LAS VEGAS — DEF CON 22 — Efforts to pressure the automobile industry into better locking down cyber security in automated features of modern cars intensified today as a collective of security researchers sent the CEOs at major auto firms an open letter calling for them to adopt a new five-star cyber safety program.
The so-called I Am The Cavalry group, a grass roots organization that formed a year ago at DEF CON 21 to bridge the massive gap between the cyber security research community and the consumer products sector, outlined the Five Star Automotive Cyber Safety Program aimed at ensuring public safety in the face of increasingly connected and automated vehicles.
The voluntary program is all about building security into the computerized features of modern vehicles. Vulnerabilities in car automation systems have been exposed by security researchers, including Charlie Miller and Chris Valasek, who this week at Black Hat USA shared their newest research on remote attack surfaces in cars. Miller and Valasek studied how different vehicles' automation and networked features are configured and the potential for an attacker to exploit them to mess with steering, parking, and other automated features.
"It's a call to [automakers to] collaborate on cyber safety," says Nicholas Percoco, vice president of strategic services at Rapid7, and one of the founders of I Am The Cavalry.
The five components are: safety by design, where automakers build automation features with security in mind and employ a secure software development program; third-party collaboration, where automakers establish vulnerability disclosure policies; evidence capture, where automakers log forensic information that could be used in any safety or breach investigation; security updates, where they push software updates to customers efficiently; and segmentation and isolation, where critical systems are kept in a safe sector of the car's network.
"With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes," says Josh Corman, a founder of I Am The Cavalry and CTO at Sonatype.
"We want to fix incentives, not bugs, for dependence on technology that's worthy of our trust."
Andrew Ruffin, a former staffer for US Sen. Jay Rockefeller (D-WV) who worked on the Senate Commerce Committee, says the security industry reaching out directly to the automobile industry is a good strategy. "I'm encouraged by the letter and hope there's a quick response," said Ruffin, who attended the press briefing here. "I think this has some legs."
But the auto industry has been showing signs of taking cyber security more seriously. Last month, the Alliance of Automobile Manufacturers and the Association of Global Automakers, whose members include many major automakers, announced that the industry is forming a voluntary mechanism for sharing intelligence on security threats and vulnerabilities in car electronics and in-vehicle data networks -- likely via an Auto-ISAC (Information Sharing and Analysis Center).
"Despite the absence of reported cybersecurity incidents affecting vehicles on the road to date, we are taking action to prepare for possible future threats. Consequently, we are jointly working towards establishing a mechanism for sharing vehicle cybersecurity information, threats, warnings and incidents among industry stakeholders," the associations said in a July 1 letter to the National Highway Safety Administration, announcing their plans.
Meanwhile, the I Am The Cavalry letter also was posted on Change.org as a petition for the general public to sign. It reads in part:
New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cyber security have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.
When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles.
The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.
Tony Sager, chief technologist for The Council on Cyber Security, said the letter offers a clear framework. "It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement."
Aside from the auto industry, I Am The Cavalry also is focused on the home automation, medical device, and public infrastructure sectors.