Hackers Must Keep Tearing Cars Apart

Carmakers need to ask software hackers to ‘tear their cars apart’ to make sure the products are cyber secure.

That’s the view of Casey Ellis, CTO and founder of the Bugcrowd platform for crowdsourced security, who thinks traditional automakers’ habit of keeping innovations behind closed doors undermines their ability to make their products digitally robust. Speaking to TU-Automotive, Ellis said: “The reality is hacking is going to happen anyway because hackers are looking to improve the security of the products. So, they are going to take your product and tear it apart to find problems with it whether you ask them or not.

“It just becomes an issue whether you are actually taking advantage of that information and if you’re ready for it when it comes. The smart move is to be proactive and anticipate this.”

Hacking benefits

He said engaging with hackers as a resource rather than a threat can have real business benefits for the auto industry. Ellis explained: “The way that we encourage folk to do this is by working out what is important among the noise of the internet and working out how to get that information to where it needs to go within an organization. The first port of call for any manufacturer is to establish a vulnerability disclosure policy where they say, ‘If you’ve found a security issue in one of our products, here’s where to send it and we interpret your actions as being in good faith’.

“In this way there has, in the past, been a chilling effect on the hacking community worried that they may be sued or get a knock on the door from the police even when they haven’t breached anyone’s data and just found a fault on a car.”

He admitted not all manufacturers have been slow in seeing the value in tapping into the hacking community’s expertise. Ellis said: “What we have seen is an incredible increase over the last five years, with Tesla and Fiat Chrysler leading the charge, in getting feedback on their products from the outside world. Such as, when you build a vehicle it is impossible to get it 100% perfect especially as it relates to software. So engaging the help of the security research community, and the car hacking community in particular, that’s becoming increasingly important.

Code dependent

“That’s because the dependency on code increases in the average vehicle, and also as feature release starts to accelerate, car manufacturers increasingly competing with each other in these technologies. Some manufacturers have risen to this challenge and said ‘yes, we understand this is a safety critical issue and not just a geeky software issue’.

“Then there are all the others who are going to have to think about adopting the same approach especially as they introduce more and more autonomy into our vehicles. Already, the idea of LiDAR-assisted braking, steering and lane changing are becoming far more standardized. To achieve this, you have to assume you haven’t got things perfectly and need to solicit as much input as you can possibly find in order to find where the gaps might be so that you can fix them.”

Industry standards

Ellis also recommends drawing lessons from other industries that have adopted best-practice standards to safeguard against future cyber-security problems. He said: “We saw this with the Food and Drug Administration with respect to medical device security a couple of years ago, when they incorporated vulnerability disclosure into their post market cyber-security guidance for these devices. So you are talking about similar things, computerized equipment that is safety critical and is subject to all the same potential challenges as any other piece of software.

“If we can see the Department of Transportation in the US and equivalents around the world start to say: ‘Hey, if you’re an automaker who is building a car that is making driving decisions, you have to have a way of receiving security vulnerability from the researching car hacking community,’ I think that would be a really good step.”

— Paul Myles is a seasoned automotive journalist based in London. Follow him on Twitter @Paulmyles_

