In-brief: In a letter to leading automakers, Senators Edward Markey and Richard Blumenthal have requested more information on security protections in late model vehicles, citing recent demonstrations of wireless hacks.
Washington, D.C. has taken note of demonstrations of remote attacks on connected vehicles and is asking the CEOs of 18 automakers to update Congress on their progress in securing them.
In a September 16 letter to leading automakers, Senators Edward Markey and Richard Blumenthal requested more information on security protections in late-model vehicles, citing recent demonstrations of wireless hacks, including a remote attack on a Fiat Chrysler Jeep Cherokee that was presented at the Black Hat Briefings in August.
The letter was addressed to the chief executives of the largest car makers in the world, including US auto companies Ford Motor Co., General Motors, Tesla and Fiat Chrysler, as well as the North American subsidiaries of leading European, Korean and Japanese firms like Mercedes-Benz, Porsche, Volkswagen, Subaru, Honda and Toyota.
The letter follows a similar inquiry in 2013, a report on security and privacy gaps in vehicles that the senators released in February 2015, and legislation they proposed in late July. The Security and Privacy in Your Car (SPY Car) Act would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy.
In their latest missive, Blumenthal and Markey ask leading U.S. based and foreign automakers for updated information about protections “against the threat of cyber-attacks or unwarranted invasions of privacy related to the integration of electronic systems into and within automobiles.”
The letter is tailored to elicit information specific to two recent and well-publicized attacks on connected-car platforms: the hack of Fiat Chrysler’s Uconnect in-vehicle entertainment system by researchers Chris Valasek and Charlie Miller, now both of Uber, and an SMS-based attack on a Corvette, delivered through an aftermarket telematics dongle plugged into the car’s OBD-II port, demonstrated by researchers at the University of California, San Diego at the USENIX WOOT workshop in August.
“We ask that you please respond to the 2013 letter, providing updated information as appropriate and providing company-specific information that includes your MY* 2015 and 2016 vehicles,” the letter reads. (“MY” is shorthand for model year.)
While the hacks of connected vehicles in recent months have caught the attention of lawmakers, progress toward new laws mandating cyber security and privacy protections has been slow. Markey (D-MA) and Blumenthal (D-CT) are both in the Senate minority, where Republican leaders are skeptical of the need for new regulation. There is also confusion about which agency should take the lead on regulating connected vehicles: the FTC, NHTSA, or some other body.
What is clear is the problem. Attacks on the software that powers critical vehicle systems were demonstrated as far back as 2011, and Charlie Miller and Chris Valasek demonstrated an attack on the Controller Area Network (CAN) bus of a Toyota Prius in 2013. The auto industry’s response, however, has been halting. Car makers dismissed the early demonstrations because the attacks required physical access to the CAN bus, and therefore to the passenger compartment.
The most recent demonstrations show that those same vulnerabilities can be paired with a wireless entry point, typically the vehicle’s cellular connection, to mount remote, software-based attacks: once an attacker reaches a networked component that also talks to the CAN bus, physical access is no longer required.
Speaking at last week’s Security of Things Forum in Cambridge, Massachusetts, security experts including Valasek, IBM researcher Chris Poulin, Security Innovation Chief Scientist William Whyte and Josh Corman of the group I Am The Cavalry (IAmTheCavalry.org) said that a combination of cultural, legal and technical factors makes it difficult to address connected-vehicle security holistically. The insular, hardware-driven culture of Detroit makes car companies skeptical of outside experts. At the same time, concern about brand damage and about regulatory and liability pitfalls makes individual automakers wary of venturing into unknown territory on safety and privacy protections.
But the connected vehicle space is evolving rapidly. Open source software components are becoming common in late-model vehicles, notes Corman, who is also CTO of Sonatype. Those components often carry both known and as yet undiscovered vulnerabilities, which are then replicated into every vehicle platform that ships them. Without vetting that software before it is incorporated into in-vehicle systems, software flaws that might have caused a service disruption or data loss ten years ago could play a role in a fatal accident.
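The vetting step Corman describes has a concrete, mechanical core: knowing exactly which version of each third-party component is in a build and comparing it against known-vulnerability records before that build ships. The following Python script is an added illustration of that check; it is not code from Security Ledger, Sonatype or any automaker, and the manifest, component names and advisory records in it are constructed for the example and do not refer to real software or real advisories. It shows two details that trip up ad hoc vetting: versions must be compared numerically (2.10.1 is newer than 2.9.5, though a string comparison says otherwise), and a component that is not pinned to a specific version cannot be vetted at all.

```python
"""Added example: vet a pinned component manifest against known-vulnerability records.

Everything here (component names, versions, advisory IDs) is constructed for
illustration and does not describe real software or real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """A known-vulnerability record: an affected version range for one component."""
    advisory_id: str
    component: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None means no fix exists
    summary: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1) so that versions compare numerically.

    A plain string comparison ranks '2.10.1' below '2.9.5' and would mark a
    patched component as vulnerable (or a vulnerable one as patched).
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str, advisory: Advisory) -> bool:
    """True if `version` falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(advisory.introduced):
        return False
    return advisory.fixed is None or v < parse_version(advisory.fixed)


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines. Blank lines and '#' comments are ignored.

    A component without an exact pin is rejected: if the build does not fix
    the version, there is nothing to compare against an advisory.
    """
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"component is not pinned to an exact version: {line!r}")
        pins.append((name.strip().lower(), version.strip()))
    return pins


def vet(manifest_text: str, advisories: List[Advisory]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per (component, advisory) match, in manifest order."""
    findings = []
    for name, version in parse_manifest(manifest_text):
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv.advisory_id,
                    "summary": adv.summary,
                    "fixed_in": adv.fixed,  # None: no fixed release; mitigate or replace
                })
    return findings


# Constructed sample input: a manifest for a hypothetical head-unit build.
SAMPLE_MANIFEST = """
# hypothetical in-vehicle infotainment build (constructed, not a real BOM)
libmedia==2.10.1
netstack==1.4.0
bluetooth-stack==0.9.3
jsonparse==3.2.0
"""

# Constructed advisory records (hypothetical IDs, not real CVEs).
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "libmedia", "2.0.0", "2.9.5", "heap overflow in container parser"),
    Advisory("ADV-0002", "netstack", "1.0.0", "1.4.1", "unauthenticated command on cellular link"),
    Advisory("ADV-0003", "bluetooth-stack", "0.8.0", None, "stack overflow in pairing handler"),
]


if __name__ == "__main__":
    for f in vet(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        fix = f["fixed_in"] or "no fixed release"
        print(f"{f['component']} {f['version']}: {f['advisory']} ({f['summary']}); fix: {fix}")
```

Run against the constructed manifest, the script flags netstack (a fixed release exists, so the remedy is to upgrade) and bluetooth-stack (no fixed release, so the component needs a mitigation or a replacement), and correctly leaves libmedia 2.10.1 alone because it is past the 2.9.5 fix. The same structure scales to a real software bill of materials and a real advisory feed; what changes is the data source, not the comparison logic.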
Car makers will have to climb a steep learning curve when it comes to software security. And they’ll have to do so far faster than companies like Microsoft and Adobe did in the late 1990s and early 2000s, said Corman, who has been working to educate and inform lawmakers on Capitol Hill.
“If the mean time to enlightenment was 15 years for Microsoft, we’d like to compress that,” he said.