Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/15/2014
04:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Automobile Industry Accelerates Into Security

Industry looking at intelligence-sharing platform or an Auto-ISAC in anticipation of more automated, connected -- and vulnerable -- vehicles.

Another day, another ISAC -- and this time it's the automobile industry.

The Alliance of Automobile Manufacturers and the Association of Global Automakers today officially announced plans to address growing concerns over security weaknesses and vulnerabilities in new and evolving vehicle automation and networking features that could put cars at risk for nefarious hacking. The industry is in the process of forming a voluntary mechanism for sharing intelligence on security threats and vulnerabilities in car electronics and in-vehicle data networks -- likely via an Auto-ISAC (Information Sharing and Analysis Center), the officials say.

The auto industry's move toward an ISAC comes on the heels of that of the retail and oil and natural gas industries, which recently formed ISACs for their respective industries. While retail and oil & natural gas have faced a wave of real-world threats and attacks on their systems, carmakers for the most part so far have been mostly faced with research demonstrating possible attacks. The heat is on, however, because by 2017, more than 60% of new vehicles will be connected to the Internet, auto industry officials say.

Researchers Charlie Miller and Chris Valasek last year at the DEF CON hacker conference elicited some nervous laughter among attendees as they showed witty but sobering evidence on video of how they were able to hack and take control of the electronic smart steering, braking, acceleration, engine, and other functions of the 2010 Toyota Prius and the 2010 Ford Escape. Their research follows that of 2011 work by the University of Washington and the University of California-San Diego, where academic researchers found ways to hack car features via Bluetooth and rogue CDs, among other tricks.

Miller and Valasek's work was about looking at what could be done if a bad guy hacker could get inside the car's internal network, and they also released their tools during the conference to help promote further study of vehicle vulnerabilities.

The researchers didn't get much response from Ford and Toyota, despite providing the carmakers with their white paper on their research and reaching out to the companies.

[The Retail Industry Leaders Association (RILA) rolls out a retail ISAC following the National Retail Federation's (NRF) announcement of an intel-sharing platform. Read Dual Retail Cyber threat Intelligence-Sharing Efforts Emerge.]

But today's announcement -- which was made at a press briefing at this week's Cyber Auto Challenge security event, where students work with automakers and government agencies on secure system design and programming as well as hands-on application -- appears to be a big step forward for the auto industry when it comes to factoring in the cyber security implications of new car features and functions. Ford and Toyota are both members of the Alliance for Automobile Manufacturers, and Toyota is also a member of the Association of Global Automakers.

Rob Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers, says the goal of the first phase, a cyber security policy working group, is to provide an interim forum for security researchers to share their findings. "Longer-term, we'll be doing the work of governance and scope that would lead to an ISAC to look at vulnerabilities, assess them, and issue alerts," Strassburger says. "All actionable information our members then act upon."

Left to right: Rob Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers;  Mike Cammisa, director of safety at the Association of Global Automakers; Lisa McCauley, vice president and general manager of Battelle Cyber Innovations;  Andrew Brown Jr, vice president and chief technologist, Delphi Automotive PLC; Karl Heimer, director of Battelle Center for Advanced Vehicle Environments
Left to right: Rob Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers; Mike Cammisa, director of safety at the Association of Global Automakers; Lisa McCauley, vice president and general manager of Battelle Cyber Innovations; Andrew Brown Jr, vice president and chief technologist, Delphi Automotive PLC; Karl Heimer, director of Battelle Center for Advanced Vehicle Environments

Even so, Miller says he and Valasek were not part of the discussions that apparently led up to the plans for intelligence- and threat-sharing in the auto industry. "Anything that helps shed light on the security issues in the auto industry is nice although I think, as a researcher, the problem isn't in sharing our research but rather in getting manufacturers to make changes based on it," Miller said in an email exchange. "We have had no problem getting our research out in the media, etc., but I don't necessarily think the industry has been particularly responsive to the changes we've suggested they take, or if they have been, they haven't included us in the discussion.  I tend to think the industry thinks they know what they are doing and don't necessarily need outside help from folks like us."

The working group will look at a formalized Auto-ISAC or other type of program for sharing intel, says Mike Cammisa, director of safety at the Association of Global Automakers. "We will exchange vehicle-related cyber security information" among automakers, their suppliers, and government agencies as well, he said. "The goal is to continue to enhance the driving experience while maintaining the integrity of these systems."

Andrew Brown, vice president and chief technologist at Delphi Automotive PLC, a components supplier to automotive systems, says cyber security threats are bound to increase over time, as more automation and connectivity is added to vehicles. "As such, that represents an increased opportunity for those who may want to do harm to vehicles and the systems we provide," he said. "As a tier 1 supplier, we recognize we alone can't develop solutions and approaches to mitigate threats... It's important to have an industry-wide approach to cyber security issues, and it has to be initiated with the OEMs."

Valasek says car manufacturers and their suppliers tend to be a fairly closed group. "While getting a consortium started is good, the real battle is what to do upon a breach. Pretending like they can develop a perfect system without flaws isn't the answer," he said in an email exchange. There's no such thing as a bug-free system, he says.

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
7/18/2014 | 5:46:48 PM
Re: Upcoming DR Radio episode on car hacking
I look forward to hearing their insights!
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/18/2014 | 3:34:23 PM
Re: Upcoming DR Radio episode on car hacking
that sounds like a great show Kelly. I'm fascinated by the idea of self-driving cars. I love the idea of being able leave the driving to the car and use the time to read, work or simply enjoy the view. But there definitely will be a dark side to this. It will be great to hear what Miller and Valasek have to say about it.   
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/18/2014 | 2:14:21 PM
Upcoming DR Radio episode on car hacking
I have security experts/car hackers Charlie Miller and Chris Valasek as my guest on Dark Reading Radio on Wed. July 30 at 1pm ET and they will be sharing some of their newest research into vulnerabilities in cars, both local and remotely hackable. They will have some very interesting insight into all of this.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
7/18/2014 | 11:50:54 AM
Re: Automobile cyber security
I for one believe self driving cars are inevitable and a good thing for everyone but local police departments.  However, if auto manufacturers do not take security serious then we may all be in for a bumpy ride.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/17/2014 | 9:03:47 AM
Re: Automobile cyber security
Another argument is that the majority of accidents are caused by operator error and that more vehicular automation -- including self-driving cars -- would be safer than what we have now. That's a nice thought, though I shudder to think about what hackers would do in that truly mobile environment. 
supersat
50%
50%
supersat,
User Rank: Apprentice
7/16/2014 | 5:22:47 PM
Re: Automobile cyber security
The first ECUs were for fuel efficiency and emissions control. Now a lot of ECUs provide several critical safety features -- anti-lock brakes, stability control, tire pressure monitoring, airbags, etc. As a side note, a lot of automatic transmissions are implemented with hydraulics that determine when and how to shift.
theb0x
50%
50%
theb0x,
User Rank: Ninja
7/16/2014 | 1:36:11 PM
Re: Automobile cyber security
What exactly is the benefit of automated computer systems in a vehicle besides people being lazy?

Automatic transmission, power door locks, power windows, powered trunk latch, power seats, power seatbelts, cruise control, eco boost, launch control, xdrive, parking assist, ........ brake systems are no longer mechanically controlled. This absolutly disgusts me. How many recalls have there been that require firmware upgrades to fix the problem? Firmware should have nothing to do with a vehicle's brakes. This is why I refuse to buy a new vehicle. I will always have more control and I certainly don't need a computer to tell me my gas cap is loose.
eaglei52
50%
50%
eaglei52,
User Rank: Apprentice
7/16/2014 | 1:24:48 PM
Time to start system hardening now....
One of the first areas to secure is the ECU interface port; the connector under the drivers knee used to  measure emissions via computer status codes. It's wide open to anyone.  The software and connector cables are pc friendly and widely available for next to nothing and on car forums there's abundant instruction on modifying built in functions (e.g. how long headlights stay on after shutoff, programming a new chip key, etc.)  A perfect place to infect in ways limited by only imagination. This physical access alone is enough to take action to harden; let us hope it's already begun.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
7/16/2014 | 11:10:51 AM
Remote theft
Something I think could become a problem in years to come when automated vehicles are commonplace, is someone remotely taking control and driving it away from your home while you're asleep, or after you've left it in the car park. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/16/2014 | 10:47:17 AM
Re: How do researchers interface with the group
No details yet, Beau, but I will be following its progress. Thank you for sharing your thoughts.

I am very familiar with I Am The Cavalry--as a matter of fact, I wrote about it last year when all of the consumer device hacks were coming out at Black Hat & DEF CON: http://www.darkreading.com/attacks-breaches/lost-in-translation-hackers-hacking-consumer-devices/d/d-id/1140272

 

 
Page 1 / 2   >   >>
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17513
PUBLISHED: 2019-10-18
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
CVE-2019-8216
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8217
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8218
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8219
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .