Black Hat 2014: Hacking the Smart Car – IEEE Spectrum

Posted from WordPress for Android

1 Comment

  1. Tomi Engdahl says:

    Survey: Cars Contain Few Barriers to Hackers
    ‘OEMs don’t yet have desire, skills, tools or processes to make a secure car’

    Recent survey results on car cybersecurity, conducted in July 2015, have revealed that the automotive industry is still ill-equipped to protect connected vehicles from hackers—regardless of the industry’s assertions to regulators, the media and consumers.

    Ponemon Institute, who asked questions—via telephone, secure Web and direct interviews—of 500 automotive developers, engineers, and executives primarily from automotive OEMs and Tier One suppliers, produced a damning report entitled “Car Cybersecurity: What Do the Automakers Really Think?”

    The report found that automotive developers do not believe their companies are either taking security seriously enough, or empowering them to make software more secure.

    the most shocking revelation was that “security was a priority for less than half of respondents.”

    According to the report, only 41 percent of developers polled agree that secure software is a priority for their companies. In fact, 28 percent disagreed.

    Even worse, 69 percent of these developers believe that securing the applications are difficult/very difficult, and nearly half believe that a major overhaul of the car’s architecture is required to make it more secure.

    The survey further revealed that at least 44 percent of the developers queried believe that hackers are actively targeting automobiles.

    The survey concluded: “OEMs and their suppliers do not yet have the desire, skills, tools or processes to make a secure car.”

    That sounds pretty harsh.

    But the survey results showed also that there is fundamental knowledge gap—among automakers—about how to move forward to avoid security failures.

    In defense of automakers, the report says that this lack of knowledge doesn’t mean that automakers are sitting still.

    The survey found that 63 percent are running automated software scans during development. Half are running scans after the application has been released, and 36 percent are conducting penetration tests.

    Most significantly, though, the survey found only a quarter of those surveyed say that “they are adhering to secure coding standards or conducting high-level assessments such as threat models.”

    According to the report, “Surprisingly, 43 percent felt that white hat hackers should be subject to the Digital Millennium Copyright Act (DMCA), which means hackers could be potentially arrested for experimenting on automotive application code.” Further, of the 42 percent that believe white hat hackers shouldn’t be subject to the DMCA, 54 percent of respondents said these hackers shouldn’t be encouraged to test car software.

    Over the last several years, carmakers in general chose complacency over action. Among their reasons for this complacency were: “it can’t happen here,” “too much effort for too little reward,” and “no known actual breaches,”

    The automotive industry’s behavior has not changed.

    By this summer, though, several celebrated hacking incidents had emerged. These include the vulnerabilities found in Chrysler Jeeps, which resulted in Chrysler’s recall of 1.4 million vehicles, and a flaw in General Motors’ OnStar RemoteLink system, through which a hacker found a way to remotely unlock doors and start engines. These incidents contradicted carmakers’ arguments that such incidents are “unlikely scenarios” and “scare mongering.”

    CAN Bus Can Be Encrypted, Says Trillium

    Until the recent wave of carmakers rolling out more and more connected cars for the consumer market, cyber security was always a matter of indifference to car OEMs and Tier Ones. Now, it’s a big deal.

    “Hacking research has shown that nearly all access points can be compromised.” To cope with this reality, technology suppliers are beginning to launch a number of cyber security solutions, he said. They range from hardware security to CAN (Controller Area Network) bus firewalls and ECU software monitoring.

    But what the world hasn’t seen yet – and Juliussen hasn’t seen either – is a technology capable of encrypting CAN bus itself.

    That’s about to change, according to Trillium, a Japan-based start-up headed by David Uze, former CEO of Freescale Japan. Uze told EE Times this week that a small team of Trillium engineers has developed what it calls SecureCAN — “a CAN bus encryption and key management system for protecting payloads less than 8bytes.”

    Essential to this assertion is a claimed ability to handle data “in 8bytes,” instead of the 128-bit block the Rijndael algorithm needs for AES-based encryptions.


Leave a Comment

Your email address will not be published. Required fields are marked *