Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10:00 PM
Connect Directly

Automakers Openly Challenged To Bake In Security

An open letter sent to automobile manufacturer CEOs asks carmakers to adopt a proposed five-star cyber safety program.

LAS VEGAS — DEF CON 22 — Efforts to pressure the automobile industry into better locking down cyber security in automated features of modern cars intensified today as a collective of security researchers sent the CEOs at major auto firms an open letter calling for them to adopt a new five-star cyber safety program.

The so-called I Am The Cavalry group, a grass roots organization that formed a year ago at DEF CON 21 to bridge the massive gap between the cyber security research community and the consumer products sector, outlined the Five Star Automotive Cyber Safety Program aimed at ensuring public safety in the face of increasingly connected and automated vehicles.

The voluntary program is all about building security into the computerized features of modern vehicles. Vulnerabilities in car automation systems have been exposed by security researchers, including Charlie Miller and Chris Valasek, who this week at Black Hat USA shared their newest research on remote attack surfaces in cars. Miller and Valasek studied how different vehicles' automation and networked features are configured and the potential for an attacker to exploit them to mess with steering, parking, and other automated features.

"It's a call to [automakers to] collaborate on cyber safety," says Nicholas Percoco, vice president of strategic services at Rapid7, and one of the founders of I Am The Cavalry.

The five components are: safety by design, where automakers build automation features with security in mind and employ a secure software development program; third-party collaboration, where automakers establish vulnerability disclosure policies; evidence capture, where automakers log forensic information that could be used in any safety or breach investigation; security updates, where they push software updates to customers efficiently; and segmentation and isolation, where critical systems are kept in a safe sector of the car's network.

"With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes," says Josh Corman, a founder of I Am The Cavalry and CTO at Sonatype.

"We want to fix incentives, not bugs, for dependence on technology that's worthy of our trust."

Andrew Ruffin, a former staffer for US Sen. Jay Rockefeller (D-WV) who worked on the Senate Commerce Committee, says the security industry reaching out directly to the automobile industry is a good strategy. "I'm encouraged by the letter and hope there's a quick response," said Ruffin, who attended the press briefing here. "I think this has some legs."

But the auto industry has been showing signs of taking cyber security more seriously. Last month, the Alliance of Automobile Manufacturers and the Association of Global Automakers, whose members include many major automakers, announced that the industry is forming a voluntary mechanism for sharing intelligence on security threats and vulnerabilities in car electronics and in-vehicle data networks -- likely via an Auto-ISAC (Information Sharing and Analysis Center).

"Despite the absence of reported cybersecurity incidents affecting vehicles on the road to date, we are taking action to prepare for possible future threats. Consequently, we are jointly working towards establishing a mechanism for sharing vehicle cybersecurity information, threats, warnings and incidents among industry stakeholders," the associations said in a July 1 letter to the National Highway Safety Administration, announcing their plans.

Meanwhile, the I Am The Cavalry letter also was posted on Change.org as a petition for the general public to sign. It reads in part:

New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cyber security have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.

When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles. 

The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.

Tony Sager, chief technologist for The Council on Cyber Security, said the letter offers a clear framework. "It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement."

Aside from the auto industry, I Am The Cavalry also is focused on the home automation, medical device, and public infrastructure sectors.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
8/11/2014 | 10:33:11 AM
Automobile security
If this gains traction, and there's no reason why it shouldn't, then maybe for the first time, we will see security baked in during the infancy of a technology application. With widespread publicity, people will be aware of the dangers of complacency or ignorance, especially if they use the technology in such a personal thing as an automobile. With the recent spate of data breaches, the general public is keenly aware of its effect on them, and I venture to guess that they are pretty fed up with it. Automobiles are big ticket items on anyone's budget, and I hope that buyers will take its technology security into consideration in the vehicle that they purchase. Can you imagine a public service commercial displaying the remote takeover of a vehicle, leaving the driver helpless? What an impact that would make and it would place enormous pressure on the automobile industry to take technology security seriously.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
8/12/2014 | 7:44:08 AM
Re: Automobile security
Totally agree that this is an important and necessary first step for the auto industry to take to protect consumers as next gen connected cars come to market. Hope the car makers are paying attention!
User Rank: Ninja
8/12/2014 | 8:10:21 AM
Re: Automobile security
Well, the more press this gets, the more people become aware of it. I'm surprised that this hasn't hit the major news outlets. I know that car hack videos have garnered millions of hits on youtube, so at least social media helps to spread the information. This is such a critical issue, and it doesn't stop at vehicles. The security of the IoT is of particular concern, as we know from discussions about the topic.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor
PUBLISHED: 2021-05-10
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/ action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.