The Driver as Weakest Cyber Link
Upstream Security published its annual Global Automotive Cybersecurity Report 2020 last week highlighting the near doubling of publicly reported incidents documented by the Upstream team. The report is an extraordinary document, worthy of the attention of senior-most executives in the automotive industry, but it overlooks the weakest link in automotive cybersecurity: the driver.
Upstream Security report available here: https://www.upstream.auto/upstream-security-global-automotive-cybersecurity-report-2019/
The Upstream report highlights the multi-layered challenge of securing cars implicating the supply chain, aftermarket devices, and roadside infrastructure. The report notes the predominance of keyfob, OBDII, and mobile app vulnerabilities and even emphasizes the growing risk of server attacks which not only expose thousands of vehicles (and customer data) with a single hack but also expose the broader automotive enterprise.
The report details the results of various bug bounty programs from car makers and aftermarket device and service providers and also reviews global regulatory activities. Where the report fails, however, is in identifying the process of customer engagement in the battle against vehicle hacking and cyber intrusions.
After years of battling hackers the automotive industry remains woefully under-resourced to prioritize and take on the issue of securing cars. The Auto-ISAC in the U.S. - now preparing a European initiative - has finally convinced auto makers to share information regarding hacks, attempted intrusions, and known vulnerabilities. But the industry has yet to define a process for communicating this same information to consumers.
I can understand why auto makers might not want to communicate the status of vehicle vulnerabilities to consumers because, by and large, auto makers are ill prepared to do anything about vulnerabilities when they are discovered. The massive Takata airbag recall - soon to be expanded - exposed the automotive industry's limitations in locating and identifying the current owners of affected vehicles - a shortcoming that lingers to this day and limits the ability to respond to cyber issues.
Of course, correcting vulnerabilities most often involves over the air software updates but, again, the industry lags here as well. It all relates back to the automotive industry's tortured relationship with vehicle connectivity. More than half of cars produced in the world today are shipped with built-in wireless connections, but auto makers have yet to define a value proposition to make car connectivity universally appealing to car buyers (with the sole exception of Tesla Motors, of course).
In fact, most of the consumer messaging related to car connectivity suggests that it is a terrible thing infringing privacy, distracting drivers, and introducing cybersecurity risks, In fact, the over-riding recommendation of a ConsumerWatchdog.com report on cybersecurity is a requirement for a built-in vehicle kill switch.
Why Connected Cars Can be Killing Machines and How to Turn Them Off - https://www.consumerwatchdog.org/sites/default/files/2019-07/KILL%20SWITCH%20%207-29-19.pdf
The ConsumerWatchdog report has a robust roster of recommendations (below) to which I have one objection.
"Road Map Recommendations
- "Regulators should require automakers to publicly disclose the authorship, safety certifications, and testing methodology used for all safety and security critical software, allowing for analysis by independent regulatory and testing agencies.
- "CEOs of auto manufacturers should sign personal statements and accept personal legal liability for the cyber-security status of their cars.
- "The industry should agree to a general standard protocol that cars not be connected to wide-area networks until they can be proven immune to hackers.
"New car designs take three to five years to reach consumers. However, every car maker should commit before year’s end that:
- "Each one of their cars at the earliest possible date will come with an Internet kill switch that physically disconnects the Internet from safety-critical systems.
- "Future designs will completely isolate safety-critical systems from infotainment systems connected to the Internet or other networks because connecting safety critical systems to the Internet is inherently dangerous design. If car makers do not commit by December 31, 2019, legislators and regulators should mandate these protections."
It is my firm belief that cars will never be certifiably secure UNLESS they are connected - including the infotainment system. The reality is that it is impossible to achieve the kind of isolation of infotainment from safety recommended by ConsumerWatchdog. These systems are already connected in most new cars and must be.
The infotainment system and the instrument cluster display (as well as the related vehicle mobile app and Web portal) are vital points of communication with the consumer. Car makers need to work to harmonize these points of customer contact such that they are able to communicate the status of vehicle functionality and security.
We're all familiar with fuel levels, oil temperature, and tire pressure indicators. But the future of vehicle health reports promises the integration of vehicle health and data security.
Two other recent reports – both from news organizations – highlight the challenge of managing and protecting both vehicle and personal data. In one, a Washington Post reporter describes the horrible data hygiene practices in the automotive industry with emphasis on the lack of transparency and consumer control. His recommendation, like ConsumerWatchdoy, is for the addition of either a data and/or location kill switch as well as a button to erase data left behind in a vehicle.
“What Does Your Car Know about You? We Hacked a Chevy to Find Out” - https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out/
(Privacy4cars.com has an application providing model-by-model instructions for erasing vehicle data.)
The other report is a multi-part series from the New York Times on smartphone tracking pointing out the dozens of companies gathering and creating a market for location data extracted from smartphone applications.
“12 Million Phones, One Dataset, Zero Privacy - https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html?searchResultPosition=2
The temptation is to continue to regard automotive cybersecurity as a niche concern – a longshot – something for the other guy or gal – or the other company to worry about. The Upstream Security report makes clear that few car companies and, ultimately, few consumers will remain untouched by automotive cyber vulnerability.
The Department of Homeland Security's Common Vulnerabilities and Exposures (CVEs) report created by Mitre Corporation might suggest that the automotive industry is a lower priority for hackers. Upstream reports: “To date, there have been 66 CVEs related to the automotive industry, 7 of which have been listed in 2019. There are currently over 120,000 listed CVEs across many different industries.
“Compared to that, the 66 automotive-related CVEs seems like a small number, however, this only shows that the automotive industry is still in its infancy when it comes to publicly sharing this type of information. This is especially clear when looking at the small number of CVEs compared to the tens of thousands of components within a connected vehicle multiplied by the number of vehicles on the road. In addition, each one of those 66 vulnerabilities could potentially affect millions of vehicles currently in use.”
Those 66 automotive CVEs appear to be the tip of the ice berg.
The Auto-ISAC is not able to share its industry reporting of attacks and vulnerabilities with the public. What is clear is that the 367 reports analysed by Upstream Security taken in context with the thousands of reported vulnerabilities acknowledged by bug bounty program operators clearly suggest an open barn door situation in the automotive industry. Not only are millions of cars and the personal data of millions of car owners vulnerable, but so, too, are the enterprise assets of the car companies themselves connected as they are today with their vehicles.
Car makers may not want to communicate publicly regarding individual vehicle vulnerabilities as they arise. But the time has arrived to define the protocols for communicating such urgent conditions as they arise to consumers in a timely and appropriate fashion. The U.S. Supreme Court refused to hear FCA’s appeal of an adverse class action ruling in the Jeep hack case of 2016. Without legislation and without legal cover – at least in the U.S. – car makers are even more vulnerable than their own customers. It is time to act.
Enjoying mentoring and advisory engagements
4 年Keep beating the drum, but be sure to take enough time to properly enjoy the holidays.
President at AIRMIKA, Inc. / AUTOCYB
4 年Another useful article - thanks Roger and Happy Holidays.? ?