Application Security
8/8/2014
10:00 PM

Automakers Openly Challenged To Bake In Security

An open letter sent to automobile manufacturer CEOs asks carmakers to adopt a proposed five-star cyber safety program.

LAS VEGAS — DEF CON 22 — Efforts to pressure the automobile industry into better locking down cyber security in automated features of modern cars intensified today as a collective of security researchers sent the CEOs at major auto firms an open letter calling for them to adopt a new five-star cyber safety program.

The so-called I Am The Cavalry group, a grassroots organization that formed a year ago at DEF CON 21 to bridge the massive gap between the cyber security research community and the consumer products sector, outlined the Five Star Automotive Cyber Safety Program, which is aimed at ensuring public safety in the face of increasingly connected and automated vehicles.

The voluntary program is all about building security into the computerized features of modern vehicles. Vulnerabilities in car automation systems have been exposed by security researchers, including Charlie Miller and Chris Valasek, who this week at Black Hat USA shared their newest research on remote attack surfaces in cars. Miller and Valasek studied how different vehicles' automation and networked features are configured and the potential for an attacker to exploit them to mess with steering, parking, and other automated features.

"It's a call to [automakers to] collaborate on cyber safety," says Nicholas Percoco, vice president of strategic services at Rapid7, and one of the founders of I Am The Cavalry.

The five components are: safety by design, where automakers build automation features with security in mind and employ a secure software development program; third-party collaboration, where automakers establish vulnerability disclosure policies; evidence capture, where automakers log forensic information that could be used in any safety or breach investigation; security updates, where they push software updates to customers efficiently; and segmentation and isolation, where critical systems are kept in a safe sector of the car's network.

"With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes," says Josh Corman, a founder of I Am The Cavalry and CTO at Sonatype.

"We want to fix incentives, not bugs, for dependence on technology that's worthy of our trust."

Andrew Ruffin, a former staffer for US Sen. Jay Rockefeller (D-WV) who worked on the Senate Commerce Committee, says the security industry reaching out directly to the automobile industry is a good strategy. "I'm encouraged by the letter and hope there's a quick response," said Ruffin, who attended the press briefing here. "I think this has some legs."

But the auto industry has been showing signs of taking cyber security more seriously. Last month, the Alliance of Automobile Manufacturers and the Association of Global Automakers, whose members include many major automakers, announced that the industry is forming a voluntary mechanism for sharing intelligence on security threats and vulnerabilities in car electronics and in-vehicle data networks -- likely via an Auto-ISAC (Information Sharing and Analysis Center).

"Despite the absence of reported cybersecurity incidents affecting vehicles on the road to date, we are taking action to prepare for possible future threats. Consequently, we are jointly working towards establishing a mechanism for sharing vehicle cybersecurity information, threats, warnings and incidents among industry stakeholders," the associations said in a July 1 letter to the National Highway Safety Administration, announcing their plans.

Meanwhile, the I Am The Cavalry letter also was posted on Change.org as a petition for the general public to sign. It reads in part:

New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cyber security have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.

When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles. 

The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.

Tony Sager, chief technologist for The Council on Cyber Security, said the letter offers a clear framework. "It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement."

Aside from the auto industry, I Am The Cavalry also is focused on the home automation, medical device, and public infrastructure sectors.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
GonzSTL (User Rank: Ninja), 8/12/2014 | 8:10:21 AM
Re: Automobile security
Well, the more press this gets, the more people become aware of it. I'm surprised that this hasn't hit the major news outlets. I know that car hack videos have garnered millions of hits on YouTube, so at least social media helps to spread the information. This is such a critical issue, and it doesn't stop at vehicles. The security of the IoT is of particular concern, as we know from discussions about the topic.
Marilyn Cohodas (User Rank: Strategist), 8/12/2014 | 7:44:08 AM
Re: Automobile security
Totally agree that this is an important and necessary first step for the auto industry to take to protect consumers as next gen connected cars come to market. Hope the car makers are paying attention!
GonzSTL (User Rank: Ninja), 8/11/2014 | 10:33:11 AM
Automobile security
If this gains traction, and there's no reason why it shouldn't, then maybe for the first time, we will see security baked in during the infancy of a technology application. With widespread publicity, people will be aware of the dangers of complacency or ignorance, especially if they use the technology in such a personal thing as an automobile. With the recent spate of data breaches, the general public is keenly aware of its effect on them, and I venture to guess that they are pretty fed up with it. Automobiles are big ticket items on anyone's budget, and I hope that buyers will take its technology security into consideration in the vehicle that they purchase. Can you imagine a public service commercial displaying the remote takeover of a vehicle, leaving the driver helpless? What an impact that would make and it would place enormous pressure on the automobile industry to take technology security seriously.