Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

3/8/2010
05:18 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Ford Motor Rolls Out New Security Features To Prevent Car-Hacking

Automaker enhances security for new lines of WiFi-enabled vehicles

Automobile giant Ford Motor this year will debut vehicles with built-in WiFi -- along with enhanced security features to prevent data breaches via its new cars.

Ford has offered the so-called Sync technology service it co-developed with Microsoft in most of its Ford, Lincoln, and Mercury vehicles since 2008. The technology lets drivers run their Bluetooth-enabled mobile phones and digital media players via their vehicles and use voice commands to operate them, for instance.

The automaker announced today that the second generation of its Sync technology -- due out later this year and to include a full Windows CE operating system with a new driver interface called MyFordTouch -- will come with a built-in browser and secured WiFi access. It will first debut in the 2011 Ford Edge and 2011 MKX Lincoln, and later, in the 2012 Ford Focus.

"We really began to focus on the security side when we began launching Sync, and it was [originally] for working with phones and media players," says Jim Buczkowski, director of Ford electronics and electrical systems engineering. "Now we're extending that system connectivity to include WiFi as another data path for customers in their vehicles ... and we're extending that security model for protecting WiFi."

The WiFi will be broadcast via Sync using a USB-based modem, and Ford has updated its on-board firewalls to protect both the WiFi network as well as the vehicle's operations. The WiFi network is set by default to WiFi Protected Access 2 (WPA2) encryption for secured access to the wireless network. It also will provide anti-malware protection for the MyFordTouch system.

Sukhwinder Wadhwa, manager of the Sync platform and technologies at Ford, says Ford doesn't consider security to be an add-on feature. "We work closely with the Ford enterprise IT security [group] to use basically the same guiding principals for security" as they use for the enterprise security, Wadhwa says.

"Any software is first verified by Ford engineers and signed by Ford enteprise servers before it gets installed [in the vehicles]," he says.

Wadhwa says Ford also uses internal ethical hacking teams as well as third-party consultants to test out the security of the Sync features.

"They are proud that they enable WPA2 and a firewall by default on the access point, perform pairing over Bluetooth, and have some arbitrary DRM for preventing swapping hard drives of MP3s. It all sounds like pretty vanilla stuff, anything a decent home network set-up has," says Nate Lawson, principal with Root Labs.

Wadhwa says Ford isn't aware of any car-hacking incidents with its vehicles to date. "We do not want to have any incidents in the first place," he says. "We are connecting consumer-grade devices [in the vehicle], and we want to make sure out of the chute we are protected from any bad devices out there, like memory sticks or whatever they put [into the vehicle]," he says.

Wadhwa says the hardware-based firewall technology is made up of two "separate entities" so that the consumer side of the firewall that handles what can connect can't pass information to the vehicle's processor, or vice versa. "

All of Ford's vehicles in the next five years will come with the secure WiFi option, according to Ford.

Meanwhile, the automaker's Sync service, which comes standard in some higher-end models and for an optional monthly fee in other models, already comes with phone-pairing protection, an encrypted jukebox hard drive for the driver's music library, a valet-mode option that locks all programmed navigation destinations from view, an engine immobilizer, and keyless entry features.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17545
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVE-2019-17546
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVE-2019-17547
PUBLISHED: 2019-10-14
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
CVE-2019-17501
PUBLISHED: 2019-10-14
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
CVE-2019-17539
PUBLISHED: 2019-10-14
In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.