Each year Black Hat USA shows us what’s trending in the cyber security community. This year’s event was buzzing with the latest research into car hacking.
In fact, the show featured several presentations on this topic. The most renowned one involved two security researchers who took control of a Jeep Cherokee using the vehicle’s wireless communications system.
What’s interesting about the Jeep Cherokee incident is that it demonstrates that car hacking is more than hype. Vehicles are increasingly becoming computers on wheels. As we evolve further into the “Internet of Things” (IoT), auto manufacturers will concurrently need to address cyber security issues.
The matter of remote vehicle monitoring and management (including remote real-time theft interdiction) is a brave new world of legal challenges for both manufacturers and consumers. To date, the federal government has provided no guidance on best practices. Nor has it described any way for companies that produce vehicles or automobile components to find legal safe harbor against liabilities.
The vulnerability that hit Chrysler – and apparently many other auto manufacturers – using a common, vulnerable wireless subsystem is uncharted territory. Very little information is provided by manufacturers on their designs, security, or penetration testing results. However, it’s not as though there is no body of science, testing and certification to achieve public trust in these systems. Just see Common Criteria Certification (https://en.wikipedia.org/wiki/Common_Criteria) for one example.
Car Hacking Vulnerabilities Have Likely Been Long Known
I would not be surprised to eventually learn that designers of the compromised Chrysler systems were well aware of the cryptography and firewall technology needed to isolate infotainment systems from life-safety systems (like the engine, brakes and steering) within the vehicles. In all likelihood, they decided not to implement the solutions due to cost and long-term reliability concerns.
Allowing an insecure system with Internet access to be shipped, and putting citizens at physical risk, is gross negligence. Therefore, the US Government should fine Chrysler billions of dollars. The EU should sue their parent company, Fiat Chrysler Automobiles, for billions of euros. Only with harsh penalties and punitive consequences will the message be sent (and received) that security for IoT must be taken seriously by companies.
The Jeep Cherokee hacking disclosure will certainly change the thinking on the number of layers of security – both physical and logical – that should be required in vehicle designs. It remains to be seen if the latest research into car hacking also prompts the US government to force well-known design standards on life-critical systems in automobiles.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.