A push for the less-hackable car

There is no such thing as 100% software security. But groups representing the auto industry say it is possible to come close in vehicles. One thing is for sure, however – they have a long way to go.

The auto industry now has at least a couple of “best practices” guides for cybersecurity.

One, from the Automotive Information Sharing and Analysis Center (Auto ISAC) and released about a month ago, generated a flurry of stories highlighting the group’s exhortations to automakers to start building security into their software from the ground up – from design through production.

Another is from Intel Security, which released a white paper earlier this month titled "Automotive Security Best Practices," a set of “recommendations for building security into the design, fabrication and operation phases of the automotive production process,” according to McAfee blogger Lorie Wigle (McAfee was acquired by Intel in 2011).

“More than just a set of recommendations, this paper is a call to action for the industry to integrate best practices into their processes now to achieve automotive security,” she wrote.

And, a cynic might add, a long-delayed call to action. While welcome in the security community, the call for best practices also raises the question of why it has taken so long to put a serious focus on automotive cybersecurity.

David Barzilai, cofounder, Karamba Security

Vehicles have been increasingly “connected” for decades – and the attack surface is now, according to more than one study, varied and porous.

GPS became available in production cars in the mid-1990s, Bluetooth started becoming common by 2007 and Wi-Fi connectivity arrived several years later, along with video chat and streaming content. That connectivity has also made them “smarter” – they can call 911 if there is a crash, and many have accident-avoidance features built into them.

All of which has improved physical safety and made vehicles into entertainment centers. But it has also made them much more vulnerable. Anything that is connected is hackable.

In a white paper titled "Commonalities in Vehicle Vulnerabilities," released earlier this month, the cybersecurity firm IOActive noted the breadth of the attack surface – data can enter vehicles through cellular radio, Bluetooth, Wi-Fi, V2V radio, infotainment media, companion apps and Zigbee radio.

The company said it had spent 16,000 hours researching vehicle cybersecurity since 2013 and, using a formula combining how serious a vulnerability is and how likely it is to be exploited, ranked 22 percent of the more than 150 vulnerabilities it found as critical. “These are the high-priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” wrote Corey Thuen, senior security consultant and the report’s author.

The problems have been increasingly apparent for several years now. A report from the financial advisory firm Stout Risius Ross found that the percentage of vehicle recalls attributed to software problems tripled between 2011 and 2015.

Obviously people’s laptops, smartphones, bank accounts and increasingly their “smart” homes are also hackable. But the stakes are much higher in a moving vehicle. If your credit card gets compromised, you can get a different one. If your bank account is hacked, you could lose a lot of money. But if your car gets hacked, you could lose your life.

Steve Grobman, CTO, Intel Security Group

That has been most famously demonstrated at the past two Black Hat conferences by Charlie Miller and Chris Valasek, hackers who now work for the ride-hailing service Uber. They showed that an attacker with physical access to a vehicle’s computer systems (in this case a 2014 Jeep Cherokee) can bypass Controller Area Network (CAN) protections and hijack functions including steering, acceleration and brakes.

Chrysler recalled 1.4 million vehicles after last year’s demonstration, and patched the flaw that allowed the two to hack the car remotely. This year, the two had to have a laptop plugged into the Jeep’s CAN through a port under the dashboard. But they were able to create much more dangerous mischief – turning the wheel or slamming on the brakes at any speed.

And they and other experts say it is only a matter of time before hackers will find ways to do that remotely.

As software management consultant Art Dahnert put it in a post on Dark Reading, “the age-old problem of software development failing to ‘build security in’ is leading to insecurity in automobiles today.”

So yes, Thuen agrees that “best practice initiatives are late. We have legacy technology mixed with modern technology being developed by companies that are just exploring this area of technology,” he said, “and all of that is a recipe for security gaps.”

But he and others say there is almost always a delay when a new technology is brought into a well-established industry.

The auto industry is “dealing with the challenge of adding connectivity to systems that were never intended to be connected,” said Steve Grobman, CTO for Intel Security Group.

Thuen agrees. “The emerging technologies have moved these auto companies from automobile manufacturers to Silicon Valley companies who also manufacture automobiles,” he said.

And there is evidence that the industry’s big players, which have always been notoriously secretive about both their plans and their problems, are concerned enough about their software vulnerabilities to share cyber threat information and solutions with one another.

“We’ve seen a sense of urgency, and the players – in a break with past industry tradition – are willing to share knowledge and best practices,” said David Barzilai, cofounder of Karamba Security, a company that makes security programs to protect automotive software.

There are at least some political leaders who believe it will take a push from government to get automakers to address their vulnerabilities, much like it took legislation to require safety features like seat belts and airbags.

U.S. Sen. Ed Markey (D-Mass.), who released a report in February 2015 titled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” also filed legislation last year, called the "SPY Car Act of 2015," to require the National Highway Traffic Safety Administration (NHTSA) to issue rules requiring “reasonable” protections for the physical security and privacy of those in connected cars. The report noted that “today’s cars and light trucks contain more than 50 separate electronic control units (ECUs) that collect driver information and are also vulnerable to attack.”

But that bill never went beyond a referral to committee. Markey’s staff did not respond to questions on the status of the bill.

And experts generally argue that legislation would not be as effective as various private sector pressures. One of the most obvious problems is the difficulty with defining "reasonable."

Barzilai said automakers are already under major pressure to improve the software security of their products for two reasons: “To avoid brand damage that may harm sales of their current models, and to make sure cyber security is an enabler for autonomous cars.”

Autonomous cars and ride-sharing “are seen as the industry’s two main growth engines in the coming years,” he said, adding that if there are significant and successful hacks of vehicles, “growth and sales expectations will be negatively affected.”

Thuen said he thinks pressure will also ramp up with the adoption of cybersecurity insurance. “No companies are better at assessing risk than insurance companies,” he said, “and if anyone can figure out what activities actually make us more secure, it’s them.

“Also, a statement like, ‘Having a vulnerability assessment done on a component will reduce your premiums by X dollars,’ is an actual ROI that business leaders and policy makers can factor into their calculations.”

Of course, there is also the reality that, in the online world, nothing is bulletproof. Even Auto ISAC notes in its best practices document that “a future vehicle with zero risk is unobtainable and unrealistic.”

But Barzilai, while he agrees with Auto ISAC, said he also believes that “cars and drones can be hardened in a way that will make the risk of cyber hacking tamed to levels that are close to zero.”

That, he said, is because “cars, drones and IoT devices in general, are not user-configured. They should run according to factory settings, so any foreign code or unexpected in-memory operation imply hacking attempts.”

And Grobman notes that semi- and fully autonomous vehicles are already in the works. He said the Automotive Security Review Board (Intel is a founding member) “has a vision of driving research to achieve intelligent, self-healing vehicles.”

And he said it is important to focus on the “aggregate” improvement that connected cars bring to vehicle safety, and not dwell only on a few failures.

“Just as the airline industry now relies on automation and ‘fly by wire’ to improve air safety in inclement weather, we should look forward to similar benefits in the automotive world,” he said.
