Forget about carjacking; car hacking is now at the center of all the buzz. A grassroots security movement called “I am The Cavalry” recently introduced a cyber safety program to facilitate collaboration between researchers and car makers as vehicles become increasingly connected. Last Friday, the group presented an open letter to the heads of today’s leading automotive companies, challenging them to acknowledge growing cybersecurity concerns that impact vehicle safety. In a detailed description of its “Five Star Automotive Cyber Safety Program,” I am The Cavalry outlined five critical capabilities that participating companies should demonstrate within their organization to improve security:
- Safety by Design
  VALUE: We take public safety seriously in our design, development, and testing.
  PROOF: As such, we have published an attestation of our secure software development lifecycle, summarizing our design, development, and adversarial resilience testing programs for our products and our supply chain.
- Third-Party Collaboration
  VALUE: We recognize that our programs will not find all flaws.
  PROOF: As such, we have a published coordinated disclosure policy inviting the assistance of third-party researchers acting in good faith.
- Evidence Capture
  VALUE: We want to learn from failures and enable continuous improvement.
  PROOF: As such, our systems provide tamper evident, forensically sound logging and evidence capture to facilitate safety investigations.
- Security Updates
  VALUE: We recognize the need to address newly discovered safety issues.
  PROOF: As such, our systems can be securely updated in a prompt and agile manner.
- Segmentation & Isolation
  VALUE: We believe a compromise of non-critical systems (like entertainment) should never adversely affect critical/physical systems (like braking).
  PROOF: As such, we have published an attestation of the physical/logical isolation and layered defense measures we have implemented.
“Modern cars are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it. Security researchers have demonstrated vulnerability to accidents and adversaries over more than a decade,” the group writes on its website.
It appears that some have grown tired of the same old hacking of computers, email, websites and networks, and have elected to try a moving target instead; the emergence of connected vehicles brings numerous car hacking opportunities.
In its open letter, I am The Cavalry referenced vehicle-to-vehicle (V2V) communication, automated traffic flow, remote control functions and driverless cars as just some of the evolving technologies making their way to the public. “We don’t need to wait for bad things [to happen] before starting to take safety into our design [considerations]. It takes a very long time to develop technologies and get them in the market. What we start today may not manifest for several years,” Joshua Corman, I am The Cavalry Co-Founder and CTO of Sonatype, told SCMagazine.
A Change.org petition has also been set up, encouraging the car industry to urgently address security concerns. “When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles.”
“The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.”
Researchers have revealed that high-end cars have several computers to control brakes, acceleration, cruise control and self-parking. As a result, attackers have to find a way to exploit a system and then use that vulnerability to send a command to the electronic control unit. These flaws are a problem because it’s hard to patch a car. As VentureBeat notes, “Tesla has a lot of security in place, and it also has a vulnerability disclosure system. Most car makers seem unprepared for hackers because they’re not yet used to the idea of hackable electronic systems. The tire pressure monitoring system, for instance, is hackable. But the risks related to it are small.” As car makers add more computing power and communications to their cars, they become bigger targets. Tesla vehicles rely heavily on sophisticated software and electronics. Founder Elon Musk has even offered a $10,000 reward for a successful hacking of the Tesla Model S vehicle.
A study released at Black Hat 2014 by security researchers Chris Valasek and Charlie Miller also explored the “hackability” of 24 different car models. Among the “most hackable” are the 2014 Jeep Cherokee, 2015 Cadillac Escalade and 2014 Infiniti Q50, while some of the notable “least hackable” include the 2014 Dodge/SRT Viper, 2014 Audi A8, and 2014 Honda Accord.