Open Letter From Hackers Highlights Automobile Security Risks
Researchers are calling for support of a movement that pushes car makers to improve cyber-security in latest automobiles
A group of hackers and security researchers called upon attendees of the DefCon security conference in Las Vegas over the weekend to sign an open letter encouraging auto-makers to improve the security systems of their latest cars.
I Am The Cavalry, founded a year ago, said it differs from other security groups in that it is aiming to build relationships with car makers, rather than simply forcing them to take action by publicising security vulnerabilities.
‘Computers on wheels’
“Modern vehicles are computers on wheels and are increasingly connected and controlled by software and embedded devices,” the Cavalry said in the open letter, addressed to the chief executives of automobile companies.
“New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation.”
The group is encouraging car makers to adopt five key security strategies, including making public a secure, standards-based software development programme; collaborating with third-parties such as security researchers; including “black box”-style systems that can securely capture data in the event that something goes wrong; and enabling their cars to receive software updates without requiring vehicle recalls.
The group also called upon car makers to physically isolate the computer systems that operate critical systems such as brakes, steering or airbags from those that run entertainment systems or Internet connectivity – something that isn’t the case in most current vehicles.
“If systems share the same memory, computing, and/or circuitry (as most current generation cars do), these systems allow for loss of life and limb,” the Cavalry wrote in the letter “Such risks are entirely avoidable and merit a higher standard of care.”
‘Most hackable’ cars
Cavalry co-founders Joshua Corman, CTO of Sonatype, and Nicholas J. Percoco, vice president of strategic services at Rapid7, made a presentation at DefCon outlining the group’s achievements in its first year, including its efforts to ensure safety in the areas of medical, home electronics and public infrastructure technology.
“Our dependance on computer technology is increasing faster than our ability to safeguard ourselves,” the group said in a statement published on its website. “As the question around technology is less and less ‘can we do this?’, we must more and more be asking ‘should we do this?'”
Other security researchers are taking a more forceful approach where it comes to the auto industry, including Charlie Miller and Chris Valasek, who last week presented an analysis of wireless attack surfaces in 24 automobile makes, ranking the 2014 models of the Infiniti Q50 and Jeep Cherokee as well as the 2015 model of the Cadillac Escalade as the “most hackable” on their list.
“They say they know what they are doing,” Miller told Reuters. “But all the evidence points to the contrary.”
Security risks
The Auto Alliance, which represents car makers including BMW, Chrysler, Ford, Jaguar and Volkswagen, said companies are well aware of the importance of cyber-security.
“Cyber-security is among the industry’s top priorities and the auto industry is working continuously to enhance vehicle security features,” the group said in a statement. “Auto engineers are incorporating security solutions into vehicles from the first stages of design and production, and their security testing never stops.”
A spokesman for the group declined to comment on The Cavalry’s open letter.
Do you know all about the Internet of Things? Take our quiz.