Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Automobile Industry Accelerates Into Security
Threaded  |  Newest First  |  Oldest First
GonzSTL
50%
50%
GonzSTL,
 User Rank: Ninja
7/16/2014 | 9:52:35 AM
Automobile cyber security
A while back, I saw a video demonstrating the takeover of an automobile's electronic control systems via a cell phone. That was rather scary! I imagined myself driving a "connected" car, listening to music I had previously downloaded from the internet and saved to portable media (CD, USB drive, SD card, smartphone, etc.) that was plugged in to my car audio system, without knowing that the music file I downloaded contained a remote access trojan designed for automobile systems. Additionally, by sheer coincidence another driver in a similar situation happened to share the same road, and was headed towards me. What if both trojans were controlled by the same bad guy? It is not difficult to envision other nasty scenarios regarding automobile cyber security.

Automobile computer environments are really just a microcosm of IT infrastructures we see in organizations. They are comprised of multiple computers, each with their own functions, and most of them communicate with each other via a data network. Shouldn't we see proper segmentation and layered security within those automobile computer systems, in the same way we see them in our organizational computing environments? I realize that additional layers of security incur additional expense, and impact automated decisions cricital in the safe operation of the vehicle, but certainly the scenario above, and other, more potentially damaging scenarios justify the need.

I certainly hope that automobile systems security isn't treated in the same way that King Roland secured their "air shield", prompting Dark Helmet's comment "So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!"
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
 User Rank: Strategist
7/16/2014 | 9:57:06 AM
Re: Automobile cyber security
Your concerns and questions are spot on, @GonzSTL. No specifics yet from the auto industry folks on just how they plan to secure, fix, and address vulns in these current and future automation and networked features, but it is a crucial endeavor. I am looking forward to seeing how the auto industry ultimately works with security researchers, etc., because more and more of them are scrutinizing auto technologies for vulns.
theb0x
50%
50%
theb0x,
 User Rank: Ninja
7/16/2014 | 1:36:11 PM
Re: Automobile cyber security
What exactly is the benefit of automated computer systems in a vehicle besides people being lazy?

Automatic transmission, power door locks, power windows, powered trunk latch, power seats, power seatbelts, cruise control, eco boost, launch control, xdrive, parking assist, ........ brake systems are no longer mechanically controlled. This absolutly disgusts me. How many recalls have there been that require firmware upgrades to fix the problem? Firmware should have nothing to do with a vehicle's brakes. This is why I refuse to buy a new vehicle. I will always have more control and I certainly don't need a computer to tell me my gas cap is loose.
supersat
50%
50%
supersat,
 User Rank: Apprentice
7/16/2014 | 5:22:47 PM
Re: Automobile cyber security
The first ECUs were for fuel efficiency and emissions control. Now a lot of ECUs provide several critical safety features -- anti-lock brakes, stability control, tire pressure monitoring, airbags, etc. As a side note, a lot of automatic transmissions are implemented with hydraulics that determine when and how to shift.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
7/17/2014 | 9:03:47 AM
Re: Automobile cyber security
Another argument is that the majority of accidents are caused by operator error and that more vehicular automation -- including self-driving cars -- would be safer than what we have now. That's a nice thought, though I shudder to think about what hackers would do in that truly mobile environment. 
Robert McDougal
50%
50%
Robert McDougal,
 User Rank: Ninja
7/18/2014 | 11:50:54 AM
Re: Automobile cyber security
I for one believe self driving cars are inevitable and a good thing for everyone but local police departments.  However, if auto manufacturers do not take security serious then we may all be in for a bumpy ride.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
 User Rank: Strategist
7/18/2014 | 2:14:21 PM
Upcoming DR Radio episode on car hacking
I have security experts/car hackers Charlie Miller and Chris Valasek as my guest on Dark Reading Radio on Wed. July 30 at 1pm ET and they will be sharing some of their newest research into vulnerabilities in cars, both local and remotely hackable. They will have some very interesting insight into all of this.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
7/18/2014 | 3:34:23 PM
Re: Upcoming DR Radio episode on car hacking
that sounds like a great show Kelly. I'm fascinated by the idea of self-driving cars. I love the idea of being able leave the driving to the car and use the time to read, work or simply enjoy the view. But there definitely will be a dark side to this. It will be great to hear what Miller and Valasek have to say about it.   
Robert McDougal
50%
50%
Robert McDougal,
 User Rank: Ninja
7/18/2014 | 5:46:48 PM
Re: Upcoming DR Radio episode on car hacking
I look forward to hearing their insights!
Beau Woods
50%
50%
Beau Woods,
 User Rank: Apprentice
7/16/2014 | 10:34:42 AM
How do researchers interface with the group
I'm excited to hear the news that the Auto Industry is getting more proactive about security issues, especially those which can affect human life and public safety. Is there any indication of how security researchers interface with the ISAC? For instance, will the group help coordinate disclosures with the broader industry? Will they solicit recommendations for improving security from researchers and get those to the automakers themselves? 

I'm part of a growing group of security researchers called I Am The Cavalry and we are pushing for exactly these sorts of collaborations between the research community and manufacturers. So far the people we have talked to in those organizations have been interested in working together but there are few mechanisms to do so. Hopefully this ISAC can serve some of that function.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
 User Rank: Strategist
7/16/2014 | 10:47:17 AM
Re: How do researchers interface with the group
No details yet, Beau, but I will be following its progress. Thank you for sharing your thoughts.

I am very familiar with I Am The Cavalry--as a matter of fact, I wrote about it last year when all of the consumer device hacks were coming out at Black Hat & DEF CON: http://www.darkreading.com/attacks-breaches/lost-in-translation-hackers-hacking-consumer-devices/d/d-id/1140272

 

 
Whoopty
50%
50%
Whoopty,
 User Rank: Ninja
7/16/2014 | 11:10:51 AM
Remote theft
Something I think could become a problem in years to come when automated vehicles are commonplace, is someone remotely taking control and driving it away from your home while you're asleep, or after you've left it in the car park. 
eaglei52
50%
50%
eaglei52,
 User Rank: Apprentice
7/16/2014 | 1:24:48 PM
Time to start system hardening now....
One of the first areas to secure is the ECU interface port; the connector under the drivers knee used to  measure emissions via computer status codes. It's wide open to anyone.  The software and connector cables are pc friendly and widely available for next to nothing and on car forums there's abundant instruction on modifying built in functions (e.g. how long headlights stay on after shutoff, programming a new chip key, etc.)  A perfect place to infect in ways limited by only imagination. This physical access alone is enough to take action to harden; let us hope it's already begun.


DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: He said the knight shift was the pointy end of the cyber-security spear.  
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
CVE-2013-2092
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2013-2093
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2015-3166
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...