A small segment of the security research community has been spending a lot of time tearing apart the innards of various vehicles and looking at ways that the computers and local networks that reside in modern cars can be hacked. There has been some remarkable success on this front, and while auto makers haven’t paid much attention so far, the acting head of the National Highway Traffic Safety Administration says that it’s time they did.
Researchers Chris Valasek and Charlie Miller have done several public demonstrations of the kinds of attacks that are possible on some current vehicles, attacks that can take over a car’s steering, brakes and other vital operations. They, along with other researchers, have tried to talk with manufacturers about the vulnerabilities that in-vehicle systems have and the real-world attacks that are possible, but with little or no success. Valasek and Miller have found potential remotely exploitable vulnerabilities in some vehicles, and have said that fixing such a bug once vehicles are on the road could be incredibly difficult, and expensive.
“It’s going to be really hard when an exploit comes out and everyone has a vulnerability that needs to be fixed,” said Valasek, director of vehicle security research at IOActive, during a talk at Black Hat last month.
Auto makers are famously slow to adapt and change their methods, but David Friedman, the acting administrator of NHTSA, which sets vehicle safety standards in the United States, said on Tuesday that manufacturers need to get ahead of the problem and begin talking to each other about information security issues.
“Certain things about safety should not be at all about competitive advantage,” Friedman said, according to the Detroit Free Press. “I think cybersecurity is one of those perfect examples where sharing information will ensure that everyone is better off.”
Information-sharing initiatives have been a tough go in many industries, especially those verticals where competitive edges are razor thin. The automotive industry is one such vertical, and, unlike technology or banking, it has product cycles that are measured in years or sometimes decades. But the need for industry-wide sharing of vulnerability and threat information is real, and the consequences for mistakes or lax responses are extremely high in the auto industry. A broken update or successful attack on a vehicle could have serious real-world effects, not just a browser crash.
Valasek and Miller already have developed an idea for an in-car intrusion detection system that could help detect anomalies, but Valasek said it would likely be a tough sell.
“Auto manufacturers don’t like adding complexity to their cars,” Valasek said after he and Miller delivered a talk on the topic at the Kaspersky Security Analyst Summit in February. “If you’re trying to tell them to change the architecture, you’d get massive pushback.”
Some of the other information sharing and analysis centers that exist in vertical industries have had help from the federal government, but it’s not clear whether NHTSA will help kick-start an ISAC-style organization for Detroit.