Keeping cyber hands off your steering wheel

Q: What are the top threats to cybersecurity in the automotive industry?

“I think right now the top threats are really shifting to remote attacks. Attacks like Bluetooth can be damaging in proximity, but you have to be considerably close to the car, as opposed to things that may come over cellular or radio, which may happen from hundreds of miles away. If your car is connected to the internet, someone from across the world can touch your car. So any entry point that can be accessed from that point of view will be a very dangerous spot. One of the things that hasn’t been hit yet but is likely to be in the next couple of years, and that I’m most worried about, is car ransomware: professional attackers, not random geeks or kids in their garages, actually targeting high-end vehicles, attacking them, taking control and saying we won’t let you drive your vehicle unless you pay. This is a major issue already on regular computers and moving into mobile, but the difference is that on a computer it’s just data, whereas if someone hacks your car they can prevent you from getting from point A to point B, or worse, they could actually destroy the car. When you come to high-end vehicles, it may be very hard to detect that that actually happened and prove it, but also the choice can come down to the owner: is it worth spending thousands of dollars and saving my car, or do I want to go through the hassle of trying to prevent this from happening? Which you may or may not be able to do. That is probably my biggest worry right now.”

Q: What, as an industry, can be done and is being done?

“What is being done, that I know of, is that certain auto manufacturers have started actually working with security researchers and hiring their own security teams to actively test, as well as building in a security development lifecycle, so there is built-in security from the ground up as much as they can. They’re now working on it and realising it’s not going to go away and that this is something that we cannot act without, which is good. Unfortunately, there’s still a long way to go and the OEMs are still a little bit head-in-the-sand. What can be done? There needs to be a lot more done on this; the industry needs to understand it’s not a matter of if you’re going to get hacked but when, and that in situations like this the best defence is a good offence. Engage external researchers and internal ones, open up your platforms to other people to look at. Work with your suppliers and vendors, build in security from day zero and also build in processes to ensure all components have proper security, whether it’s something you’ve built in-house or, in my opinion the bigger worry, something from third party vendors, if you buy a piece of hardware or software. You want to find out what is in it, and you want to make sure the company you buy it from is really taking care of the security for it, as well as keeping it secure and being open and honest about when they do have issues, because we all, every company, even the most secure, are going to find vulnerabilities. The best measure is not the company that has the fewest vulnerabilities; it’s the one whose response to those vulnerabilities is the best.”

Q: Is the media attention given to recent hacks really worth paying attention to i.e. is it a threat right now?

“It is worth paying attention to. The reason why I look at it is maybe not the same as others. The attacks that Charlie [Miller] and Chris [Valasek] did, for example, are somewhat standard; they’re not extremely revolutionary, they just did it in a very interesting way and it affected a lot of vehicles. The same vulnerabilities have been known and disclosed since at least 2011. But they’re finally starting to get traction and finally getting noticed. I think the good part of it is there was a big recall. Two guys who prior to 2011 had no real car knowledge, they are good hackers but had no prior knowledge, and they still don’t have a lot of cellular knowledge, but even without years of car or cellular knowledge they could hack a car. What happens when people who have in-depth knowledge of cellular attacks or in-depth knowledge of how the car works start looking at them publicly? That’s the interesting part to me. Two guys without any domain-specific knowledge were able to spark the recall of millions of cars.”

Q: What should we be focusing on?

“I think the area that Charlie and Chris identified is a very interesting area and should definitely be focused on as an attack surface, as in the cellular connections, but it’s also an interesting point that the entry point wasn’t necessarily designed by the auto manufacturer but by a third party, the one who produced it, and it was then added to the actual automaker’s car. This scenario plays out in many areas in tech. You can have great technical teams, great security teams as part of your own company, like Google and places like that, but when you buy third party or add third party products, you have now introduced a new attack surface which you may or may not truly know what’s going on with, and it’s the third party that can be the tricky part to deal with because of integration, etc. So I think there needs to be a lot of focus on the meeting points and the intersections where different companies are building in products. You have the automotive manufacturer, the third party providing the actual part, the service provider; all of them are meeting at one point, and that is where vulnerabilities can usually be found. The best way to deal with that is open communication on vulnerabilities and continual updates, working with all the parties involved, and making sure that everyone is up to the task. If they’re not, they shouldn’t be a partner.”

Q: Where is the responsibility ultimately going to lie?

“It lies with everyone. It’s not the responsibility of just one person; it’s not just one person’s fault. Everyone needs to understand their role, from the auto manufacturers, which need to know that if they’re buying parts and introducing them, these parts need to be properly vetted. In standard tech, when they are going to introduce third party products they have those products heavily vetted and security tested by impartial third parties to find out where the issues are. Then they also gauge the interaction with the third party manufacturer to see how they respond to issues: do they respond in a good manner? Do they release bug fixes? If third parties are going to be selling products, they need to make sure they are doing due diligence on whether it’s secure, that it is continually updated, and that customers know what the issues are and how to work with them and make sure that they’re secure. You can’t hide things. Service providers have exactly the same responsibilities. Everything needs to be very upfront and everyone needs to work together to make sure it stays secure. The biggest thing, especially for auto manufacturers, is that by bringing in third parties you are bringing in the potential for recalls, lawsuits, etc. You need to be able to document these things directly. While the third party may be at fault, you will be the one held responsible.”
