The auto industry now has at least a couple of “best practices” guide for cybersecurity.
One, from the Automotive Information Sharing and Analysis Center (Auto ISAC), was released about a month ago, generated a flurry of stories that highlighted the group’s exhortations to automakers to start building security into their software from the ground up – from design through production.
Another is from Intel Security, which released a white paper earlier this month titled "Automotive Security Best Practices," a set of, “recommendations for building security into the design, fabrication and operation phases of the automotive production process,” according to McAfee blogger Lorie Wigle (McAfee was acquired by Intel in 2011).
“More than just a set of recommendations, this paper is a call to action for the industry to integrate best practices into their processes now to achieve automotive security,” she wrote.
[ ALSO ON CSO: Should you worry that your car will be hacked? ]
And, a cynic might add, a long-delayed call to action. While welcome in the security community, the call for best practices also raises the question of why it has taken so long to put a serious focus on automotive cybersecurity.
Vehicles have been increasingly “connected” for decades – and the attack surface is now, according to more than one study, varied and porous.
GPS became available in production cars in the mid-1990s, Bluetooth started becoming common by 2007 and Wifi connectivity arrived several years later, along with video chat and streaming content. That connectivity has also made them “smarter” – they can call 911 if there is a crash, and many have accident-avoidance features built into them.
All of which has improved physical safety and made vehicles into entertainment centers. But it has also made them much more vulnerable. Anything that is connected is hackable.
In a white paper titled "Commonalities in Vehicle Vulnerabilities," released earlier this month, the cybersecurity firm IOActive noted the breadth of the attack surface – data can enter vehicles through cellular radio, Bluetooth, Wifi, V2V radio, infotainment media, companion apps and Zigbee Radio.
The company said it had spent 16,000 hours researching vehicle cybersecurity since 2013, and using a formula combining how serious a vulnerability is and how likely it is to be exploited, ranked 22 percent of more than 150 vulnerabilities it found as critical. “These are the high-priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” wrote Corey Thune, senior security consultant and the report’s author.
The problems have been increasingly apparent for several years now. A report from the financial advisory firm Stout Risius Ross found that the percentage of vehicle recalls attributed to software problems tripled between 2011 and 2015.
Obviously people’s laptops, smartphones, bank accounts and increasingly their “smart” homes are also hackable. But the stakes are much higher in a moving vehicle. If your credit card gets compromised, you can get a different one. If your bank account is hacked, you could lose a lot of money. But if your car gets hacked, you could lose your life.
That has been most famously demonstrated at the past two Black Hat conferences by Charlie Miller and Chris Valasek, hackers who now work for the ride-hailing service Uber. They showed that an attacker with physical access to a vehicle’s computer systems (in this case a 2014 Jeep Cherokee) can bypass Controller Area Network (CAN) protections and hijack functions including steering, acceleration and brakes.
Chrysler recalled 1.4 million vehicles after last year’s demonstration, and patched the flaw that allowed the two to hack the car remotely. This year, the two had to have a laptop plugged into the Jeep’s CAN through a port under the dashboard. But they were able to create much more dangerous mischief – turning the wheel or slamming on the brakes at any speed.
And they and other experts say it is only a matter of time before hackers will find ways to do that remotely.
As software management consultant Art Dahnert put it in a post on Dark Reading, "the age-old problem of software development failing to 'build security in' is leading to insecurity in automobiles today.”
So yes, Thune agrees that, “best practice initiatives are late. We have legacy technology mixed with modern technology being developed by companies that are just exploring this area of technology,” he said, “and all of that is a recipe for security gaps.”
But he and others say there is almost always a delay when a new technology is brought in to a well-established industry.
The auto industry is, “dealing with the challenge of adding connectivity to systems that were never intended to be connected,” said Steve Grobman, CTO for Intel Security Group.
Thuen agrees. “The emerging technologies have moved these auto companies from automobile manufacturers to Silicon Valley companies who also manufacture automobiles,” he said.
And there is evidence that the industries big players, which have always been notoriously secretive about both their plans and their problems, are concerned enough about their software vulnerabilities to share cyber threat information and solutions with one another.
“We’ve seen a sense of urgency, and the players – in a break with past industry tradition – are willing to share knowledge and best practices,” said David Barzilai, cofounder of Karamba Security, a company that makes security programs to protect automotive software.
There are at least some political leaders who believe it will take a push from government to get automakers to address their vulnerabilities, much like it took legislation to require safety features like seat belts and airbags.
U.S. Sen. Ed Markey (D-Mass), who released a report in February 2015 titled, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” also filed legislation last year, called the "SPY Car Act of 2015," to require the National Highway Traffic Safety Administration (NHTSA) to issue rules to require “reasonable” protections for the physical security and privacy of those in connected cars. The report noted that, “today’s cars and light trucks contain more than 50 separate electronic control units (ECU) that collect driver information and are also vulnerable to attack.
But that bill never went beyond a referral to committee. Markey’s staff did not respond to questions on the status of the bill.
And experts generally argue that legislation would not be as effective as various private sector pressures. One of the most obvious problems is the difficulty with defining "reasonable."
Barzilai said automakers are already under major pressure to improve the software security of their products for two reasons: “To avoid brand damage that may harm sales of their current models, and to make sure cyber security is an enabler for autonomous cars.”
Autonomous cars and ride-sharing, “are seen as the industry’s two main growth engines in the coming years,” he said, adding that if there are significant and successful hacks of vehicles, “growth and sales expectations will be negatively affected.”
Thuen said he thinks pressure will also ramp up with the adoption of cybersecurity insurance. “No companies are better at assessing risk than insurance companies,” he said, “and if anyone can figure out what activities actually make us more secure, it’s them.
“Also, a statement like, ‘Having a vulnerability assessment done on a component will reduce your premiums by X dollars,’ is an actual ROI that business leaders and policy makers can factor into their calculations.”
Of course, there is also the reality that, in the online world, nothing is bulletproof. Even Auto ISAC notes in its best practices document that, “a future vehicle with zero risk is unobtainable and unrealistic.”
But Barzilai, while he agrees with Auto ISAC, said he also believes that, “cars and drones can be hardened in a way that will make the risk of cyber hacking tamed to levels that are close to zero.”
That, he said, is because, “cars, drones and IoT devices in general, are not user-configured. They should run according to factory settings, so any foreign code or unexpected in-memory operation imply hacking attempts.”
And Grobman notes that semi- and fully autonomous vehicles are already in the works. He said the Automotive Security Review Board (Intel is a founding member), “has a vision of driving research to achieve intelligent, self-healing vehicles.”
And he said it is important to focus on the “aggregate” improvement that connected cars bring to vehicle safety, and not dwell only on a few failures.
“Just as the airline industry now relies on automation and ‘fly by wire’ to improve air safety in inclement weather, we should look forward to similar benefits in the automotive world,” he said.