Ramping Up Automobile CybersecurityReport Spells Out Challenges; Legislation Pending
In late 2014, signs emerged that the automobile industry was taking the first steps toward addressing cybersecurity and privacy risks.
See Also: Main Cyber Attack Destinations in 2016
For instance, General Motors hired its first chief product cybersecurity officer, and the automobile industry set up an automobile Information Sharing and Analysis Center to collect and share information about cyber-related threats and vulnerabilities in motor vehicle electronics (see: Automobile Cybersecurity: Growing Risk).
Heading into 2015, efforts to mitigate cybersecurity and privacy risks affecting automobiles continue to gain traction. Recently, Senator Edward Markey, D-Mass., issued a report detailing various automobile security and privacy vulnerabilities. Then, on Feb. 11, Markey confirmed that he, along with Senator Richard Blumenthal, D-Conn., will introduce legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards for improving the security of vehicles and protecting drivers' privacy.
"We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century," Markey says.
The senators' efforts come after auto manufacturer BMW recently addressed a potential security gap affecting data transmissions to and from the company's connected vehicles via the mobile phone network.
But while early steps are being taken by the industry to get on top of the risks, progress around securing automobiles may not come as quickly as some would hope. "Sure, proof of concept exploits are there - and they are real - but there is not even a semblance of exploitation by the criminals in the wild," says Anton Chuvakin, research vice president for security and risk management at Gartner.
"We do have a chance to prepare for this now by starting early with car and other device security," he says. "However, the history of information security teaches us that we probably won't. Today the threat is mostly 'not' real, but all signs point that it will become real."
Chris Valasek, director of vehicle security research at IOActive, a computer security services firm, has researched cyber vulnerabilities in automobiles through funding from the Cyber Fast Track initiative from the Defense Advanced Research Projects Agency, or DARPA.
Based on his research, Valasek says hackers could gain access to a vehicle's systems and potentially take private information, such as GPS coordinates or the driver's username and password for various in-car applications. Also, cybercriminals potentially could obtain control of computers within the car that operate certain features, such as cruise control, Valasek says.
"[Through our research], we showed that if you're on the car's computer network, you could send messages to completely stop the car and immobilize it," he says. "If an attacker found a way to break in remotely - through Bluetooth, cellular or an application - and was able to be on the right portion of the car's network, they could stop the car, disengage breaks or steer the steering wheel."
Down the road, automakers also need to worry about the potential cyberthreats concerning so-called "autonomous" or driverless vehicles now in development, says Stephen Wu, an attorney at the Silicon Valley Law Group, who has been researching the legal concerns regarding autonomous driving. "If cars crash because of information security vulnerabilities, it could lead to liability for the manufacturers," he says. "They need not only be concerned about safety, but also the governance of information security, privacy and the management of information that's being generated and communicated by cars."
Security Gaps Remain
The recent report from Senator Markey is based on a survey of 16 major automobile manufacturers about how vehicles may be vulnerable to hackers and how driver information is collected and protected.
Among the findings:
- Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions;
- Most automobile manufacturers were unaware of or unable to report on past hacking incidents;
- Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers;
- Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most said they rely on technologies that cannot be used for this purpose at all.
Valasek at IOActive says the biggest takeaway from the report is how most of the manufacturers couldn't answer many questions. "This means that not only are they behind on their security efforts, but probably don't have a good idea of the attack landscape or where to start," he says.
The new legislation proposed by Markey would include three key requirements:
- All wireless access points in cars must be protected against hacking attacks and evaluated using penetration testing;
- All collected information must be appropriately secured and encrypted to prevent unwanted access; and
- The manufacturer or third-party feature provider must be able to detect, report and respond to real-time hacking events.
To address privacy issues, Markey is seeking a transparency requirement that drivers be made explicitly aware of data collection, transmission and use. He also wants consumers to have the ability to choose whether data is collected, without having to disable navigation. And he's seeking prohibition of the use of personal driving information for advertising or marketing purposes.
"In essence, the proposed legislation codifies what have been best practices in privacy and security for years," says Scot Ganow, a privacy and security attorney at the law firm Faruki Ireland and Cox PLL.
But that doesn't mean the proposed law won't face challenges similar to those that have arisen in previous failed attempts to adopt federal data breach legislation, Ganow says (see: Seeking Compromises on CyberSec Bills). "As with all laws seeking to regulate commerce and, in particular, the flow of information, the struggle will exist over balancing appropriate regulation while not choking innovation and corporate independence."
As the security and privacy landscape around automobiles continues to take shape, manufacturers can start taking the necessary steps to get ahead of the challenge before it becomes a real problem.
Right now, hacking a vehicle is still very hard and very expensive, Valasek says. "That's not to say that won't change in the future. But you want to start implementing security measures before there is an actual problem."
Valasek argues that manufacturers "will have to accept that security is required as part of the process and not an after-thought. Only then can we truly talk about mitigating risks."
In addition, automakers should hire more cybersecurity experts and attempt to integrate security into the automotive software development lifecycle, says Ben Johnson, chief security strategist at Bit9 + Carbon Black, an endpoint security firm. "Immediately, I would be hiring penetration-testers and security consultants to do as much assessment and analysis of the existing systems as possible," he says.
It may also be in the best interest of the automobile industry - and consumers - if manufacturers adopt a model similar to PCI-DSS, the independently developed standards in the payments card industry, says Andreas Mai, director for smart connected vehicles at Cisco. "If an independent body devised a list of security features and controls that a vehicle and its computer systems should have, and the body audited vehicles for adherence, even if it was voluntary, like Consumer Reports, it would at least provide consumers with the notion someone has looked at security and provide a baseline level of confidence," he says.