When an autonomous vehicle gets into an accident, who’s to blame? Is it the manufacturer who assembled the car, the provider of the part which caused the accident, or the passenger who didn’t override the computer in time? This question, which has no agreed-upon answer, is a touchy subject for the automotive industry. Not just because the answer is complicated, but because it seems like there’s simply no way it can be decided peacefully. Blame assignment will commence, courts will be dragged into this – there’s just too much money and reputation on the line.

One likely outcome is that the “who” will be connected to “why”. Behind every failure there’s a reason – from standard wear and tear, to external factors such as sharp stones on the road, to badly written code. But even then, questions will arise – especially in all matters related to vehicle security.

More Code, More Risk 

Millions of lines of code in an autonomous vehicle bring with them thousands upon thousands of software vulnerabilities – possible flaws through which a system can be compromised. Some of them are easy to detect and are caught during the development process. But in such massive software solutions, eradicating all vulnerabilities is nigh impossible.

Ironically, as car makers are mostly integrators, the brand blamed by the public for software failures is unlikely to be the one behind the actual code. In fact, the car maker probably never had access to the source code of the software installed in its vehicles, receiving it as a closed, complete package. And even if the legal liability is placed on the software developer, the brunt of the damage will be done to the vehicle brand.


Scaling Automotive Security

The one thing that car makers can do is rethink the integration funnel for external software components. While it’s already somewhat security-driven, with components sent for vulnerability analysis prior to integration, it’s also manual in nature – reliant on security researchers and the outsourcing of penetration testing to find vulnerabilities in a sea of code. With said code increasing exponentially in size and complexity, this solution simply isn’t scalable.

Requiring the component developers to accept blame for their software errors only solves some of the problems, mitigating the legal exposure but doing nothing to keep the brand safe. To do that, car makers will have to lean on software risk assessment and continuous vulnerability management, automating and streamlining the process by which a decision is made whether to trust a new component. After all, it’s their name on the line, regardless of where the legal liability lies.






By Michael Engstler