Java is My Co-Pilot: Weighing the Security of Connected Cars

What is the proper approach to securing connected vehicles? Experts debate at the 2015 Security of Things Forum.
What is the proper approach to securing connected vehicles? Experts debate at the 2015 Security of Things Forum.

In-brief: scandals like the one gripping Volkswagen and the hack of vehicles by Chrysler Fiat have a common thread: a lack of transparency about the software that powers modern cars. A panel at the recent Security of Things Forum took up this issue, and we have the video to share. 

The security of connected vehicles is one of hottest topics in the information security field today. Its where – excuse the pun – the “rubber meets the road” when it comes to securing the Internet of Things.

The evidence to support connected vehicles as an important, early test case for issues that will bedevil us in other sectors gets stronger every day. Just last week, for example, we learned that the automaker Volkswagen admitted to cheating on U.S. pollution emissions tests by rigging software on late model passenger vehicles to sense when emissions tests are being conducted and to tune the engine’s performance in order to ace those tests. The company’s stock has fallen by close to half since those revelations first came to light.

A couple of articles in recent days have sketched out the many wrinkles in the connected or “smart” car security debate. A piece in the New York Times on Sunday by David Gelles, Hiroko Tabuchi and Matthew Dolan interviews experts from the information security world and academia and finds worrying resonance in the travails at Volkswagen. The scandal, affecting 11 million vehicles, showed “how a carmaker could take advantage of complex systems to flout regulations.”

Cars have become “sealed-hood entities with complicated computers and modules,” the authors quote Eben Moglen, a Columbia University law professor and technologist as saying of car makers “deeply nontransparent” approach to developing, deploying and managing the code that runs their vehicles. Existing regulators, like the National Highway Traffic Safety Administration (NHTSA) simply are staffed or equipped to start performing rigorous audits of tens of millions of lines of application code.

In a similar vein, Klint Finley, writing over at Wired, argues that the scandal at Volkswagen as well as other, recent revelations of security holes affecting Internet of Things products make the case for demanding that the software that runs connected products be open source and easily auditable.

“Today, the vast majority of smart home gadgets, connected cars, wearable devices, and other Internet of Things inhabitants are profoundly closed, Finley writes.” “Independent researchers can’t inspect the code that makes them run. You can’t wipe the factory-loaded software and load alternative software instead…But this opacity is also what helped Volkswagen get away with hiding the software it used to subvert emissions tests. It makes it harder to trust that your thermostat isn’t selling your personal info to door-to-door salesmen or handing it out to the National Security Agency.”

Many of these very issues – about the proper role of security in the design of deployment of security – were topics of discussion at The Security of Things Forum, hosted by The Security Ledger and The Christian Science Monitor on September 10.

In a panel entitled “Java is my co-pilot,” I sat down with three experts on the security of connected cars: Josh Corman of the firm Sonatype, William Whyte of Security Innovation and Chris Poulin of IBM to talk about the state of the art and where things are headed.

The automotive industry faces many challenges, our experts said. Among them: legacy code.

“Yes there are 100 million lines of code and many of those were written before the cars were networked at all,” said William Whyte, the Chief Scientist at the firm Security Innovation. “Once you have a system on the road that works, there’s a lot of incentive not to change that.”

That challenge doesn’t absolve the industry of fixing the problem – but that doesn’t mean repeating the mistakes of the past, said Josh Corman of Sonatype and IAmTheCavalry. “Because the consequences of failure are mortal, we shouldn’t simply aim to be as crappy as enterprise security,” said Josh Corman. In other words: forget about antivirus software for your car. The solution is to rethink security from the ground up with defensible design, segmented hardware and the like – at least for new vehicles.

Check out the video here, or by clicking on the embedded video below.