In-brief: The Department of Transportation is weighing policies governing independent security researchers’ work on connected vehicles. But security industry experts worry that overreach could put a chill on independent research on connected cars.
The website TheHill has an interesting piece on the chilling effect that the threat of lawsuits is having, or may have, on independent research into vulnerabilities in the computer systems that run connected cars.
The article, “Fear of Lawsuits Chills Car Hack Research,” by Katie Bo Williams is mostly a rehash of the fallout from Chris Valasek and Charlie Miller’s high-profile hack of a Jeep Cherokee in July, but adds some cautionary statements from technology and privacy advocates.
Among other things, Williams notes that the Department of Transportation is concerned that security researchers may reveal vulnerabilities without fully appreciating “the potential safety ramifications of their security circumvention acts” or “may not fully understand the logistical and practical limitations associated with potential remedial actions that may become necessary.”
The U.S. Copyright Office, the article notes, is “mulling an exemption to a provision of the so-called Digital Millennium Copyright Act (DMCA) that prohibits anyone from circumventing a technological measure that controls access to copyrighted work — like vehicle software.”
But resistance within the auto industry is intense. As discussed at the recent Security of Things Forum, automakers are eager to add connected features to their vehicles, but are struggling to adapt to the culture of software security that software publishers like Microsoft, Adobe, Google and Apple were forced to reckon with long ago. While they recognize the need for security in general terms, car makers are vague about what steps they are taking to secure their vehicles, and demonstrations of vulnerabilities in late-model cars suggest that the security gaps in those vehicles are large.
“When we talk to automakers, we get a lot of generalities and not a lot of details,” said Chris Poulin of IBM’s X-Force at that event.
According to The Hill, DOT is weighing whether to constrain disclosure by researchers to regulators and affected parties (read: automakers). But security experts note that such restrictions affect only ethical researchers – not cyber criminals or nation states. “The issue with any prohibition on security research is that you’re only stopping good researchers that follow the law in one country,” the article quotes Kevin Mahaffey, chief technology officer of the mobile security company Lookout, saying.
And such “responsible disclosure” policies in the past have often been cited as an enabler for companies that wish to downplay security holes, or prioritize fixing them according to their own schedule, rather than one dictated by the seriousness of the vulnerability in question.
The current architecture of most cars is an “everything talks to everything” model, said William Whyte of the firm Security Innovation. That will make it difficult to make cars secure in the short term.
Manufacturers, however, rely heavily on a network of original equipment manufacturers (OEMs) for both hardware and software. Improvements in security will need to start there, with a security baseline that suppliers are required to meet, said Chris Poulin of IBM’s X-Force research team.
Automakers, which bear the cost and brand damage of any security incident, are in a position to tell suppliers ‘you have to do security in this way,’ notes William Whyte of Security Innovation. In the long term, the industry needs to find a way to make security a differentiator that allows OEMs and other suppliers to distinguish themselves and compete, said Whyte.