
Hackers Demand Automakers Get Serious About Security

Posted by samzenpus
from the lock-it-down dept.
wiredmikey writes: In an open letter to Automotive CEOs, a group of security researchers has called on automobile industry executives to implement five security programs to improve car safety and build cyber-security safeguards inside the software systems powering various features in modern cars. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation. Vehicles are "computers on wheels," said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group who penned the letter (PDF). The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.
This discussion has been archived. No new comments can be posted.

  • deaf ears (Score:3, Interesting)

    by Anonymous Coward on Monday August 11, 2014 @09:30AM (#47647105)

    Nothing is going to happen until they get sued.

  • by Anonymous Brave Guy (457657) on Monday August 11, 2014 @09:39AM (#47647173)

    It's kinda terrifying that the people making fast, heavy lumps of metal with computerised control systems don't already routinely isolate those control systems from any other computerised technologies in the vehicle, particularly any that can interact remotely. They shouldn't need to be publicly admonished about the dangers of these situations. Don't these organisations employ actual engineers any more?

    But given that it does seem to be necessary to make a public display of this -- which presumably removes any plausible deniability if the auto makers do get sued after an accident later, so I can believe it will at least get their attention -- I'm glad it seems to be a responsible group with the right motivations who are starting the ball rolling. If it were just a bunch of lawyers or insurers, the general public could write the campaign off as the signatories just looking out for their own interests.

  • Re:deaf ears (Score:5, Interesting)

    by Z00L00K (682162) on Monday August 11, 2014 @09:43AM (#47647207) Homepage

    Nothing is going to happen until a serious mishap occurs.

    Meanwhile the automakers look into strange hacks instead of proper physical segmentation and gatewaying. They do have a gateway, but it is just a gateway between different IP address series on the same physical net in some cases - in order to save money on hardware. So a rogue unit can just look at the different series and fake it being a different type of unit causing interesting things to happen.

  • A Modest Proposal (Score:5, Interesting)

    by VernonNemitz (581327) on Monday August 11, 2014 @09:52AM (#47647293) Journal
    One of the simplest ways to lock down a computer is to physically lock it away from access. Originally car-makers did that -- you needed physical access to the computer (usually inside a locked hood compartment) to do anything to it. Now they have connected it to radio waves. That is the main security hole. Go back to a solid wired-only connection, with the connection point(s) behind locked doors, and a significant chunk of the security problems goes away.
  • by Anonymous Coward on Monday August 11, 2014 @10:05AM (#47647427)

    My 2002 Jetta's stock stereo system is wired to the CAN bus. This means when I run an in-car-diagnostic with the little dongle connected to the computer port in the driver's seat, that the stereo system is part of the diagnostics. It actually told me one of the speakers was broken/disconnected which I was able to leverage another $100 off the price when I bought it used. ... Turned out, it was literally disconnected. Easy DIY fix ;)

    Anyway, my car has no internet connectivity. But I bet the newer models have stereos that integrate GPS, Satellite Radio, and internet services. Theoretically, both satellite radio and web services are potential attack vectors into the stereo, and if you can manipulate the firmware on the stereo to be a CAN bus master, you can now talk to anything in the car.

    So either take the entertainment stuff off the CAN bus, or install some sort of CAN router/firewall, that allows the rest of the car to talk to the stereo, but doesn't let the stereo talk to the rest of the car.
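
The one-way CAN router/firewall suggested in the comment above, as an added example (not part of the original comment and not any automaker's code). It assumes the gateway has two physically separate CAN controllers, one per bus; the type names, function name and CAN IDs are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef enum { BUS_VEHICLE, BUS_INFOTAINMENT } bus_t;

typedef struct {
    uint32_t id;       /* 11-bit CAN identifier */
    uint8_t  dlc;      /* payload length, 0..8 */
    uint8_t  data[8];
} can_frame_t;

/* Counters kept as evidence: a stereo that keeps trying to send
 * inward is a signal worth logging and alerting on. */
typedef struct {
    uint32_t forwarded;         /* vehicle -> infotainment frames passed */
    uint32_t dropped_unlisted;  /* vehicle frames not on the allowlist */
    uint32_t dropped_upstream;  /* frames the stereo tried to send inward */
} gw_stats_t;

/* Constructed IDs for illustration; real assignments are per-vehicle. */
static const uint32_t allow_to_infotainment[] = {
    0x3E0,  /* vehicle speed (speed-dependent volume) */
    0x5C1,  /* steering-wheel audio buttons */
    0x65D,  /* diagnostic request addressed to the stereo */
};

/* Returns true if a frame received on `src` may be re-sent on the other bus. */
bool gw_should_forward(bus_t src, const can_frame_t *f, gw_stats_t *st)
{
    /* Default deny in the inward direction: nothing from the stereo
     * ever reaches the vehicle bus, whatever ID it claims. */
    if (src == BUS_INFOTAINMENT) {
        st->dropped_upstream++;
        return false;
    }
    /* Outward direction: well-formed, explicitly allowlisted IDs only. */
    if (f->id <= 0x7FF && f->dlc <= 8) {
        size_t n = sizeof allow_to_infotainment / sizeof allow_to_infotainment[0];
        for (size_t i = 0; i < n; i++) {
            if (f->id == allow_to_infotainment[i]) {
                st->forwarded++;
                return true;
            }
        }
    }
    st->dropped_unlisted++;
    return false;
}
```

The decision depends on which physical port the frame arrived on, not on anything inside the frame, which is why the two buses must not share a wire.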

  • by Anonymous Coward on Monday August 11, 2014 @10:35AM (#47647731)

    It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas.

    No doubt, but it would be more horrible if modern systems for things like braking and traction control went away. People who've grown up with cars that are full of three-letter technologies like ABS and EBD might not appreciate how much more skill is required to drive a car safely at the same speeds and in the same environments without these driver aids.

    Grr! If the U.S. would teach people how to drive and have real penalties for not doing simple things like using directional indicators before taking any other action, like turning one's head to see if the way is clear there would be little need for ABS, electronic stability control or driverless cars. Finland comes to mind as an example of the proper way to teach people how to drive and appropriate testing and licensure of drivers. Not only do they have to learn to drive a real car (one you have to shift and pay attention to with both hands and feet) they need to learn handbrake turns, cadence braking and how to control a car under skid conditions. These skills are all part of the licensing test! Should be everywhere. And yes, you are required to know all of the rules you learn and cannot claim ignorance. That applies everywhere, but most American drivers think they can study for the test, pass, then do whatever they want. It's lunacy!

  • by Anonymous Coward on Monday August 11, 2014 @10:54AM (#47647913)

    1). Not needed since it will add to the cost of the car.
    2). The Computer is not accessible via wireless to change the program (stand still or not) - no issue
    3). How to eliminate insurance company access to impact data
    4). The whole hobby market would be eliminated i.e. tuner groups, and the DIY since besides just encrypting or isolating the internal computer, it would be taken to the next step to encrypt the communications such that 3rd party tools couldn't access the data or they would have to pay a license
    5). The people who are suggesting this are just trying to create business for themselves to milk the car industry of an un-needed thing. Since they would be the self-proclaimed standards body and that all testing by the car manufacturers would have to come through them for a high price per car to get their seal of approval, let alone any recerts.

    6). I'd prefer it to be more open sourced and transparent so that I could figure out how to make a 3rd party tool to diagnose the car.
