Episode 108: DEF CON’s Car Hacking Village and is the Open Source Model Failing on Security

In this week’s podcast (#108), sponsored by CA Veracode: hacker summer camp wrapped up on Sunday, as the 26th annual DEF CON conference concluded at Caesar’s Palace in Las Vegas. Hacks of connected and smart vehicles were a big theme again this year. We sat down with the organizers of DEF CON’s Car Hacking Village to see what was news at this year’s show.  Also: open source software has revolutionized the way software gets made, and turbo charged the growth of companies like Facebook and Uber. But is the open source model failing us when it comes to security? We’re joined by OWASP founder Mark Curphey of CA Veracode to discuss it.

Elon who? A visit to DEF CON’s Car Hacking Village

Hacker summer camp wrapped up on Sunday, as the 26th annual DEF CON conference concluded at Caesar’s Palace in Las Vegas, ending a week of security conferences including the annual Black Hat Briefings and B-Sides Las Vegas. Some of the headlines out of the shows were predictable: DEF CON’s voting village yielded all too predictable stories about outdated electronic voting equipment making an easy target for hackers – this year it was an 11 year old girl.

While we always love to see middle schoolers and teens strutting their stuff at DEF CON, we’ve also weighed in on why hacks of aging e-voting systems might not be the best use of the security industry’s time and energies.

What was of interest at this year’s show were hacks of connected vehicles – including a talk and paper (PDF) by Jeep Cherokee hackers Chris Valasek and Charlie Miller, a presentation of a remote hack of a Tesla vehicle by researchers at China’s Keen Security (a division of Tencent) as well as  — wait for it — a surprise appearance by Tesla Chief Elon Musk, who left with a promise to release Tesla’s security software as open source, clearing the way for it to be used across the industry.

That’s a great gesture and speaks to Musk’s history and roots as a creator of Internet-powered startups like Paypal. But – as we know, the automobile industry is older and wholly different from Silicon Valley and there’s no indication that the future of connected cars will look anything like that of connected phones, connected homes or anything else.

To get a sense of where things might be heading, Security Ledger stopped by the Car Hacking Village at DEFCON last week to speak to the folks from Grimm, a top vehicle security consultancy that organizes the Car Hacking Village. In our first segment of this week’s podcast, I speak with Bryson Bort, Grimm’s Chairman and Founder and researchers Tomas Tillery and Aaron Cornelius about the differences and similarities between hacking vehicles and other kinds of connected endpoints, and about what the near future and the advent of self driving and autonomous vehicles may hold.

A contestant in the DEF CON Car Hacking Village’s Kidnap Challenge. Photo by Paul Roberts.

We start off by talking about the Car Hacking Village, which this year added a “kidnap challenge,” in which DEF CON attendees were grabbed (with their consent, of course), blindfolded, thrown in the back of a Jeep Cherokee and given a laptop and a connection to the vehicle’s network. Their challenge, manipulate the car to spring the trunk or door locks and free themselves.

With Many Eyes, Open Source Risk is Deep

Open source software has revolutionized the way software applications get made – and how companies get started. The proliferation of open source projects has created an ecosystem of ready-made blocks that can be used to build and expand software applications at lightening speed. Companies like Google, Facebook, Twitter and – yes – even Microsoft now rely heavily on open source software to power their growth and operation.

Mark Curphey, CA Veracode
Mark Curphey is the VP of Strategy at CA Veracode.

But the shift to open source software is not an unallied good. In fact, the widespread use and re-use of open source libraries and code might accelerate software development, but it also spreads around cyber risk in the form of exploitable software vulnerabilities in that code and even back doors, malware and ransomware that might worm their way into open source repositories.

[You might also like: Podcast Episode 94: Black Report takes Hacker View and Securing the Open Source Supply Chain]

The world woke up to this with the Heartbleed vulnerability in OpenSSL, but the problem is much bigger than one open source tool. To get a better understanding of the problem, we caught up with Mark Curphey of the firm CA Veracode on the sidelines of the Black Hat Briefings.

In this conversation Mark talks about the founding of his company SourceClear, which was acquired by Veracode, and about the problem of tracing the impact of open source vulnerabilities in software applications. Unlike other security research problems, however, solving the open source dependency problem requires cutting edge data science to analyze changes across millions of open source libraries and billions of lines of code.

(*) An earlier version of this story misspelled Mr. Bort’s last name. The story has been corrected. PFR 8/14/2018

One Comment

  1. Grimm does not organize the village, they sponsor and provide content. But please don’t discount all the others involved.