Big Tom Cruise, action thriller movie plot: Third world hacker takes control of all automobiles in Los Angeles and demands $1 billion ransom. Futuristic, and fantastic? Not anymore.
Cars are now very much a part of the IoT (Internet of Things) and the auto industry (thinks that it) is ramping up its data security chops with hired security experts and hack guns.
Today’s automobile world is characterized by Bluetooth wireless connections, hot spots, and in-car applications that are accessible via customers’ smartphones and other portable devices. This is like floating a 5,000-foot banner across the sky saying “Hey. Pay attention. I’m here. Come on and hack me.”
So, General Motors has hired its first chief product cybersecurity officer. And, the automobile industry is setting up an automobile Information Sharing and Analysis Center. This is supposed to collect and share information about cyber-related threats and vulnerabilities in motor vehicle electronics. Never mind that we already have OWASP and the ADC. The auto industry is going to create a completely redundant center to announce to the world that they are anticipating these problems and are on top of them. Sort of like the CDC telling us that there are protocols in place for handling Ebola patients, so not to worry.
As we all know, the fact that automobiles are becoming ever more connected to the Internet multiplies the opportunities for hackers to gain control of the cars, or at the very least of certain systems installed on board.
By gaining access to a vehicle’s systems, hackers could easily take private information from the vehicle, such as GPS coordinates or the driver’s username and password used for various in-car applications. Also, cybercriminals potentially could obtain control of computers within the car that control certain features, such as cruise control, brakes and steering systems at the very least.
The easy way to gain access to a car’s network is through Bluetooth, cellular or one of many applications being installed right this minute. Hackers are of course aware and are planning one of an assortment of attacks that could be very interesting (from a media point of view). The most immediately obvious is the ransom scenario – but specifically targeted – to wealthy driver/owners. The other ransom scenario involves communities and cities and maybe even whole states, because as they say, that’s where the money is.
The potential impacts are very different from what we have become used to with laptops and servers and stolen credit card numbers. Hacking someone’s car and taking their brakes out when they are going 80 is a whole different sort of thrill.
But, rest assured. The Alliance of Automobile Manufacturers and the Association of Global Automakers have taken action. This group includes BMW Group, Chrysler Group LLC, Ford Motor Company, General Motors Company, Jaguar Land Rover, Mazda, Mercedes-Benz USA, Mitsubishi Motors, Porsche, Toyota, Volkswagen Group of America, and Volvo Cars.
They are spearheading the formation of an ISAC (Information Sharing and Analysis Center) to help share information about cyberthreats. ISACs already spearhead information sharing in other sectors, including financial services. “Despite the absence of reported cybersecurity incidents affecting vehicles on the road to date, we are taking action to prepare for possible future threats,” the two organizations said in a recent letter to the National Highway Traffic Safety Administration explaining the initiative.
I don’t know about you but I can’t think of anything less heartening than these three organizations rubbing elbows together. Sorry, but I am reminded of the CDC and NIH getting together to announce that we have the spread of Ebola contained and not to worry.
“We’re in the early stages of seeking out some of the best [security] experts to develop some kind of structure for the organization, such as the scope, governance and policies,” says Wade Newton, a spokesperson for the Alliance of Automobile Manufacturers. And, while they are doing that, I wonder what the Russian hackers are doing.
In addition to the auto-ISAC, more automobile manufacturers likely will hire security professionals, following GM’s lead, says Alan Brill, senior managing director at Kroll Advisory Solutions.
“It’s important for companies to act now to designate a senior official to take responsibility for Internet of Things-related issues,” he says. “For some organizations, it may be appropriate to select or hire someone with significant experience in dealing with these problems.” For others, they may supplement internal resources with external specialist advice, he says. This all sounds like bureaucratic nonsense to me.
The guys from Trend Micro are closer to the truth. “In terms of security best practices, manufacturers should focus on an outside-in attack approach,” says Trend Micro’s Sherry. “They need to do penetration testing against the vehicles in the design process and determine where failure modes are,” he advises. “Run the tests against your design process and determine how effective the design of the vehicle is, what the holes are, and what types of controls you can put in place if you missed something in the design process.”
Penetration testing will at least showcase where the specific vulnerabilities are so that software can be engineered to provide protection against those specific breach categories. But, as we have seen through the likes of Target and Dairy Queen, the next attack will not look anything like what we have seen before. If the auto industry can shake off that “not invented here” mentality and reach out in earnest to the software industry for help, we could probably cut through a lot of process that will inevitably get in the way of progress.
The software security industry can contribute its considerable expertise by proactively helping vehicle manufacturers create processes and procedures that build security in from the design phase all the way through production of the software and hardware going into the cars. We can learn a lot from the software industry’s mistakes, chief among them the realization that security is much harder to bolt on after the fact than to build in during the design process.
And then maybe we ought to re-think the whole notion of on-board computer systems and robot-enabled vehicles. There. I said it. Send those cards and letters to firstname.lastname@example.org.