One in Five Vehicle Vulnerabilities are ‘Hair on Fire’ Critical

The Department of Homeland Security is investing close to $4 million on two projects related to the security of connected vehicles.
One of every five software vulnerabilities in connected vehicles is rated “critical,” according to a study by IOActive.

In-brief: One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive. 

One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive.

“These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report, which it released last week. The report was based on an analysis of more than 150 vehicle security flaws identified over three years by IOActive or publicly disclosed by way of third-party firms.

The report studied a wide range of flaws, most discovered in IOActive’s work with automakers and suppliers to auto manufacturers, said Corey Thuen, a Senior Security Consultant with IOActive. Thuen and his colleagues considered what kinds of vulnerabilities most commonly affect connect vehicles, what types of attacks are most often used to compromise vehicles and what kinds of vulnerabilities might be mitigated using common security techniques and tactics.

[See also: “The era of automobile hacking has just begun.”]

The results, while not dire, are not encouraging. The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation. “These are all great things that the software industry learned as it has progressed in the last 20 years. But (automakers) are not doing them.”

A quarter of vulnerabilities were rated critical by IOActive. A slightly smaller share (22%) had an overall impact of "Critical." (Image courtesy of IOActive.)
A quarter of vulnerabilities were rated critical by IOActive. A slightly smaller share (22%) had an overall impact of “Critical.” (Image courtesy of IOActive.)

The result is that vehicle cybersecurity vulnerabilities are not solvable using “bolt-on” solutions, IOActive concluded. That is because they are caused by flawed engineering assumptions or insecure development best practices. “The most effective cybersecurity work occurs during the planning, design and early implementation phases of products, with the difficulty and cost of remediation increasing in correlation with product age and complexity,” IOActive’s report notes.

In an interview with The Security Ledger, Thuen said that the automotive industry is coming up to speed on cyber security in the wake of high-profile incidents like the 2015 wireless hack of a Jeep Grand Cherokee by researchers Charlie Miller and Chris Valasek. Both now work for Uber, though Valasek conducted much of the vehicle research as an IOActive employee.

Still, auto firms remain wary of information security firms and wedded to the notion that keeping the details of their systems secret will ensure security (aka “security through obscurity”).

“Their general attitude is that they don’t want to  engage researchers or share their ‘secret sauce,'” Thuen said. “The attitude is anti-security in general. It’s the Ostrich approach – we’re going to stick our head in the sand and say that we can’t hear you, or that everthing you’re saying isn’t important.”

That can make conducting security research on vehicles painstakingly slow – but also fruitful, said Thuen. Miller and Valasek’s research is a great example. Much of the work the two did was not devoted to analyzing the Fiat Chrysler system for security holes, but merely in figuring out how the specifics of the company’s implementation of standard components, like the CAN (Controller Area Netowrk) BUS.

“A lot of what the public considers ‘vehicle hacking’ was just ‘how to use the vehicle’.” The two needed to be able to decipher traffic from the vehicle – figuring out what command causes the steering wheel to turn or the brakes to be applied. Once that work was done, finding security holes and figuring out how to exploit them was a more simple matter, given that the underlying components were not designed with security in mind, he said.

Resistance to the attentions of security researchers is rooted in an engineering culture that looks on software vulnerabilities as shameful – far different from software-based engineering that generally accepts vulnerabilities as an inevitable byproduct of writing code. “It’s not shameful to have vulnerabilities. What is shameful is to have them and not move forward to fixing them,” he said.

The industry has made progress. Last month, an auto industry information sharing and analysis center (ISAC) released a set of cyber security best practices.  And  Thuen said that more and more automakers and suppliers are seeking out IOActive’s help. “Our auto related business has doubled every year for the last few years,” he said.

IOActive_Report
Click to download IOActive’s report.

Still, a Government Accountability Office (GAO) report last year( PDF) emphasized that help – in the form of more secure vehicles from Detroit or new regulations and standards from Washington D.C. – is likely years from being realized. Automakers are working to design more secure in-vehicle systems and regulators, like that National Highway Traffic Safety Administration (NHTSA), are still trying to determine their role and the scope of possible regulations, the report noted.

Still, car companies that are investing more and more in software driven features and services will need to be adept at changing their internal culture and processes to deal with the security and privacy risks that result, Thuen said.

“(Automakers) need to recognize that their industry is undergoing a major pivot that will require personnel changes and policy changes,” he said. “They need to realize that there’s a lot (they) don’t know, and that’s OK.”

11 Comments

  1. Apparently, it’s even worse than the headline would suggest. I crunched the numbers and according to my calculations, one in five (1/5) = 20%. The graph shows 25% (i.e., one in four (1/4)) are critical.
    🙂

  2. Pingback: Weekend tech studying: 5G is all hype, the IBM 5150 turns 35, most sensible objectives in Rocket League championship | WorldFree4You.XYZ - Where you can get everything

  3. Pingback: Weekend tech studying: 5G is all hype, the IBM 5150 turns 35, most sensible objectives in Rocket League championship | WorldFree4You.XYZ - Where you can get everything

  4. Pingback: Weekend tech reading: 5G is all hype, the IBM 5150 turns 35,… – Ecobecas Archive – Ecobecas

  5. Speaking of security, 100% of your comments (presumably until mine) are spam bots.

  6. These stats are garbage. Other than UConnect, you would need physical access to implement any of these ‘exploits’. Are you going to let a hacker sit next to you while you drive down highway? Are you going to let the hacker install a device in your car? Probably not.

    There are definitely REAL concerns here due to increased vehicle connectivity; however, the current situation is not the doom and gloom these articles point to.

    • Well, the problem with security holes that require physical access is that car companies and third party (aftermarket) vendors keep adding features (like in car cellular hot spots) that tend to chip away at that requirement. It’s foolish to say “well, this isn’t serious because you’d need to be in the car) when we’ve seen a demonstration of how that limitation can suddenly disappear.

  7. Pingback: Weekend tech reading: 5G is all hype, the IBM 5150 turns 35, top goals in Rocket League championship | Techlear

  8. Pingback: One in Five Vehicle Vulnerabilities are ‘Hair on Fire’ Critical | The Security Ledger | Robert's Interests