Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
9/14/2015
11:35 AM
Lorie Wigle
Lorie Wigle
Partner Perspectives
50%
50%

Your ‘Check Security’ Light Is On

Please restart your car in safe mode.

Your car may not get a “Check Security” light in the future, but it might get an “Update Software” light. In addition to Drive, Reverse, and Park, it may also get a Safe mode with diminished but sufficient functions to get home or to a safe stop in the event of an automotive security incident.

As automotive systems use more and more electronic control units and greater information sharing inside and outside of the vehicle, computer security and data privacy join safety and reliability as important aspects of vehicle design, production, and operations. Intel is part of a large ecosystem of manufacturers, suppliers, standards bodies, universities, and government organizations collaborating to advance the research and best practices on secure driving experiences. Consumers’ trust and confidence in the security of their vehicles will become as important as reliability and safety when these factors first emerged as critical consumer issues and competitive differentiators.

“Unsafe at any bandwidth” is not a title that anyone wants to see published. Vehicle designers, product engineers, and suppliers are all working to design security that can detect, protect, and mitigate current and emerging threats. While networking in-vehicle systems and connecting cars to the Internet increases the threat level, distributed security architectures and layers of defenses that are intentional and proactive will help secure them from chip to cloud. These layers include:

  • Hardware security: secure boot, tamper protection, memory protection extensions, and device identity that defend the operating components from intentional or accidental damage
  •  Software security: virtualization, software containers, digital authentication, and behavior enforcement that isolate vehicle functions, verify identities, and restrict inappropriate messages and activities
  • Network security: firewalls, message authentication, and behavior enforcement that protect messages and personal information while it is in transit inside the vehicle, between vehicles, or to external services
  • Cloud security: secure authenticated channels, remote monitoring, threat intelligence, and over-the-air updates that provide real-time connections to additional security services to help detect and correct threats before they get to the car
  • Supply chain security: authorized distribution channels, component track and trace, and supply continuity that detect and protect the supply chain from compromise and infiltration of tainted or counterfeit parts
  • Data privacy and anonymity: encryption and authentication, data anonymization, and appropriate policies that protect personally identifiable information, control unauthorized data access, and constrain data leakage

These tools and technologies can be designed in to a vehicle, but the vehicle also has to be protected once it has left the dealership -- a lifecycle that can extend for 15 years or more. Increases in computing performance, storage capacity, and development of new attack methodologies could make currently impossible attacks possible. Securing cars over their lifetime means introducing techniques such as firmware and software patches, over-the-air updates, and other countermeasures to quickly close vulnerabilities and reduce the cost of recalls. It also means developing incident response plans that encompass all of the stakeholders, including drivers, owners, manufacturers, suppliers, aftermarket parts, dealers and service operations, emergency or transportation agencies, and security vendors.

There are many open questions in this area, and we are just scratching the surface of the security and privacy issues facing the next generation of vehicles. However, we believe that collaboration on research, development, and operations makes the goal of trusted vehicles and confident driving experiences achievable. 

Lorie Wigle is building a new business focused on securing critical infrastructure and IOT more broadly at Intel subsidiary McAfee. Lorie has been with Intel for nearly 30 years in a wide variety of marketing and technical roles. She has an MBA from Portland State University ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/14/2015 | 12:31:15 PM
Multi-Factor Authentication
Multi-factor authentication should still be a pivotal point in updates for cars. A physical device to ensure you are you and a secure channel from the provider with a code sent from this channel to the device would be a good start.


Otherwise, the risk is too high for an everyday task that already has critical danger involved.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16246
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
CVE-2019-17358
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
CVE-2019-17428
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.
CVE-2019-18345
PUBLISHED: 2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrat...
CVE-2019-19198
PUBLISHED: 2019-12-12
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.