Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Automobile Industry Accelerates Into Security
Threaded  |  Newest First  |  Oldest First
GonzSTL
50%
50%
GonzSTL,
 User Rank: Ninja
7/16/2014 | 9:52:35 AM
Automobile cyber security
A while back, I saw a video demonstrating the takeover of an automobile's electronic control systems via a cell phone. That was rather scary! I imagined myself driving a "connected" car, listening to music I had previously downloaded from the internet and saved to portable media (CD, USB drive, SD card, smartphone, etc.) that was plugged in to my car audio system, without knowing that the music file I downloaded contained a remote access trojan designed for automobile systems. Additionally, by sheer coincidence another driver in a similar situation happened to share the same road, and was headed towards me. What if both trojans were controlled by the same bad guy? It is not difficult to envision other nasty scenarios regarding automobile cyber security.

Automobile computer environments are really just a microcosm of IT infrastructures we see in organizations. They are comprised of multiple computers, each with their own functions, and most of them communicate with each other via a data network. Shouldn't we see proper segmentation and layered security within those automobile computer systems, in the same way we see them in our organizational computing environments? I realize that additional layers of security incur additional expense, and impact automated decisions cricital in the safe operation of the vehicle, but certainly the scenario above, and other, more potentially damaging scenarios justify the need.

I certainly hope that automobile systems security isn't treated in the same way that King Roland secured their "air shield", prompting Dark Helmet's comment "So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!"
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
 User Rank: Strategist
7/16/2014 | 9:57:06 AM
Re: Automobile cyber security
Your concerns and questions are spot on, @GonzSTL. No specifics yet from the auto industry folks on just how they plan to secure, fix, and address vulns in these current and future automation and networked features, but it is a crucial endeavor. I am looking forward to seeing how the auto industry ultimately works with security researchers, etc., because more and more of them are scrutinizing auto technologies for vulns.
theb0x
50%
50%
theb0x,
 User Rank: Ninja
7/16/2014 | 1:36:11 PM
Re: Automobile cyber security
What exactly is the benefit of automated computer systems in a vehicle besides people being lazy?

Automatic transmission, power door locks, power windows, powered trunk latch, power seats, power seatbelts, cruise control, eco boost, launch control, xdrive, parking assist, ........ brake systems are no longer mechanically controlled. This absolutly disgusts me. How many recalls have there been that require firmware upgrades to fix the problem? Firmware should have nothing to do with a vehicle's brakes. This is why I refuse to buy a new vehicle. I will always have more control and I certainly don't need a computer to tell me my gas cap is loose.
supersat
50%
50%
supersat,
 User Rank: Apprentice
7/16/2014 | 5:22:47 PM
Re: Automobile cyber security
The first ECUs were for fuel efficiency and emissions control. Now a lot of ECUs provide several critical safety features -- anti-lock brakes, stability control, tire pressure monitoring, airbags, etc. As a side note, a lot of automatic transmissions are implemented with hydraulics that determine when and how to shift.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
7/17/2014 | 9:03:47 AM
Re: Automobile cyber security
Another argument is that the majority of accidents are caused by operator error and that more vehicular automation -- including self-driving cars -- would be safer than what we have now. That's a nice thought, though I shudder to think about what hackers would do in that truly mobile environment. 
Robert McDougal
50%
50%
Robert McDougal,
 User Rank: Ninja
7/18/2014 | 11:50:54 AM
Re: Automobile cyber security
I for one believe self driving cars are inevitable and a good thing for everyone but local police departments.  However, if auto manufacturers do not take security serious then we may all be in for a bumpy ride.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
 User Rank: Strategist
7/18/2014 | 2:14:21 PM
Upcoming DR Radio episode on car hacking
I have security experts/car hackers Charlie Miller and Chris Valasek as my guest on Dark Reading Radio on Wed. July 30 at 1pm ET and they will be sharing some of their newest research into vulnerabilities in cars, both local and remotely hackable. They will have some very interesting insight into all of this.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
7/18/2014 | 3:34:23 PM
Re: Upcoming DR Radio episode on car hacking
that sounds like a great show Kelly. I'm fascinated by the idea of self-driving cars. I love the idea of being able leave the driving to the car and use the time to read, work or simply enjoy the view. But there definitely will be a dark side to this. It will be great to hear what Miller and Valasek have to say about it.   
Robert McDougal
50%
50%
Robert McDougal,
 User Rank: Ninja
7/18/2014 | 5:46:48 PM
Re: Upcoming DR Radio episode on car hacking
I look forward to hearing their insights!
Beau Woods
50%
50%
Beau Woods,
 User Rank: Apprentice
7/16/2014 | 10:34:42 AM
How do researchers interface with the group
I'm excited to hear the news that the Auto Industry is getting more proactive about security issues, especially those which can affect human life and public safety. Is there any indication of how security researchers interface with the ISAC? For instance, will the group help coordinate disclosures with the broader industry? Will they solicit recommendations for improving security from researchers and get those to the automakers themselves? 

I'm part of a growing group of security researchers called I Am The Cavalry and we are pushing for exactly these sorts of collaborations between the research community and manufacturers. So far the people we have talked to in those organizations have been interested in working together but there are few mechanisms to do so. Hopefully this ISAC can serve some of that function.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
 User Rank: Strategist
7/16/2014 | 10:47:17 AM
Re: How do researchers interface with the group
No details yet, Beau, but I will be following its progress. Thank you for sharing your thoughts.

I am very familiar with I Am The Cavalry--as a matter of fact, I wrote about it last year when all of the consumer device hacks were coming out at Black Hat & DEF CON: http://www.darkreading.com/attacks-breaches/lost-in-translation-hackers-hacking-consumer-devices/d/d-id/1140272

 

 
Whoopty
50%
50%
Whoopty,
 User Rank: Ninja
7/16/2014 | 11:10:51 AM
Remote theft
Something I think could become a problem in years to come when automated vehicles are commonplace, is someone remotely taking control and driving it away from your home while you're asleep, or after you've left it in the car park. 
eaglei52
50%
50%
eaglei52,
 User Rank: Apprentice
7/16/2014 | 1:24:48 PM
Time to start system hardening now....
One of the first areas to secure is the ECU interface port; the connector under the drivers knee used to  measure emissions via computer status codes. It's wide open to anyone.  The software and connector cables are pc friendly and widely available for next to nothing and on car forums there's abundant instruction on modifying built in functions (e.g. how long headlights stay on after shutoff, programming a new chip key, etc.)  A perfect place to infect in ways limited by only imagination. This physical access alone is enough to take action to harden; let us hope it's already begun.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internet—and What Your Organization Can Do About It
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7822
PUBLISHED: 2020-08-04
DaviewIndy has a Heap-based overflow vulnerability, triggered when the user opens a malformed image file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution.
CVE-2020-7823
PUBLISHED: 2020-08-04
DaviewIndy has a Memory corruption vulnerability, triggered when the user opens a malformed image file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution.
CVE-2020-6012
PUBLISHED: 2020-08-04
ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems.
CVE-2019-20001
PUBLISHED: 2020-08-04
An issue was discovered in RICOH Streamline NX Client Tool and RICOH Streamline NX PC Client that allows attackers to escalate local privileges.
CVE-2020-15467
PUBLISHED: 2020-08-04
The administrative interface of Cohesive Networks vns3:vpn appliances before version 4.11.1 is vulnerable to authenticated remote code execution leading to server compromise.