Security Experts call for Action on Connected Auto Safety

A non-profit group that represents prominent computer security researchers has issued an open letter to the automotive industry calling for more collaboration on cyber security issues.

A group of security researchers has proposed a five-point plan to address cyber security issues in connected vehicles.

The group, I Am The Cavalry, said the automotive industry needs to elevate cyber security to put it on par with other vehicle safety issues.

The announcement, on Friday at DEF CON 22 in Las Vegas – an annual hacker conference – included a letter to CEOs in the automotive industry, calling for the adoption of “five key capabilities that create a baseline for safety relating to the computer systems in cars.”

The letter asks for safety to be built into the design of computer systems in vehicles.

“Increasing reliance on computer systems and internet connectivity in cars is opening up a whole new area of consumer risk, much of which is still being investigated and understood,” the group said.

“Modern cars are computers on wheels and are increasingly connected and controlled by software. Unlike your home computer, the consequences of compromise are far more severe,” said Joshua Corman, co-founder of I Am The Cavalry.

“Dependence on technology in vehicles has grown faster than effective means to secure it. We’re just at the start of understanding the implications for public safety. The combined expertise of the automotive industry and the cyber security research community can rise to meet the challenge. This framework can be the foundation of that collaboration.”

The group identifies five areas where car makers should focus:

+ Safety by Design – developing automotive computer systems with security in mind.
+ Third-Party Collaboration – publishing a clear vulnerability disclosure response policy that works with security researchers.
+ Evidence Capture – logging information that may assist with an investigation should one be necessary.
+ Security Updates – providing a mechanism for consumers to receive updates to computer systems quickly and easily as issues are found and fixed.
+ Segmentation and Isolation – ensuring that issues in non-critical systems do not impact the performance of critical systems.

“I think the proposed framework clearly states important principles and intent in a plain, sensible and workable way,” said Tony Sager, Chief Technologist for The Council on Cyber Security, in the statement. “It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement.”

The group also released a petition with a request for members of the public to show their support for car safety.