In-brief: In this Security Ledger podcast, Paul speaks with Sameer Dixit of Spirent Security Labs, a leading tester of connected (“smart”) vehicles. Truly secure, connected vehicles may be years away, he says. In the meantime, security flaws and poorly implemented features are a major issue, Dixit says, with many car companies still preferring bolt on security fixes over secure design.
In just the last decade, vehicles of all makes and models have been transformed from moderately intelligent, disconnected machinery to super-sophisticated, Internet connected endpoints. Sensors and interactive features have sprouted like dandelions: from bluetooth enabled entertainment systems to driver assistance technology that can literally steer the car, or ease you into a parallel parking space.
But connected vehicles position at the vanguard of the Internet of Things also paints a big target on their back. Security researchers like Charlie Miller and Chris Valasek have already shown how the combination of Internet connectivity and older, pre-Internet networking technology can combine to create potent attack vectors for would-be cyber criminals and nation-state actors. Vehicles sport some of the world’s largest and most complex supply chains for both hardware and software. Those, too, are susceptible to compromise.
And, unlike other connected products, connected vehicles weight thousands of pounds and regularly drive around at 70 miles per hour, putting life and limb at risk and reducing the margin of error for software induced problems to fractions of a second.
There are already ample signs of strain in the connected vehicle ecosystem. Charlie Miller and Chris Valasek, two security researchers, demonstrated remote, software based hacks of a Jeep Cherokee in 2015, setting off alarm bells in Detroit and around the world. A report by the firm IOActive found that 20 percent of software holes in vehicle systems rated as “critical” and difficult to resolve with patching or other measures even after they have been identified. Growing vehicle application ecosystems are also an area of concern. In June, 2016, an errant mobile application update knocked out radio, GPS and environmental controls to Lexus vehicles. With cars poised to connect to smart homes, smart roads, smart cities and smart businesses, threats are expected to increase as well, given a wider attack surface.
Connected car manufacturers and suppliers need to respond by adopting a uniform security framework for connected vehicles, the Cloud Security Alliance concluded in a report released last week. “In the near future, connected vehicles will operate in a complex ecosystem that connects not only vehicles between each other and the traffic infrastructure, but also with new forms of connectivity and relationships to cloud-based services, smart homes, and even smart cities,” said Brian Russell, Chair of the CSA IoT Working Group.
But what is the state of connected vehicle security? And what steps are car companies taking to address these issues? The Security Ledger sat down with Sameer Dixit to find out. Sameer is the Senior Director, Security Consulting at Spirent, where he leads the ethical hacking and security research team called Spirent Security Labs. Sprient is a UK-based testing and measurement company to provides security consulting services, assessment and monitoring to leading automakers.
Sameer reports that security problems are rife in vehicle systems – some of them trivial to exploit. One example: a mobile application developed by a major automaker required only the vehicle ID number (or VIN) to authenticate to the car. But VINs are hardly protected information – they are readily viewable through the front windshield of a vehicle and can be looked up in the U.S. through state department of motor vehicle websites.
The auto industry, he says, is still making the transition to secure by design principles and is saddled with a legacy of security optional technology or “bolted on” fixes for known security issues that will do little to stem attacks.
Check our full conversation in our latest Security Ledger podcast below or at Soundcloud. You can also listen to it on iTunes. As always, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.