Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/14/2015
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Intel Takes On Car Hacking, Founds Auto Security Review Board

Chipmaker establishes new Automotive Security Review Board for security tests and audits

After a summer full of car hacking revelations, Intel, today, announced the creation of a new Automotive Security Review Board (ASRB), focused on security tests and audits for the automobile industry.

The potential for modern connected cars to be attacked and remotely controlled by malicious hackers is a topic that has received considerable attention recently from security experts, industry stakeholders, regulators, lawmakers, and consumers.

Demonstrations like one earlier this year where two security researchers showed how attackers could take wireless control of a 2014 Jeep Cherokee’s braking, steering, and transmission control systems, have exacerbated those concerns greatly and lent urgency to efforts to address the problem.

Intel also released a whitepaper describing a preliminary set of security best practices for automakers, component manufactures, suppliers, and distributors in the automobile sector.

An Intel press release described the ASRB as a forum for top security talent in the area of cyber-physical systems. “The ASRB researchers will perform ongoing security tests and audits intended to codify best practices and design recommendations for advanced cyber-security solutions,” for the auto industry, the release noted.

ASRB members will have access to Intel automotive’s development platforms for conducting research. Findings will be published publicly on an ongoing basis, Intel said. The member that provides the greatest cybersecurity contribution will be awarded a new car or cash equivalent.

Intel’s security best practices whitepaper, also released today, identified several existing and emerging Internet-connected technologies in modern vehicles that present a malicious hacking risk.

Modern vehicles have over 100 electronic control units, many of which are susceptible to threats that are familiar in the cyber world, such as Trojans, buffer overflow flaws, and privilege escalation exploits, Intel said. With cars connected to the external world via Wi-Fi, cellular networks, and the Internet, the attack surface has become substantially broader over the last few years.

The whitepaper identifies 15 electronic control units that are particularly at risk from hacking. The list includes electronic control units managing steering, engine, and transmission, vehicle access, airbag and entertainment systems. “Current automotive systems are vulnerable,” Intel noted. “Applying best-known practices and lessons learned earlier in the computer industry will be helpful as vehicles become increasingly connected.”

Concerns have been growing in recent times about critical security weaknesses in many of the Internet-connected components integrated in new vehicles these days. Chrysler for instance, recalled 1.4 million vehicles after two security researchers showed how they could bring a Jeep Cherokee traveling at 70 mph to a screeching halt by hacking into its braking system from 10 miles away.

A report released by Senator Edward Markey (D-MA) in February, based on input from 16 major automakers, revealed how 100 percent of new cars have wireless technologies that are vulnerable to hacking and privacy intrusions. The report found that most automakers were unaware or unable to say if their vehicles had been previously hacked while security measures to control unauthorized access to control systems were inconsistent.

Craig Hurst, director of strategic planning and product management at Intel Transportation Solutions Division’s Internet of Things Group says a holistic approach is required to address security issues in Internet connected vehicles.

“Automotive security must be approached from a system-level perspective, and not from a single attack surface or platform ingredient alone,” he says. Collaboration and contribution across the entire automotive ecosystem are critical to ensuring better security, he says.

“Security begins with the design of the car where hardware, software, and network security technologies can be deployed,” he says. Organizations in the automobile sector have to start thinking about institutional processes such as security development lifecycle and secure supply chain management from a cyber risk standpoint. And processes need to be in place to ensure that vehicles continue to be protected as new threats emerge over its life time,” Hurst says.

“The complexity of the automotive ecosystem requires an industry effort, and there’s a positive momentum building,” he said. “The most important aspect is that security must be observed, designed, tested, and enhanced from a system-level view." 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jscott490
50%
50%
jscott490,
User Rank: Apprentice
9/17/2015 | 12:16:11 PM
Looks like marketing to me
Intel doesn't have much of a presence in automotive electronics (they don't even show up in top 10 of automotive electronics providers), so this seems like more of a move to get into a market that they have continually failed in than anything else, to me. Even the infotainment systems are more likely to use smart phone processors and electronics where Intel also doesn't play well.

As seen from the hacker stuff, the weak point in all automotive electronics is the infotainment systems. They have not been protected as well as they should be, and they have been used along with in-depth research to reprogram the micros that are on the CAN bus and send erroneous messages. Harden the entry point (i.e. infotainment) and the rest will be fine.
Enrico Fontan
50%
50%
Enrico Fontan,
User Rank: Strategist
9/15/2015 | 12:28:22 PM
New security controls
As started in the SCADA systems, we need to adopt security controls also in the Automotive environment.

Car system integration can be a big step, think about engines interacting with GPS to understand terrain data (objective:save fuel).  

We still can have "isolated" systems, but as in other IT systems we need to think about data flow and data access permissions.

On the other hand, without such controls system integration can bring several risks.
DarkerMind
50%
50%
DarkerMind,
User Rank: Apprentice
9/15/2015 | 11:27:09 AM
Re: Vehicle hacking
@DontBeknown You make excellent points. I think it was naive to design this system without planning for security
DontBeknown
100%
0%
DontBeknown,
User Rank: Apprentice
9/14/2015 | 11:19:45 PM
Vehicle hacking
It is interesting how we think that we "need" our engine, brakes, transmission, etc. to be connected via network to our entertainment system and internet.

They've been running into this in the aircraft world as well.  In the past, you were not allowed to have ANY primary system in an aircraft hooked into any other system.  In otherwords - Engine # 1 circuts would be separated physically and electronically from any of the other systems (primary navigation did this as well).  All primary systems would be done this way for safety reasons - you wouldn't want a problem on Engine #2 to take out the controls for Engine #1 now - would you?  

With the advent of networking - they (engineers) figure they can do it better - forgetting all that has been learned about safety in the past.  Why would you ever hook the entertainment system (and internet) to engine controls?  Or brakes? or the transmission?  It need not be that way. It's gone as far as hackers being able to OPEN THE DOORS on moving vehicles on the freeway!!  Really?  Is this level of integration required or is it just an open barn door of "we can so we will"? 

Take this level of sophistication out of cars.  It is not needed.  The entertainment system (and navigation system) should be separate from the drivetrain and safety equipment in ANY vehicle.  This level of networked BS is stupid, and dangerous.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-2319
PUBLISHED: 2019-12-12
HLOS could corrupt CPZ page table memory for S1 managed VMs in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in MDM9205, QCS404, QCS605, SDA845, SDM670, SDM710, SDM84...
CVE-2019-2320
PUBLISHED: 2019-12-12
Possible out of bounds write in a MT SMS/SS scenario due to improper validation of array index in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ805...
CVE-2019-2321
PUBLISHED: 2019-12-12
Incorrect length used while validating the qsee log buffer sent from HLOS which could then lead to remap conflict in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdra...
CVE-2019-2337
PUBLISHED: 2019-12-12
While Skipping unknown IES, EMM is reading the buffer even if the no of bytes to read are more than message length which may cause device to shutdown in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ809...
CVE-2019-2338
PUBLISHED: 2019-12-12
Crafted image that has a valid signature from a non-QC entity can be loaded which can read/write memory that belongs to the secure world in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastruc...