Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Intel Takes On Car Hacking, Founds Auto Security Review Board
Newest First  |  Oldest First  |  Threaded View
jscott490
50%
50%
jscott490,
User Rank: Apprentice
9/17/2015 | 12:16:11 PM
Looks like marketing to me
Intel doesn't have much of a presence in automotive electronics (they don't even show up in top 10 of automotive electronics providers), so this seems like more of a move to get into a market that they have continually failed in than anything else, to me. Even the infotainment systems are more likely to use smart phone processors and electronics where Intel also doesn't play well.

As seen from the hacker stuff, the weak point in all automotive electronics is the infotainment systems. They have not been protected as well as they should be, and they have been used along with in-depth research to reprogram the micros that are on the CAN bus and send erroneous messages. Harden the entry point (i.e. infotainment) and the rest will be fine.
Enrico Fontan
50%
50%
Enrico Fontan,
User Rank: Strategist
9/15/2015 | 12:28:22 PM
New security controls
As started in the SCADA systems, we need to adopt security controls also in the Automotive environment.

Car system integration can be a big step, think about engines interacting with GPS to understand terrain data (objective:save fuel).  

We still can have "isolated" systems, but as in other IT systems we need to think about data flow and data access permissions.

On the other hand, without such controls system integration can bring several risks.
DarkerMind
50%
50%
DarkerMind,
User Rank: Apprentice
9/15/2015 | 11:27:09 AM
Re: Vehicle hacking
@DontBeknown You make excellent points. I think it was naive to design this system without planning for security
DontBeknown
100%
0%
DontBeknown,
User Rank: Apprentice
9/14/2015 | 11:19:45 PM
Vehicle hacking
It is interesting how we think that we "need" our engine, brakes, transmission, etc. to be connected via network to our entertainment system and internet.

They've been running into this in the aircraft world as well.  In the past, you were not allowed to have ANY primary system in an aircraft hooked into any other system.  In otherwords - Engine # 1 circuts would be separated physically and electronically from any of the other systems (primary navigation did this as well).  All primary systems would be done this way for safety reasons - you wouldn't want a problem on Engine #2 to take out the controls for Engine #1 now - would you?  

With the advent of networking - they (engineers) figure they can do it better - forgetting all that has been learned about safety in the past.  Why would you ever hook the entertainment system (and internet) to engine controls?  Or brakes? or the transmission?  It need not be that way. It's gone as far as hackers being able to OPEN THE DOORS on moving vehicles on the freeway!!  Really?  Is this level of integration required or is it just an open barn door of "we can so we will"? 

Take this level of sophistication out of cars.  It is not needed.  The entertainment system (and navigation system) should be separate from the drivetrain and safety equipment in ANY vehicle.  This level of networked BS is stupid, and dangerous.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-22864
PUBLISHED: 2021-10-26
A cross site scripting (XSS) vulnerability in the Insert Video function of Froala WYSIWYG Editor 3.1.0 allows attackers to execute arbitrary web scripts or HTML.
CVE-2021-23877
PUBLISHED: 2021-10-26
Privilege escalation vulnerability in the Windows trial installer of McAfee Total Protection (MTP) prior to 16.0.34_x may allow a local user to run arbitrary code as the admin user by replacing a specific temporary file created during the installation of the trial version of MTP.
CVE-2021-41866
PUBLISHED: 2021-10-26
MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.
CVE-2019-3556
PUBLISHED: 2021-10-26
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where o...
CVE-2021-35499
PUBLISHED: 2021-10-26
The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Stored Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim...