Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/15/2014
04:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail

Automobile Industry Accelerates Into Security

Industry looking at intelligence-sharing platform or an Auto-ISAC in anticipation of more automated, connected -- and vulnerable -- vehicles.

Left to right: Rob Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers;  Mike Cammisa, director of safety at the Association of Global Automakers; Lisa McCauley, vice president and general manager of Battelle Cyber Innovations;  Andrew Brown Jr, vice president and chief technologist, Delphi Automotive PLC; Karl Heimer, director of Battelle Center for Advanced Vehicle Environments
Left to right: Rob Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers; Mike Cammisa, director of safety at the Association of Global Automakers; Lisa McCauley, vice president and general manager of Battelle Cyber Innovations; Andrew Brown Jr, vice president and chief technologist, Delphi Automotive PLC; Karl Heimer, director of Battelle Center for Advanced Vehicle Environments

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
7/18/2014 | 5:46:48 PM
Re: Upcoming DR Radio episode on car hacking
I look forward to hearing their insights!
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/18/2014 | 3:34:23 PM
Re: Upcoming DR Radio episode on car hacking
that sounds like a great show Kelly. I'm fascinated by the idea of self-driving cars. I love the idea of being able leave the driving to the car and use the time to read, work or simply enjoy the view. But there definitely will be a dark side to this. It will be great to hear what Miller and Valasek have to say about it.   
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/18/2014 | 2:14:21 PM
Upcoming DR Radio episode on car hacking
I have security experts/car hackers Charlie Miller and Chris Valasek as my guest on Dark Reading Radio on Wed. July 30 at 1pm ET and they will be sharing some of their newest research into vulnerabilities in cars, both local and remotely hackable. They will have some very interesting insight into all of this.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
7/18/2014 | 11:50:54 AM
Re: Automobile cyber security
I for one believe self driving cars are inevitable and a good thing for everyone but local police departments.  However, if auto manufacturers do not take security serious then we may all be in for a bumpy ride.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/17/2014 | 9:03:47 AM
Re: Automobile cyber security
Another argument is that the majority of accidents are caused by operator error and that more vehicular automation -- including self-driving cars -- would be safer than what we have now. That's a nice thought, though I shudder to think about what hackers would do in that truly mobile environment. 
supersat
50%
50%
supersat,
User Rank: Apprentice
7/16/2014 | 5:22:47 PM
Re: Automobile cyber security
The first ECUs were for fuel efficiency and emissions control. Now a lot of ECUs provide several critical safety features -- anti-lock brakes, stability control, tire pressure monitoring, airbags, etc. As a side note, a lot of automatic transmissions are implemented with hydraulics that determine when and how to shift.
theb0x
50%
50%
theb0x,
User Rank: Ninja
7/16/2014 | 1:36:11 PM
Re: Automobile cyber security
What exactly is the benefit of automated computer systems in a vehicle besides people being lazy?

Automatic transmission, power door locks, power windows, powered trunk latch, power seats, power seatbelts, cruise control, eco boost, launch control, xdrive, parking assist, ........ brake systems are no longer mechanically controlled. This absolutly disgusts me. How many recalls have there been that require firmware upgrades to fix the problem? Firmware should have nothing to do with a vehicle's brakes. This is why I refuse to buy a new vehicle. I will always have more control and I certainly don't need a computer to tell me my gas cap is loose.
eaglei52
50%
50%
eaglei52,
User Rank: Apprentice
7/16/2014 | 1:24:48 PM
Time to start system hardening now....
One of the first areas to secure is the ECU interface port; the connector under the drivers knee used to  measure emissions via computer status codes. It's wide open to anyone.  The software and connector cables are pc friendly and widely available for next to nothing and on car forums there's abundant instruction on modifying built in functions (e.g. how long headlights stay on after shutoff, programming a new chip key, etc.)  A perfect place to infect in ways limited by only imagination. This physical access alone is enough to take action to harden; let us hope it's already begun.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
7/16/2014 | 11:10:51 AM
Remote theft
Something I think could become a problem in years to come when automated vehicles are commonplace, is someone remotely taking control and driving it away from your home while you're asleep, or after you've left it in the car park. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/16/2014 | 10:47:17 AM
Re: How do researchers interface with the group
No details yet, Beau, but I will be following its progress. Thank you for sharing your thoughts.

I am very familiar with I Am The Cavalry--as a matter of fact, I wrote about it last year when all of the consumer device hacks were coming out at Black Hat & DEF CON: http://www.darkreading.com/attacks-breaches/lost-in-translation-hackers-hacking-consumer-devices/d/d-id/1140272

 

 
Page 1 / 2   >   >>
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.