Your Car Will Never be Secure

by Roger C. Lanctot on 01-24-2016 at 4:00 pm

The automotive cybersecurity forum put on by the National Highway Traffic Safety Administration (NHTSA) yesterday in Washington, DC, surfaced a wide range of issues and conflicts at the heart of the connected car industry. One clear takeaway from the event was that cars will never be secure.

Acceptance of this proposition, alone, will be a major step forward for the automotive industry, which has begun to tackle the problem by setting up an ISAC (Information Sharing and Analysis Center) in collaboration with the Alliance of Automobile Manufacturers, GlobalAutomakers, SAE and Booz Allen Hamilton. This new ISAC faces some stiff challenges in an industry consisting of committed competitors and limned by anti-trust regulations.

Car makers and Tier 1 suppliers participated on multiple panels at yesterday’s event and chose their words carefully in the face of multiple calls for greater industry transparency and cooperation. The impression created was one of an industry facing simultaneous cyber and regulatory attacks in the midst of a transition to widespread connectivity.

Points of contention on the various panels included:

  • Serviceability being in conflict with cybersecurity
  • The availability and necessity of software updates
  • Mandatory or optional security software updating
  • Greater openness and outreach to the white hat hacking community
  • OBDII ports as a gaping hole in vehicle security
  • Consumer awareness and concern for security – a value proposition for which car makers can neither charge nor claim an advantage or validation
  • Car maker comprehension of the scope of the problem

Just to be clear, the panelists may have debated and disagreed regarding some of these issues, but the reality was clear:

  • Serviceability – i.e., the Right to Repair – is in conflict with preserving vehicle security. According to the Auto Care Association: “The (Right to Repair law passed in the state of Massachusetts) immediately requires that independent shops have full and affordable access to the information, tools and software to work on late model vehicles …and further require that car companies maintain all of their information and software in a cloud that independent shops can obtain using a generic PC, and which utilizes a standardized vehicle interface known as J2534.” Nearly all car makers, with the exception of Tesla Motors, have signed a Memorandum of Understanding to comply with this law. Access to diagnostic codes will be useful to tinkerers, mechanics and hackers alike.
  • Software updates can be provided via OBDII or smartphone connections, according to a representative from Movimento, so there is no reason to delay the implementation of aftermarket software updating where applicable and necessary.
  • Security updates must be mandatory, not optional. There was considerable debate on this topic – but opting out of software updates is likely to lead to voided warranties.
  • As what may be the only car maker with a chief product cybersecurity officer, GM has gotten way out front of the industry by publishing its coordinated disclosure program in cooperation with “bug bounty and security portal provider” HackerOne. In GM’s words: “It’s a public coordinated disclosure program, so when vulnerabilities are discovered we can work with researchers to resolve them.”
  • It may be time for NHTSA to put a process in place for banning or removing from the market OBDII devices liable to compromise vehicle safety and security. The insurance industry is already moving away from the use of OBDII devices for usage-based insurance in favor of smartphone apps – but devices continue to proliferate and compromise vehicle behavior and performance. (Not discussed by the panel were the potential risks posed by hardware installed in cars by ridesharing companies and the impact on vehicle safety and security.)
  • Car makers are conflicted over cybersecurity measures because of the inability to obtain certification of existing or prospective security measures and to charge consumers for those systems.
  • A lingering amalgam of apathy, fear and ambivalence pervaded the comments of the auto industry representatives on the various panels. As a whole, these executives did not yet appear to be of a single mind regarding the scope of the security problem and how to resolve it.

Representatives of the Food and Drug Administration and the Federal Trade Commission were on hand to share their perspectives on a problem with which they have already come to grips. The FDA must approve thousands of medical devices with the same life-threatening potential as automobiles. The message from the FDA was to focus on policies and procedures rather than seeking to become too prescriptive.

The goal, in the words of the FDA representative, is to “surf the new technologies” rather than face being “dashed against the rocks” with an overly specific or rigid compliance program. “We don’t tell (applicants) how to achieve security,” he said. “We expect them to have their own risk models.”

The FTC representative advised, among other things:

  • Only collect the data you need and don’t keep it longer than necessary
  • Control access to data – assign on a need-to-know basis
  • Protect data at all points of data transmission and storage
  • Use existing security standards
  • Segment and monitor networks

But the most powerful message was: Prepare for failure. Cars will never be secure.

The advice for auto makers was stark. Systems will be compromised. Product and system designers must work to minimize intrusion. Security by obscurity is a part of this, but more must be done.

System designers must think about how intrusions will be detected and have a response plan in place. Whether it is a network shutdown or “safe” or “limp home” mode, engineers must have a plan. Last year Chinese car maker BYD saw fit to shut down its entire telematics system following a breach. In some circumstances, such a response may be necessary to isolate the intrusion.

Finally, electric car maker Tesla Motors was notable by its absence on the stage throughout the event. Given Tesla's role as a promoter of vehicle security and software updates, a casual observer might have expected it to assert a leading voice at an automotive cybersecurity confab.

The reality is that Tesla remains somewhat on the outside of the industry in part because it is neither a member of the Alliance of Automobile Manufacturers nor GlobalAutomakers. This may be why Tesla has not signed the Memorandum of Understanding in support of the Right to Repair law passed in Massachusetts. Sources say Tesla is complying with existing laws in the U.S., Europe and China.

There is consensus within the automotive industry that there is a problem. Addressing the problem will require cooperation between car makers and likely some assistance from Federal regulators. Individual car makers are, not surprisingly, at different points of the spectrum as to the severity of the security problem and the urgency of their response.

A final note: There was little or no mention at the NHTSA event of vehicle-to-vehicle communication to be achieved using 802.11p technology. Some expect this to be yet another source of cybersecurity vulnerability soon to be mandated by the U.S. DOT. The broad range of issues related to implementing 802.11p V2V technology was not discussed.
