While just a concept, FCA worked with Google on an Android infotainment setup that’s debuting at the 2017 CES in Las Vegas. There’s no word yet on whether it’ll actually become reality, but it does make that seem like an eventuality. Automakers interested in integrating Google in the dash need to look closely at a recent incident as an example of how NOT to behave.
On Christmas Day this tweet started to make its rounds on the internet:
— Darren Cauthon (@darrencauthon) December 25, 2016
While it might be difficult to tell from the screenshot, this television has a virus. It’s a ransomware virus, where the entire Android operating system is locked down and the only way to unlock it is to pay a fee to the people who locked it.
That’s right, folks. This person’s television was infected with a virus. Ransomware is a big industry, generating millions of dollars for the people who create the viruses.
If we start to see Android implemented in the automobile, it potentially opens up security risks that might not have existed before.
Currently, many vehicle infotainment systems are powered by QNX. This system, while prevalent in cars, isn’t something that’s really used outside the automotive space. This means that there’s not really much incentive for virus creators to create viruses for that setup.
Once an infotainment system is switched to Android, viruses that are already out there could potentially interfere with it, even if they weren’t designed specifically for the vehicle.
Cybersecurity is important in general for cars moving forward, but it’s also important to handle failures of that security swiftly and easily.
LG didn’t do that with the television in that tweet.
I called their support, they said I'd have to pay 340 for a tech call. They won't give me the factory reset, I asked.
— Darren Cauthon (@darrencauthon) December 27, 2016
Now there could be many reasons why the tech on the phone wouldn’t give the customer the reset code for the television — perhaps they didn’t understand what was actually going on — but the factory reset should’ve been in the owner’s manual and freely available online for customers who might run into this problem.
In the end, the customer was provided with the code to reset the television, which cleared the malware and reset everything to the factory settings. But this should serve as a cautionary tale to automakers; it’s a dangerous world out there.
If Android is to be an operating system for the infotainment system, security measures must be put in place. Android is a relatively safe operating system, especially when apps from the official Google Play Store are the only ones allowed to be installed, but that doesn’t mean it couldn’t be safer.
For OEMs integrating Android, apps should be tested for car compatibility by a human being before being made available for consumer download. Source code should be checked and verified to be virus-free.
There also needs to be some sort of security layer between the infotainment system and the rest of the vehicle. Holding a car for ransom unless the owner pays a certain amount of money in Bitcoin to some shady people isn’t the ideal scenario for the future.
Also, I’d encourage OEMs to make the infotainment system factory-resettable from a physical button or key combination. On many systems, the owner needs access to the screen to perform a reset. That’d be impossible in the ransomware situation that affected this television.
It should be noted, from digging through Darren’s tweets, that this LG smart television dates from when Google made their TV product for integration into smart televisions. That means the software isn’t brand new, like it would be on a car. It also likely hasn’t been updated in a long time.
But that doesn’t mean the car setup will be inherently safer. Regular software and security updates are essential to keep everything running, even after the vehicle has exited the warranty period. People keep their cars a lot longer than their smartphones and other devices. Either Google or the OEM has to continue to support those products in order for the customer to trust the car maker.
These setups are just in the concept phase, and I’m sure we’ll hear more about security as they get closer to market. But it is something that every OEM, not just FCA, should be thinking about.