Automakers Openly Challenged To Bake In Security

An open letter sent to automobile manufacturer CEOs asks carmakers to adopt a proposed five-star cyber safety program.

LAS VEGAS — DEF CON 22 — Efforts to pressure the automobile industry into better locking down cyber security in automated features of modern cars intensified today as a collective of security researchers sent the CEOs at major auto firms an open letter calling for them to adopt a new five-star cyber safety program.

The so-called I Am The Cavalry group, a grassroots organization that formed a year ago at DEF CON 21 to bridge the massive gap between the cyber security research community and the consumer products sector, outlined the Five Star Automotive Cyber Safety Program, aimed at ensuring public safety in the face of increasingly connected and automated vehicles.

The voluntary program is all about building security into the computerized features of modern vehicles. Vulnerabilities in car automation systems have been exposed by security researchers, including Charlie Miller and Chris Valasek, who this week at Black Hat USA shared their newest research on remote attack surfaces in cars. Miller and Valasek studied how different vehicles' automation and networked features are configured and the potential for an attacker to exploit them to mess with steering, parking, and other automated features.

"It's a call to [automakers to] collaborate on cyber safety," says Nicholas Percoco, vice president of strategic services at Rapid7, and one of the founders of I Am The Cavalry.

The five components are: safety by design, where automakers build automation features with security in mind and employ a secure software development program; third-party collaboration, where automakers establish vulnerability disclosure policies; evidence capture, where automakers log forensic information that could be used in any safety or breach investigation; security updates, where they push software updates to customers efficiently; and segmentation and isolation, where critical systems are kept in a safe sector of the car's network.

"With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes," says Josh Corman, a founder of I Am The Cavalry and CTO at Sonatype.

"We want to fix incentives, not bugs, for dependence on technology that's worthy of our trust."

Andrew Ruffin, a former staffer for US Sen. Jay Rockefeller (D-WV) who worked on the Senate Commerce Committee, says the security industry reaching out directly to the automobile industry is a good strategy. "I'm encouraged by the letter and hope there's a quick response," said Ruffin, who attended the press briefing here. "I think this has some legs."

But the auto industry has been showing signs of taking cyber security more seriously. Last month, the Alliance of Automobile Manufacturers and the Association of Global Automakers, whose members include many major automakers, announced that the industry is forming a voluntary mechanism for sharing intelligence on security threats and vulnerabilities in car electronics and in-vehicle data networks -- likely via an Auto-ISAC (Information Sharing and Analysis Center).

"Despite the absence of reported cybersecurity incidents affecting vehicles on the road to date, we are taking action to prepare for possible future threats. Consequently, we are jointly working towards establishing a mechanism for sharing vehicle cybersecurity information, threats, warnings and incidents among industry stakeholders," the associations said in a July 1 letter to the National Highway Safety Administration, announcing their plans.

Meanwhile, the I Am The Cavalry letter also was posted on Change.org as a petition for the general public to sign. It reads in part:

New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cyber security have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.

When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles. 

The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.

Tony Sager, chief technologist for The Council on Cyber Security, said the letter offers a clear framework. "It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement."

Aside from the auto industry, I Am The Cavalry also is focused on the home automation, medical device, and public infrastructure sectors.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
8/12/2014 | 8:10:21 AM
Re: Automobile security
Well, the more press this gets, the more people become aware of it. I'm surprised that this hasn't hit the major news outlets. I know that car hack videos have garnered millions of hits on YouTube, so at least social media helps to spread the information. This is such a critical issue, and it doesn't stop at vehicles. The security of the IoT is of particular concern, as we know from discussions about the topic.

Marilyn Cohodas, User Rank: Strategist
8/12/2014 | 7:44:08 AM
Re: Automobile security
Totally agree that this is an important and necessary first step for the auto industry to take to protect consumers as next gen connected cars come to market. Hope the car makers are paying attention!

User Rank: Ninja
8/11/2014 | 10:33:11 AM
Automobile security
If this gains traction, and there's no reason why it shouldn't, then maybe for the first time, we will see security baked in during the infancy of a technology application. With widespread publicity, people will be aware of the dangers of complacency or ignorance, especially if they use the technology in such a personal thing as an automobile. With the recent spate of data breaches, the general public is keenly aware of its effect on them, and I venture to guess that they are pretty fed up with it. Automobiles are big ticket items on anyone's budget, and I hope that buyers will take its technology security into consideration in the vehicle that they purchase. Can you imagine a public service commercial displaying the remote takeover of a vehicle, leaving the driver helpless? What an impact that would make, and it would place enormous pressure on the automobile industry to take technology security seriously.