Hackers Demand Automakers Get Serious About Security 120
wiredmikey writes: In an open letter to Automotive CEOs, a group of security researchers has called on automobile industry executives to implement five security programs to improve car safety and build cyber-security safeguards inside the software systems powering various features in modern cars. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation. Vehicles are "computers on wheels," said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group who penned the letter (PDF). The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.
Easier to parallel park a train (Score:5, Insightful)
Getting the automakers to make any kind of substantive change requires either legislation or expensive PR disasters like a Pinto or Firestone/Explorer event.
if this goes the same way as the computer desktop (Score:2, Insightful)
it won't be long before we are forced to install antivirus in our cars : /
Hackers (Score:4, Insightful)
So is it "Hackers" demanding better security or is it "a group of security researchers"? Because the inflammatory headline surely conjures the modern, media definition of Hacker and not "A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary". And the headline certainly doesn't make me think of security experts at all!
Come on /. , you can do better than that...
An easier solution (Score:5, Insightful)
I know, I know, simplicity is such an ugly word. It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas [wikipedia.org].
Re:An easier solution (Score:4, Insightful)
It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas.
No doubt, but it would be more horrible if modern systems for things like braking and traction control went away. People who've grown up with cars that are full of three-letter technologies like ABS and EBD might not appreciate how much more skill is required to drive a car safely at the same speeds and in the same environments without these driver aids.
Re:deaf ears (Score:5, Insightful)
What I am afraid of is what happens after. There is a difference between security from remote attackers, and security from "jailbreakers". For example, my Android phone is just as secure rooted as not.
My fear is that what steps would be taken would force the car into the shop for any minor issue. Already, one automaker, if you change the battery out, the vehicle will refuse to start until the vehicle goes into the dealership and the battery is "registered" into the ECM.
Automakers should just keep stuff isolated. The radio should not have access to the brakes. Hell, the radio should not even be on the CAN. It should just be vital components, and have the doodads be stuck on another bus that can be "dirty".
Re:An easier solution (Score:4, Insightful)
For him as well because he would have to be stuffed up under the dashboard to do his hacking, therefore he will probably die in the accident.
These vehicles overwhelmingly share a single bus between everything including powertrain and infotainment. If you can control the infotainment system you can control the diagnostic bus. The infotainment system now commonly includes internet access, so it's not even necessary to be near the vehicle to gain attack surface.
Has anyone in fact demonstrated such a hack, so far? Nope. Does that mean it's not a realistic threat? Also nope. Indeed, it's becoming a more realistic threat as more internet-connected features are being added to autos.
Re:Shouldn't be necessary, but if it is... (Score:2, Insightful)
You are totally ignoring the base issue: The fact that its so easy to get access to any part of the system.
Reflashing a "faulty" component isn't what people are worried about. It's the combination of Wifi/remote accessable parts of a system, that once gotten into leads to total control.
Imagine a virus that is able to jump from car to car once cars are able to simply mesh-hotspot to each other.
Reflashing the stereo means nothing when the entire system is compromised at 80mph.