Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:00 PM
Connect Directly

Automobile Industry Accelerates Into Security

Industry looking at intelligence-sharing platform or an Auto-ISAC in anticipation of more automated, connected -- and vulnerable -- vehicles.

Another day, another ISAC -- and this time it's the automobile industry.

The Alliance of Automobile Manufacturers and the Association of Global Automakers today officially announced plans to address growing concerns over security weaknesses and vulnerabilities in new and evolving vehicle automation and networking features that could put cars at risk for nefarious hacking. The industry is in the process of forming a voluntary mechanism for sharing intelligence on security threats and vulnerabilities in car electronics and in-vehicle data networks -- likely via an Auto-ISAC (Information Sharing and Analysis Center), the officials say.

The auto industry's move toward an ISAC comes on the heels of that of the retail and oil and natural gas industries, which recently formed ISACs for their respective industries. While retail and oil & natural gas have faced a wave of real-world threats and attacks on their systems, carmakers for the most part so far have been mostly faced with research demonstrating possible attacks. The heat is on, however, because by 2017, more than 60% of new vehicles will be connected to the Internet, auto industry officials say.

Researchers Charlie Miller and Chris Valasek last year at the DEF CON hacker conference elicited some nervous laughter among attendees as they showed witty but sobering evidence on video of how they were able to hack and take control of the electronic smart steering, braking, acceleration, engine, and other functions of the 2010 Toyota Prius and the 2010 Ford Escape. Their research follows that of 2011 work by the University of Washington and the University of California-San Diego, where academic researchers found ways to hack car features via Bluetooth and rogue CDs, among other tricks.

Miller and Valasek's work was about looking at what could be done if a bad guy hacker could get inside the car's internal network, and they also released their tools during the conference to help promote further study of vehicle vulnerabilities.

The researchers didn't get much response from Ford and Toyota, despite providing the carmakers with their white paper on their research and reaching out to the companies.

[The Retail Industry Leaders Association (RILA) rolls out a retail ISAC following the National Retail Federation's (NRF) announcement of an intel-sharing platform. Read Dual Retail Cyber threat Intelligence-Sharing Efforts Emerge.]

But today's announcement -- which was made at a press briefing at this week's Cyber Auto Challenge security event, where students work with automakers and government agencies on secure system design and programming as well as hands-on application -- appears to be a big step forward for the auto industry when it comes to factoring in the cyber security implications of new car features and functions. Ford and Toyota are both members of the Alliance for Automobile Manufacturers, and Toyota is also a member of the Association of Global Automakers.

Rob Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers, says the goal of the first phase, a cyber security policy working group, is to provide an interim forum for security researchers to share their findings. "Longer-term, we'll be doing the work of governance and scope that would lead to an ISAC to look at vulnerabilities, assess them, and issue alerts," Strassburger says. "All actionable information our members then act upon."

Left to right: Rob Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers;  Mike Cammisa, director of safety at the Association of Global Automakers; Lisa McCauley, vice president and general manager of Battelle Cyber Innovations;  Andrew Brown Jr, vice president and chief technologist, Delphi Automotive PLC; Karl Heimer, director of Battelle Center for Advanced Vehicle Environments
Left to right: Rob Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers; Mike Cammisa, director of safety at the Association of Global Automakers; Lisa McCauley, vice president and general manager of Battelle Cyber Innovations; Andrew Brown Jr, vice president and chief technologist, Delphi Automotive PLC; Karl Heimer, director of Battelle Center for Advanced Vehicle Environments

Even so, Miller says he and Valasek were not part of the discussions that apparently led up to the plans for intelligence- and threat-sharing in the auto industry. "Anything that helps shed light on the security issues in the auto industry is nice although I think, as a researcher, the problem isn't in sharing our research but rather in getting manufacturers to make changes based on it," Miller said in an email exchange. "We have had no problem getting our research out in the media, etc., but I don't necessarily think the industry has been particularly responsive to the changes we've suggested they take, or if they have been, they haven't included us in the discussion.  I tend to think the industry thinks they know what they are doing and don't necessarily need outside help from folks like us."

The working group will look at a formalized Auto-ISAC or other type of program for sharing intel, says Mike Cammisa, director of safety at the Association of Global Automakers. "We will exchange vehicle-related cyber security information" among automakers, their suppliers, and government agencies as well, he said. "The goal is to continue to enhance the driving experience while maintaining the integrity of these systems."

Andrew Brown, vice president and chief technologist at Delphi Automotive PLC, a components supplier to automotive systems, says cyber security threats are bound to increase over time, as more automation and connectivity is added to vehicles. "As such, that represents an increased opportunity for those who may want to do harm to vehicles and the systems we provide," he said. "As a tier 1 supplier, we recognize we alone can't develop solutions and approaches to mitigate threats... It's important to have an industry-wide approach to cyber security issues, and it has to be initiated with the OEMs."

Valasek says car manufacturers and their suppliers tend to be a fairly closed group. "While getting a consortium started is good, the real battle is what to do upon a breach. Pretending like they can develop a perfect system without flaws isn't the answer," he said in an email exchange. There's no such thing as a bug-free system, he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Beau Woods
Beau Woods,
User Rank: Apprentice
7/16/2014 | 10:34:42 AM
How do researchers interface with the group
I'm excited to hear the news that the Auto Industry is getting more proactive about security issues, especially those which can affect human life and public safety. Is there any indication of how security researchers interface with the ISAC? For instance, will the group help coordinate disclosures with the broader industry? Will they solicit recommendations for improving security from researchers and get those to the automakers themselves? 

I'm part of a growing group of security researchers called I Am The Cavalry and we are pushing for exactly these sorts of collaborations between the research community and manufacturers. So far the people we have talked to in those organizations have been interested in working together but there are few mechanisms to do so. Hopefully this ISAC can serve some of that function.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
7/16/2014 | 9:57:06 AM
Re: Automobile cyber security
Your concerns and questions are spot on, @GonzSTL. No specifics yet from the auto industry folks on just how they plan to secure, fix, and address vulns in these current and future automation and networked features, but it is a crucial endeavor. I am looking forward to seeing how the auto industry ultimately works with security researchers, etc., because more and more of them are scrutinizing auto technologies for vulns.
User Rank: Ninja
7/16/2014 | 9:52:35 AM
Automobile cyber security
A while back, I saw a video demonstrating the takeover of an automobile's electronic control systems via a cell phone. That was rather scary! I imagined myself driving a "connected" car, listening to music I had previously downloaded from the internet and saved to portable media (CD, USB drive, SD card, smartphone, etc.) that was plugged in to my car audio system, without knowing that the music file I downloaded contained a remote access trojan designed for automobile systems. Additionally, by sheer coincidence another driver in a similar situation happened to share the same road, and was headed towards me. What if both trojans were controlled by the same bad guy? It is not difficult to envision other nasty scenarios regarding automobile cyber security.

Automobile computer environments are really just a microcosm of IT infrastructures we see in organizations. They are comprised of multiple computers, each with their own functions, and most of them communicate with each other via a data network. Shouldn't we see proper segmentation and layered security within those automobile computer systems, in the same way we see them in our organizational computing environments? I realize that additional layers of security incur additional expense, and impact automated decisions cricital in the safe operation of the vehicle, but certainly the scenario above, and other, more potentially damaging scenarios justify the need.

I certainly hope that automobile systems security isn't treated in the same way that King Roland secured their "air shield", prompting Dark Helmet's comment "So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!"
<<   <   Page 2 / 2
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.