
Hackers to Auto CEOs: Build Secure Cars!

A group of security researchers determined to make the physical world a safer place demanded that automobile manufacturers build cars designed to withstand cyber attacks.

August 9, 2014

The group, with the moniker "I am the Cavalry," released an open letter to "Automotive CEOs" through Reuters, posted a copy on its website, and launched a change.org petition to call on automobile industry executives to implement its Five Star Automotive Cyber Safety Program. The pillars of the program include safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation.

"The once distinct worlds of automobiles and cybersecurity have collided," read the letter. "Now is the time for the automotive industry and the security community to connect and collaborate."

Computers manage engines, brakes, navigation, air-conditioning, windshield wipers, entertainment systems, and other critical and non-critical components in modern cars. There is no dispute that they need to be locked down to prevent tampering or unauthorized access. Anyone who has seen last year's video of researchers Charlie Miller and Chris Valasek cackling maniacally in the background while they seize control of the car being driven by Forbes writer Andy Greenberg is going to agree that if an adversary was motivated enough, that person could cause serious physical harm to drivers, and potentially the passengers. Miller and Valasek were at Black Hat this year, demonstrating more car hacks, and this year's DEF CON has several sessions on hacking consumer electronics, medical devices, traffic control systems, and the Internet of Things.

Vehicles are "computers on wheels," said Josh Corman, CTO of Sonatype and a co-founder of the group. The group's open letter is designed to make these computers safer.

The Five Star Program
Safety by design simply means automakers should design and build automation features with security in mind. Automakers should also implement a secure software development program within their companies to encourage better coding and design practices.

Third-party collaboration asks automakers to establish a formal vulnerability disclosure program that clearly states what their policies are and whom to contact. The automakers have to be willing to work with researchers to identify flaws. There is no way automakers will be able to find and fix bugs on their own—this is why a healthy collaboration with researchers is essential. There is less chance of things getting missed.

"Tesla already gets a star," Corman said, noting the electric car maker recently established such a policy.

Evidence capture calls for adding a "black box" to cars, much like what already exists in airplanes. When planes crash, investigators can analyze the black box and understand what was happening in the plane, including conversations, speed of the plane, status of various systems, and a myriad of other technical information. When something goes wrong in a car, in most cases, no information is available. It is difficult to learn from accidents and to work on improving the product when there is no feedback, Corman noted.

Security updates mean the issues being found are fixed on the individual cars in a timely manner. I wouldn't want to be told six months after buying a car that I needed to buy the newer versions to take advantage of the fixes. A security update mechanism ensures the vulnerabilities are fixed effectively.

Segmentation and isolation asks automakers to keep critical systems—such as brakes and steering—separate from the rest of the car's networks, such as the entertainment system. "With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes," said Corman. He noted that there are already significant differences among car manufacturers. Some are better at segmenting than others, but there's still a lot left to do.

We Can't Afford to Wait
The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security. The goal is to start working together to implement security safeguards because "we can't wait for bad things to happen," Corman said. The time to start is now, so that in a few years, these efforts would actually show results, he said. "We know this is going to take a while," he said.

"We aren't doing this for the security researchers," Corman said. "We are doing this for our neighbors, for anyone who drives a car."

About Fahmida Y. Rashid

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source. Follow me on Twitter: zdfyrashid
