Commentary
Yoshiyasu Takefuji

Connected Vehicle Security Vulnerabilities

Digital Object Identifier 10.1109/MTS.2018.2795093. Date of publication: 2 March 2018. IEEE Technology and Society Magazine, March 2018.

In the history of mandatory regulation of computerized vehicles, an E-Letter entitled, "Black box is not safe at all," was published in Science [1] in 2017. It mentioned that on-board diagnostics (OBD-II) specifications were made mandatory for all cars sold in the United States in 1996. The European Union made European OBD (EOBD) mandatory for all gasoline (petrol) vehicles sold in the European Union starting in 2001. The problem is that the OBD-II and EOBD specifications contain "black boxes" that cannot be fully tested by car manufacturers. There is also no security provided in the OBD-II and EOBD specifications. In other words, for more than fifteen years, we have been neglecting security problems of the naked (unsecured) cars [1].

Before considering autonomous vehicles [2], we must understand such unsecure mandatory specifications. Why have we been forced to live with black-box testing without understanding the details of the black box? We all know that black-box testing is not suitable for identifying defects in hardware or software in the black box.

However, open source is not automatically more secure than closed source [3]. The difference is with open source code you can verify for yourself (or pay someone to verify for you) whether the code is secure [3]. With closed source programs it needs to be taken on faith that a piece of code works properly. Open source allows the code to be tested and to be verified to work properly [3]. Open source also allows anyone to fix broken code, while closed source can only be fixed by the vendor [3]. The open source hardware/software movement has been navigating in a good direction to remove all black boxes and to enhance security and incremental innovations [1].

However, cyber-security expert Gene Spafford has a slightly different view of the open/closed issues on security: "I agree that we should be concerned about having unknown components in our systems. We (historically) had some vendors who