Euro Security Watch with Mathew J. Schwartz

Car Hacking Spurs Automakers to Share Threat Information

But Don't Call Software Bugs Defects, Auto Lobby Says

Is a hackable car defective? Put that question to the auto industry, which likens hack attacks to troublemaking - such as slashing car tires - and its answer might be "no."


"We would reject a blanket assertion that a cyber risk is a defect," Mitch Bainwol, who heads the Alliance of Automobile Manufacturers - a Washington lobbying group that represents a dozen car companies, including General Motors Co. and Toyota Motor Corp. - tells The Wall Street Journal. "There is a difference between a routine function of a vehicle where a problem arises and the intervention of a bad actor."

From a safety standpoint, however, the bigger-picture question is what responsibility automakers bear for shipping buggy code in their vehicles, and for "cyberproofing" every networked system those vehicles contain. Likewise, when should software bugs count as defects that trigger expensive, mandatory safety recalls and potentially ding an automaker's reputation?

Not surprisingly, the automotive industry appears to want to downplay any liability or responsibility it might have if a hacker discovers flaws in millions of passenger vehicles that could be exploited to disable a car's brakes, honk the horn, jerk the seat belt, take control of the steering wheel or otherwise turn the vehicle into a public-safety threat.

Of course, that is exactly what well-respected researchers Charlie Miller, a security engineer who until recently worked at Twitter, and Chris Valasek, IOActive's director of vehicle security research, were able to do, thanks to bugs they found in the entertainment and navigation systems installed in many Fiat Chrysler cars, SUVs and trucks. The pair, who presented their research earlier this summer at the Black Hat conference in Las Vegas, also warned that anyone who knew the IP address of a vulnerable vehicle could exploit the bugs from anywhere in the world (see Hot Sessions: Black Hat 2015).

In a first, the research led to Fiat Chrysler Automobiles issuing a voluntary recall for about 1.4 million vehicles in the United States so they could be upgraded with emergency security patches. But the company was not forced to label the software bugs as a defect, and it remains to be seen how many vulnerable vehicles will actually get patched. On a related note, however, the National Highway Traffic Safety Administration says it has launched a "recall query" to assess the success of Fiat Chrysler's efforts.

Such software flaws are not isolated incidents. In July, for example, Land Rover recalled 65,000 Range Rover and Range Rover Sport vehicles sold since 2013, after discovering that a software bug could be exploited to "unlatch" their doors without any dashboard warning, BBC reports.

Software Bugs: Defects

You don't have to be a security expert to cry "defect" when you hear about those types of exploitable risks, and many people outside the automotive industry feel likewise. "A cybersecurity vulnerability is a safety defect in the same way an exploding air bag or a malfunctioning ignition switch is a safety defect," says Sen. Edward Markey, D-Mass. "Automakers cannot ignore their responsibility to ensure the cars they sell are safe from hacking."

Markey and Sen. Richard Blumenthal, D-Conn., last month introduced a bill that would require regulators to create and enforce cybersecurity standards for automobiles. The Security and Privacy in Your Car Act - Spy Car for short - would require the NHTSA and the Federal Trade Commission to establish automotive cybersecurity as well as privacy standards. The legislators say it is important to get standards in place now, as cars gain more wireless, and eventually self-driving, capabilities.

Outdated Safety Regulations

Setting car-related privacy standards is an important step, because Internet-connected cars have the potential to begin amassing numerous types of data about drivers and applying it for "big data and predictive analytics" purposes, says market research firm Frost & Sullivan. But it notes that automakers have yet to capitalize on these possibilities.

The new legislation is needed because current automotive safety laws date from 1966, and tend to focus on physical safety systems and crash resilience. "There really is no precedent for a hacking situation," Allan Kam, a former senior NHTSA enforcement lawyer who now runs consultancy Highway Traffic Safety Associates, tells The Wall Street Journal. Under current car-safety regulations, furthermore, he warns that regulators could likely force a recall for a software bug only if they could prove that the bugs were worse than the industry average.

Automakers Finally Promise ISAC

One upside of Miller and Valasek's research, however, is that it has finally driven the Alliance of Automobile Manufacturers and the Association of Global Automakers to promise that by the end of 2015, they will launch an Information Sharing and Analysis Center dedicated to car hacking and software flaws. The ISAC is being advertised as a way for the auto industry to share information on software bugs and potential vulnerabilities.

Mark Rosekind, who heads the NHTSA - which reorganized its research organization to focus on vehicle electronics back in 2012 - has also welcomed the move, calling it overdue. "NHTSA has been urging the industry to form an ISAC for some time, and the agency sees this announcement as a milestone in cybersecurity efforts," he said in a July 21 speech. "ISACs serve as clearinghouses for information on the latest cyber threats, and can help coordinate security efforts, both before an incident occurs and in the midst of a crisis. The finance, aviation and utility industries all have established ISACs to help protect their critical infrastructure."

Many security experts also say it's a good move, even if the automotive industry's products do not currently appear to be coming under serious or sustained attacks. "Is it dire right now? I wouldn't say so, but now is the time to form the ISAC so the infrastructure and trust is there when they need an ISAC," Denise Anderson, chair of the National Council of ISACs and formerly a vice president of the financial services industry's ISAC, tells Automotive News. "You don't want to be caught unprepared. Healthcare is being heavily targeted right now, but in the past they weren't."

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
