We are moving into an era of inter-connectivity with billions of devices, including a previously disconnected industry: automotive vehicles. Vehicles were not designed with computer security in mind, and that worked just fine for the last few decades. However, we are now at a point where we can take an "unhackable" 1997 Honda Civic and add in an OBD-II device that creates a vulnerability. That is on top of newer models that ship with Wi-Fi and Bluetooth or that send unencrypted data to the car manufacturer's cloud server.

The issue with throwing cars into the connected world without security in mind is that we have created cars whose non-critical functions (like Bluetooth) are tied to critical functions (like braking) through the CAN bus. I, for one, know I would prefer not having my car remotely stopped in the middle of a highway.

Volkswagen recently had a couple of hacks emerge. Those attacks exploit an 18-year-old security algorithm that's still being used in modern cars. In response to these and other disclosures, I Am The Cavalry – an organization focused on issues where computer security intersects public safety – has stepped in to help guide the automotive industry into a more secure state. Founded by Joshua Corman, I Am The Cavalry introduced the Five Star Automotive Cyber Safety Framework, where each star represents an area of focus to help prevent the exploitation of vulnerabilities in automobiles.
- Safety by Design – Does the car manufacturer take security into account during the Software Development Lifecycle?
- Third Party Collaboration – Does the manufacturer work with security researchers acting in good faith?
- Evidence Capture – Do vehicles collect enough information to facilitate safety investigations?
- Security Updates – Do vehicles have a secure and easy way to update their software for security fixes?
- Segmentation and Isolation – Are the vehicles' critical systems tied to non-critical functions?
If we review the five stars and take a look at the Volkswagen hacks, we can see that third-party collaboration is particularly important in this case. A manufacturer can’t test for every particular use case, but security researchers can help fill in this gap. Unfortunately, not everyone sees it that way. In the case of Volkswagen, their response to the researchers was to delay publication of the research with a lawsuit instead of trying to fix their own security flaws.

Tesla, Chrysler, and Ford have implemented bug bounty programs to find vulnerabilities within their vehicles, which is a great start. We can only hope that other automakers start adopting a more security-conscious mindset. Otherwise, get used to one of your most-used tools being as secure as Windows XP.