
Automakers Openly Challenged To Bake In Security

An open letter sent to automobile manufacturer CEOs asks carmakers to adopt a proposed five-star cyber safety program.

LAS VEGAS — DEF CON 22 — Efforts to pressure the automobile industry into better locking down cyber security in automated features of modern cars intensified today as a collective of security researchers sent the CEOs at major auto firms an open letter calling for them to adopt a new five-star cyber safety program.

The so-called I Am The Cavalry group, a grassroots organization that formed a year ago at DEF CON 21 to bridge the massive gap between the cyber security research community and the consumer products sector, outlined the Five Star Automotive Cyber Safety Program aimed at ensuring public safety in the face of increasingly connected and automated vehicles.

The voluntary program is all about building security into the computerized features of modern vehicles. Vulnerabilities in car automation systems have been exposed by security researchers, including Charlie Miller and Chris Valasek, who this week at Black Hat USA shared their newest research on remote attack surfaces in cars. Miller and Valasek studied how different vehicles' automation and networked features are configured and the potential for an attacker to exploit them to mess with steering, parking, and other automated features.

"It's a call to [automakers to] collaborate on cyber safety," says Nicholas Percoco, vice president of strategic services at Rapid7, and one of the founders of I Am The Cavalry.

The five components are: safety by design, where automakers build automation features with security in mind and employ a secure software development program; third-party collaboration, where automakers establish vulnerability disclosure policies; evidence capture, where automakers log forensic information that could be used in any safety or breach investigation; security updates, where they push software updates to customers efficiently; and segmentation and isolation, where critical systems are kept in a safe sector of the car's network.

"With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes," says Josh Corman, a founder of I Am The Cavalry and CTO at Sonatype.

"We want to fix incentives, not bugs, for dependence on technology that's worthy of our trust."

Andrew Ruffin, a former staffer for US Sen. Jay Rockefeller (D-WV) who worked on the Senate Commerce Committee, says the security industry reaching out directly to the automobile industry is a good strategy. "I'm encouraged by the letter and hope there's a quick response," said Ruffin, who attended the press briefing here. "I think this has some legs."

But the auto industry has been showing signs of taking cyber security more seriously. Last month, the Alliance of Automobile Manufacturers and the Association of Global Automakers, whose members include many major automakers, announced that the industry is forming a voluntary mechanism for sharing intelligence on security threats and vulnerabilities in car electronics and in-vehicle data networks -- likely via an Auto-ISAC (Information Sharing and Analysis Center).

"Despite the absence of reported cybersecurity incidents affecting vehicles on the road to date, we are taking action to prepare for possible future threats. Consequently, we are jointly working towards establishing a mechanism for sharing vehicle cybersecurity information, threats, warnings and incidents among industry stakeholders," the associations said in a July 1 letter to the National Highway Safety Administration, announcing their plans.

Meanwhile, the I Am The Cavalry letter also was posted on as a petition for the general public to sign. It reads in part:

New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cyber security have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.

When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles. 

The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.

Tony Sager, chief technologist for The Council on Cyber Security, said the letter offers a clear framework. "It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement."

Aside from the auto industry, I Am The Cavalry also is focused on the home automation, medical device, and public infrastructure sectors.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
8/12/2014 | 8:10:21 AM
Re: Automobile security
Well, the more press this gets, the more people become aware of it. I'm surprised that this hasn't hit the major news outlets. I know that car hack videos have garnered millions of hits on YouTube, so at least social media helps to spread the information. This is such a critical issue, and it doesn't stop at vehicles. The security of the IoT is of particular concern, as we know from discussions about the topic.
Marilyn Cohodas
User Rank: Strategist
8/12/2014 | 7:44:08 AM
Re: Automobile security
Totally agree that this is an important and necessary first step for the auto industry to take to protect consumers as next-gen connected cars come to market. Hope the car makers are paying attention!
User Rank: Ninja
8/11/2014 | 10:33:11 AM
Automobile security
If this gains traction, and there's no reason why it shouldn't, then maybe for the first time, we will see security baked in during the infancy of a technology application. With widespread publicity, people will be aware of the dangers of complacency or ignorance, especially if they use the technology in such a personal thing as an automobile. With the recent spate of data breaches, the general public is keenly aware of its effect on them, and I venture to guess that they are pretty fed up with it. Automobiles are big ticket items on anyone's budget, and I hope that buyers will take its technology security into consideration in the vehicle that they purchase. Can you imagine a public service commercial displaying the remote takeover of a vehicle, leaving the driver helpless? What an impact that would make, and it would place enormous pressure on the automobile industry to take technology security seriously.