Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/25/2016
04:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

NHTSA Issues Cybersecurity Best Practices For Automakers

Focus is on limiting access to electronic components and what someone can do with that access.

The National Highway Traffic Safety Administration (NHTSA) has issued a set of cybersecurity best practices for connected cars.

Vehicle cybersecurity has captured the attention of safety experts in the wake of security researchers demonstrating how attackers can take advantage of vulnerable electronic components in modern connected cars to gain independent control of critical vehicle functions.

The most dramatic examples have been from security researchers Charlie Miller and Chris Valasek of Uber’s Advanced Technology Center, who as recently as this August demonstrated an attack in which they took over a 2014 Jeep Cherokee’s steering, accelerator, and braking system while the vehicle was moving.

Like the NHTSA's earlier research on the topic, the new recommendations contained in the 22-page report released this week are non-binding and meant to serve purely as guidance for automakers. 

But since the NHTSA’s recommendations are non-binding, it’s unclear how many automakers will implement them.

Many of the recommendations cover the things that automakers need to be focusing on during the manufacturing process like secure development practices, information sharing, vulnerability disclosure, and reporting, incident response, and self-auditing.

But a big section is focused on some of the fundamental cybersecurity precautions that automakers need to deploy in the vehicles themselves. The emphasis here is on restricting access to critical components in connected vehicles and on limiting what someone with access could do with it.

For example, the NHTSA wants manufacturers to consider limiting or even eliminating the access that developers have to the Electronic Control Units (ECUs) in their vehicles. Often such access is facilitated via a debugging port or serial console, the NHTSA said.  

"Any developer-level debugging interfaces should be appropriately protected to limit access to authorized privileged users," the NHTSA said. Merely hiding connectors, traces, or pins that enable debugging access does not provide security, the report noted.

Similarly, the NHTSA wants automakers to implement controls that limit the ability for anyone to modify firmware in a vehicle’s electronic components. For example, by using digital-signing technologies, manufacturers can make it much harder for attackers to make an unauthorized modification or to install rogue software.

Physical and logical segmentation and isolation of critical electronic components should be implemented to limit the damage from external threats, the NHTSA said.

Some of the proof-of-concept attacks against connected vehicles have involved researchers first exploiting a weakness in one component—like a vehicle’s entertainment system—and then using that entry point to try and access other components.

By separating processors, vehicle networks and external connections to the extent possible manufacturers can limit and control the pathways that an attacker might use to escalate privileges, the NHTSA said in its recommendations.

"Strong boundary controls, such as strict white list-based filtering of message flows between different segments, should be used to secure interfaces," it noted.

The NHTSA also wants automakers to consider include limiting access to vehicle maintenance diagnostics; controlling access to firmware via encryption, for example; and limiting the number of network ports, protocols, and services in vehicles.

Major automakers, cognizant of the concerns over cybersecurity at the government and regulatory levels, and anxious to stave off regulation, have already taken steps to address securing cars at the industry level.

For example, the 12-member Alliance of Automobile Manufacturers, comprised of companies like Ford, General Motors, Chrysler, and Toyota, is currently working on an industry-wide effort to identify emerging threats to connected vehicles and measures for mitigating them.

Related stories:

  

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19668
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-17963. Reason: This candidate is a reservation duplicate of CVE-2018-17963. Notes: All CVE users should reference CVE-2018-17963 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
CVE-2019-12882
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2017-6363
PUBLISHED: 2020-02-27
** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for...
CVE-2017-6371
PUBLISHED: 2020-02-27
Synchronet BBS 3.16c for Windows allows remote attackers to cause a denial of service (service crash) via a long string in the HTTP Referer header.
CVE-2017-5861
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-1000020. Reason: This candidate is a reservation duplicate of CVE-2017-1000020. Notes: All CVE users should reference CVE-2017-1000020 instead of this candidate. All references and descriptions in this candidate have been removed to...