coding experts and academics - could search for bugs and vulnerabilities. Automakers, not surprisingly, have resisted this idea.

"There's no requirement that anyone except the car companies looks at the code," says Philip Koopman, an associate professor at the department of electrical and computer engineering at Carnegie Mellon University. "Computers can now exert complete control over your car. If that software misbehaves, there's nothing you can do." Though automakers say they know of no malicious hacking incidents so far, the risks are real. Stefan Savage, a computer security professor at the University of California, San Diego, said that automakers are "in a state of panic" over the prospect.