How can we ‘disclose’ a potentially fatal hack?


It is 2015 and we have now had the first recall based solely on a synthesised cyber-attack on an automotive platform. The good news is that the only affected vehicle was owned by the hackers and the only person hurt by their foolhardy, open road test was a single terrorised reporter (see Latest ‘prank’ hack gets carmakers rattled).

In the week following the hack, we saw Fiat Chrysler move from its initial software patch and Technical Service Bulletin to a full recall of the 1.4M affected vehicles, a recall that is being monitored by the US’s National Highway Traffic Safety Administration (NHTSA) to track vehicle updates.

This is a historic moment in the automotive arena. Not only have we experienced our first cyber recall, we have also potentially witnessed the first circumstance of responsible disclosure in the automotive industry.

In the IT space, responsible disclosure is a model of vulnerability disclosure in which the stakeholders agree to withhold the details of a hack until a patch can be issued. This is a tricky thing in the automotive space, where the outcomes are going to be very different from those in the enterprise world. Take, for example, the critical Android vulnerability that is going to be published at the same convention as the previously mentioned vehicle exploit.

In many respects the Android disclosure is more severe, affecting over 950M Android devices worldwide and allowing an attacker to control the device. In fact, the biggest difference between the automotive exploit and the Android one is that hacking a phone isn’t the kind of thing that will generally cause user fatalities. As the vehicle hackers explained to Wired, describing their exploit: “This might be the kind of software bug most likely to kill someone.”

In Android’s case, an update will be distributed. Then phone manufacturers will decide which phones to update and provide updates to those users in due time. In May, iOS went public with a similar text vulnerability and an update was made available in early June. In neither case has there been any government oversight, because the safety of phones is not regulated.

This kind of response would not be possible in an automotive application where such vulnerabilities could put lives at stake. What does this say about the nature of responsible disclosure with regard to vehicles? Does the cyber-physical nature of automobiles change anything?

The hackers behind the current exploit plan to release some, but not all, of their source code at Black Hat 2015. Clearly they recognise the potential liability to them and their companies if their exploit leads to fatalities in the hands of other hackers, but is it responsible to release even a portion of the code for an exploit that has the potential to cause fatalities?

Releasing source code in this way is, of course, inherent to the responsible disclosure model, but does it work for automotive? This is something automakers and legislators will need to consider as they map out the future of automotive cyber security.

Now read what one of the hackers, Chris Valasek, had to tell TU-Automotive last year.
