In-brief: the Department of Homeland Security is putting $4 million towards to research projects aimed at securing connected cars. (Updated to add comments from Dan Massey of DHS. – PFR 11/10/2015)
Months after Charlie Miller and Chris Valasek used remote, software-based attacks to commandeer a Jeep Cherokee, the U.S. Department of Homeland Security is putting close to $4 million into two research projects to assess the security of connected vehicles.
DHS’s Science and Technology Division announced on October 29th two grants totaling $3.7 to researchers at The University of Michigan and a firm in Malibu, California targeting security weaknesses in connected vehicles. In statements, DHS cited the growing threat of cyber attacks on physical systems such as automobiles as the impetus for the new funding.
The grants are part of an on-going effort at DHS to fund research into securing cyber physical systems, said Dan Massey, Program Manager for CYBER Security Division at DHS’s Science and Technology Directorate. “We’re seeing the convergence of the cyber and physical world… The goal of the program is to make sure devices on which we bet our lives have reasonable security baked in at the outset.”
In the first of the two grants, researchers at the University of Michigan received $1.2 million for a project titled “Secure Software Update Over-the-Air for Ground Vehicles Specification and Prototype.” The University of Michigan team, led by Dr. André Weimerskirch, has proposed a system for securely delivering software over-the-air (SOTA) updates to vehicles “before vulnerabilities can be exploited,” DHS said in a statement. “The goal is to develop a comprehensive industry standard that includes technical design specification, reference source code and best practice guidance for integration, testing, and deployment,” DHS noted.
Some automakers have already deployed over-the-air updates for software that runs critical, in-vehicle systems. Notably, the electric car maker Tesla Motors has long relied on over the air updates to service customer vehicles in the field. Most recently, the company made headlines by pushing new, autonomous driving features to existing vehicles via a software update. In February, BMW was also reported to have patched a security flaw in some of its vehicles using an over-the-air software update.
Massey declined to comment on how those features stacked up next to what DHS had in mind. Instead, he said that DHS was less concerned about picking holes in existing technologies than in establishing a baseline for security around software updates that all vehicle makers could meet. “We don’t want to see companies competing on cyber safety,” he said. “We want to make sure that these features are good for everyone.”
While software companies like Microsoft have been pushing out over the air software updates for years, Massey notes that no company has a perfect record and that the stakes in the case of connected vehicles, medical devices or critical infrastructure are much higher than with laptops, desktops and servers.
Today most, legacy auto makers have not yet made the leap to over the air updates for their fleets. That presents clear problems – especially for vehicles that do support 3G or 4G cellular access. For example, Fiat Chrysler was forced to recall 1.4 million vehicles and ship USB thumb drives containing software updates to customers following the compromise by Valasek and Miller in July.
The second grant from DHS’s Science and Technology division, for $2.5 million, is supporting research by the Malibu firm Hughes Research Laboratories LLC (HRL) on “Side-Channel Causal Analysis for Design of Cyber-Physical Security.” The objective appears to be securing the supply chain for automobiles. According to a DHS statement, HRL is developing a system to detect cyber-physical inconsistencies that can provide an “early warning signal” for attacks.
The research is being conducted the UK’s Centre for the Protection of National Infrastructure (CPNI) and the Defence Science and Technology Laboratory (DSTL) and Defence Research and Development Canada (DRDC), DHS said.
DHS is not a regulatory agency and won’t be formulating rules for technology adoption, Massey said. Instead, the agency is using its R&D budget to promote best practices from and engagement with the IT industry. DHS is working with rule making agencies like the National Highway Traffic Safety Commission (NHTSA) and the Federal Trade Commission (FTC), as well, Massey said.