White-hat hackers key to securing connected cars

Federal regulator warns of security and privacy risks in connected cars, calling on manufacturers to partner with white-hat hackers to seek out flaws and vulnerabilities.

WASHINGTON -- It's a scary prospect, barreling down the highway when a hacker seizes control of your brakes and power-steering system.

The specter of hacking a vehicle, potentially a matter of life and death, demands that auto makers elevate security as a priority as they develop ever more sophisticated in-car technology, a member of the Federal Trade Commission is warning.

"The age of connected cars has firmly begun, and will only accelerate from here," FTC Commissioner Terrell McSweeny said at a recent conference on connected cars. "This technology has a huge amount of promise for consumers, but also raises serious privacy and security considerations that must be part of the dialogue."

McSweeny cites a Senate report issued last year that found wide swings in the security practices throughout the auto industry. Some car makers engaged a third-party outfit for independent testing of the security in their cars, for instance. Others did not. And some manufacturers, but not all, had systems in place to remotely monitor for suspicious activity.

McSweeny says that she is a frequent visitor to security conferences, where researchers often demonstrate tactics for hacking into a vehicle's system.

"Some have dismissed these exploits as stunts, but I think it would be far wiser to treat them as important wake-up calls to the industry," she says. "What I've learned from visiting with hackers and security researchers is that cars are prominent targets, but also that this prominence can create a real opportunity to enhance the safety and security of cars and the trust of consumers."

Auto industry urged to embrace hacking community

She sees the potential for the auto industry to partner with the security community to help unearth vulnerabilities in its in-car systems, in a fashion similar to the tech sector, where many firms offer bug bounty programs to incentivize responsible hackers to bring flaws to their attention and ultimately improve the security of their products.

"The auto industry, in my view, would be well-served by following the lead of the information technology industry, which has developed ways to work with hackers, rather than against them. For years, technology companies fought a losing battle in security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowdsourcing solutions can be an effective way of staying ahead of cyberthreats," she says.

"I'm convinced that white-hat hackers can be an ally in the technology-development process. Security researchers can work to uncover flaws and vulnerabilities in vehicles," she adds. "If you want to think about it, they are like the white blood cells spotting viruses, infections and flaws in the system and communicating to the brain the best way to respond."

In the meantime, there are certainly steps that car makers could take on the policy front to limit their risk and potential liability, beginning with how they handle data. For years, the FTC has been probing the ways that technology companies collect and use consumers' personal information, and agency officials often recite one of the central lessons that inquiry has produced, urging firms to limit the amount of data they collect and store.

"A breach is less costly if there's less information stored," McSweeny says.

But she also notes the fast-increasing sophistication of in-car software systems, which appear to be headed down the same path as smartphones, raising the potential that companies could gather all manner of sensitive data about consumers, such as health and financial information. That raises the stakes of a breach, and McSweeny made it clear that the FTC expects auto makers to keep the customer information they collect under lock and key.

"Once collected that information must be protected," she says. "The more information that's collected, the more resources are going to need to be deployed to protect it."
