The Rise of the User Defined Vehicle: Bridging Technology, Personalization, and Cyber Security

Introduction: from Software Defined Vehicle (SDV) to User Defined Vehicle (UDV)

By now, you have almost certainly heard the term Software Defined Vehicle. What it means exactly is a matter of perspective. It is widely accepted, though, that the modern vehicle has an ever-increasing amount of software code embedded in its components, and that many functions that used to be controlled by mechanical or electrical means are now controlled by software. Beyond that, the Software Defined Vehicle allows for decoupling of hardware and software. In other words, an OEM can update the vehicle's functions, and even introduce new ones, in vehicles that are already on the road.

As more and more vehicles adopt the SDV concept, and the implications of this evolution (some would argue ‘revolution’) start to materialize, the conversation is gravitating toward the User Defined Vehicle. What’s that all about? Let’s take the mobile phone as a comparison.

Many of us would find it difficult to remember what phones were like in those prehistoric times before the smartphone. Back then, a phone’s functions and capabilities stayed exactly the same for the life of the device, years after the purchase date. If you wanted your phone to learn new tricks, you had to go to the store and buy a newer model.  

Nokia 3310, one of the most popular phone models in the pre-smartphone era.

The modern smartphone changed all that, in two important ways. First, decoupling the phone operating system from the hardware allowed the phone maker to update the system periodically by pushing over-the-air updates (OTA). Many mobile phone makers update their OS at least once a year with new functions and capabilities. Second, phone owners can install apps that are of interest to them. Popularized by Apple with the introduction of the iPhone app store back in 2008, smartphone ecosystems today sport millions of apps on online app stores. Every phone user chooses their app combination of choice, and thus no two phones are really the same. Users literally define their own experience. 

iPhone mobile apps fully customized by the user.

Apps are king, now in vehicles too

Similar to smartphones, User Defined Vehicles allow car owners to customize their user experience. Apple and Android users have long been able to leverage Apple CarPlay or Android Auto to mirror apps from the mobile phone into their vehicle infotainment system, as long as it’s compatible with these platforms. But new vehicle native platforms such as Android Automotive and others promise an even more intuitive user experience, allowing users to install apps of choice directly to the vehicle infotainment system without a need to mirror them from a mobile device. 

Vehicle infotainment system user customizable via Apple CarPlay

In-vehicle connected services

The Software Defined Vehicle concept is riding on another automotive trend – connectivity. The combination of both is enabling a new business model for car makers – selling connected services. Research forecasts that car companies can generate $1,600 per car from selling connected car services. A car owner does not need to buy all possible features. Instead, they can pick and choose the ones they want. A McKinsey survey finds that connectivity preferences vary widely by region and customer segment. For example, Chinese consumers prefer advanced technologies such as advanced driver-assistance features, while US and German consumers prefer comfort and convenience features such as heated seats and climate control. Consumers also want flexible payment options: some prefer a one-time payment for a feature, while others want a service-based subscription model.

Top 10 connectivity features in Germany by likelihood to purchase, McKinsey & Company

Software updates make cars learn new tricks

Many car manufacturers add hardware, sensors and technology into the car design to enable future services even before customers buy or subscribe to them. This allows them to keep innovating and offering new services, because, aftermarket enhancements aside, car hardware typically remains the same through the life of the vehicle. The average life of a car on the road is over 12 years, and many vehicles last much longer than this. But once the connected SDV can get software updates over-the-air, a new dimension of enhancement opportunities opens up. Tesla, which pioneered the SDV in 2012 with the introduction of Model S, typically updates its in-vehicle software every few months, sometimes even faster. But Tesla is not alone. Nio, which is considered by some as the “Chinese Tesla”, offers its own take on user defined vehicles. Nio sees itself as a “user experience” company rather than a car maker, and views its customers as “users”. It pushes at least four to five complete software updates a year, and user feedback is what drives its features and software development process. Feedback is usually collected via the in-car voice assistance system, but also via user workshops and from users’ smartphones. It’s then delivered directly to Nio’s user advisory board. Nio experience managers analyze the feedback, and repeated comments are translated into vehicle improvements via OTA updates within a few months. In 2023, Nio completed 10 OTA software updates including 768 experience improvements.

Nio Link PanoDisplay, part of its in-vehicle user experience

The cyber security angle of the user defined vehicle

The evolution of the SDV into a UDV opens up a whole new digital car experience we never had before, taking a page from the rise of the smartphone. At the same time, though, it raises cyber security considerations the industry must take into account. Allowing car owners to download and install digital apps creates a new potential attack vector for bad actors. Some apps, even legitimate ones, have a less than adequate cyber posture and may bring with them software vulnerabilities or weaknesses that can be exploited to hack into the vehicle. One should also consider the possibility that rogue apps would penetrate the app stores and cause car owners to inadvertently inject malicious code into their vehicle.

Digital apps aside, software updates to vehicles on the road are yet another channel for software vulnerabilities. SDV car makers are pushing major software updates multiple times a year. Each such software stack includes new code, and could also introduce new or updated software libraries, either open source or commercial. Maintaining the cyber posture of the vehicle software is becoming not only a moving target, but also a never-ending task. In a way, the software development process of the UDV never ends. While traditionally the design and development of vehicles and their components are done prior to start of production, the software of the UDV will keep evolving and being enhanced for years to come.

How can we mitigate the cyber security risks of the User Defined Vehicle?

  1. Apply a DevSecOps approach to automotive software development. This methodology enables shift left security, and applies security tests and measures at every step of the design and development process.
  2. Scan each vehicle component software code for vulnerabilities. Every software update might include weaknesses that need to be identified and addressed before the software is deployed.
  3. When only software binaries are available (e.g. when the code is developed by a supplier), scan the software bill of materials (SBOM) of all binaries for vulnerabilities to keep a high cyber security posture of the supply chain.
  4. Conduct fuzz and penetration testing to discover zero-day vulnerabilities and make sure software is safe.
  5. Include intrusion detection and prevention systems in strategic areas of the vehicle architecture such as switches, gateways and important ECUs. CAN IDPS, Ethernet IDPS and Host IDPS can protect the vehicle when bad actors do manage to find weaknesses to exploit.  
  6. Monitor your vehicle fleet on a regular basis. Using an Extended Detection & Response platform within your vehicle security operation center (VSOC) will allow you to identify risks and cyber attacks in real-time, so rapid action can be taken to address them.
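
To make item 3 concrete against the OTA cadence discussed above, here is an added example (not code from this article or from any vendor) that compares the SBOMs of two consecutive OTA releases and reports whether each vulnerable library was introduced by the update, changed but still affected, or carried over. The CycloneDX-style `components` layout, the library names, the advisory ids and the purely numeric dotted versions are all constructed assumptions.

```python
"""Added example: diff the SBOMs of two OTA releases and flag vulnerable libraries."""
import json

# Constructed CycloneDX-style SBOM fragments for two OTA releases of one ECU image.
SBOM_OLD = json.loads("""{"components": [
  {"name": "libexample-tls", "version": "1.2.0"},
  {"name": "libexample-xml", "version": "2.4.1"}]}""")
SBOM_NEW = json.loads("""{"components": [
  {"name": "libexample-tls", "version": "1.2.0"},
  {"name": "libexample-xml", "version": "2.5.0"},
  {"name": "libexample-media", "version": "0.9.3"}]}""")

# Constructed advisory feed: (component, first fixed version, placeholder advisory id).
ADVISORIES = [
    ("libexample-tls", "1.2.5", "ADVISORY-PLACEHOLDER-1"),
    ("libexample-xml", "2.4.2", "ADVISORY-PLACEHOLDER-2"),
    ("libexample-media", "1.0.0", "ADVISORY-PLACEHOLDER-3"),
]

def vkey(version):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def inventory(sbom):
    """Map component name -> version for one release."""
    return {c["name"]: c["version"] for c in sbom.get("components", [])}

def review_update(old_sbom, new_sbom, advisories):
    """Return sorted findings for the new release, tagged with how each one arrived."""
    old, new = inventory(old_sbom), inventory(new_sbom)
    findings = []
    for name, fixed_in, adv_id in advisories:
        if name not in new or vkey(new[name]) >= vkey(fixed_in):
            continue  # not shipped in this release, or already at a fixed version
        if name not in old:
            status = "introduced"    # library is new in this update
        elif old[name] != new[name]:
            status = "changed"       # version moved but is still affected
        else:
            status = "carried-over"  # unchanged since the last release
        findings.append((status, name, new[name], adv_id))
    return sorted(findings)

if __name__ == "__main__":
    for status, name, version, adv_id in review_update(SBOM_OLD, SBOM_NEW, ADVISORIES):
        print(f"{status:12} {name} {version} -> {adv_id}")
```

Run as a release gate, the "introduced" and "changed" findings are the ones the update itself is responsible for, while "carried-over" findings show debt that earlier releases already shipped.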
