Carmakers have an uneasy relationship with those exposing security flaws in connected vehicles
Feet poking out of the window, Charlie Miller lay across the front seats of his Fiat Chrysler Jeep while it drove, seemingly by itself. Suddenly, it jerked to a halt, as his research partner Chris Valasek, sitting on the other side of the car park, used a laptop to slam on the brakes.
Mr Miller and Mr Valasek, car hackers, prompted a recall of 1.4m Fiat Chrysler vehicles last year after a magazine article detailed how they accessed a radio to disable a Jeep’s transmission as it drove along a road. Now they are back at work, showing that with initial physical access, they can trick a car into speeding up, braking, or force it to ignore a request from the emergency parking brake.
But they do not think carmakers are taking them seriously. “They all say their car couldn’t be affected,” the pair said, laughing on stage at this month’s Black Hat cyber security conference.
As more cars link up to the internet, their makers are having to tackle problems that the software industry has struggled with for decades. The more connected the vehicles are, whether through entertainment systems or self-driving mechanisms of the kind revealed by Ford, Volvo and Uber this week, the more vulnerable they could become.
Katie Moussouris, founder of Luta Security, which helps companies and governments work with so-called ‘White Hat’ hackers, says it is a big challenge. “How can we secure connected cars, when we’ve not yet perfected securing technology that is 35 years old?” she asks.
Many car manufacturers have made a good start in the last couple of years. Some are creating programmes to encourage the kind of research done by Mr Miller and Mr Valasek, who are now employees of Uber’s self-driving car lab. Other companies are focusing on recruiting their own security experts, while many have launched an information-sharing organisation to set guidelines on cyber security.
But it is still early days for the industry. There remains a reluctance to share cars with cyber security researchers, a complex supply chain where the carmaker does not usually own the software in its cars, and a very long lead time, which means when a car reaches the forecourt, its security is already out of date.
At Def Con, Black Hat’s more hands-on sister conference in Las Vegas, hackers gathered in a car-hacking village, where some offered their own cars for others’ tinkering.
The cyber security industry has a long history of pulling apart software and devices to discover flaws in an attempt to fix them, with companies from Google to Microsoft financially rewarding researchers with so-called ‘bug bounties’.
Yet it is a tradition the car industry is not yet completely comfortable with. While GM and Fiat Chrysler were among carmakers to launch programmes that encourage such research this year, the cars at Def Con still have gaffer tape over their logos in case they run the risk of legal action.
Craig Smith, transportation security research director at Rapid7, a cyber security company, runs the car-hacking village at Def Con. He first became interested in manipulating his car for a seemingly innocent reason: he wanted to play music videos on his car’s navigation system for entertainment during a boring commute.
“Five years ago, when you’d bring up security flaws to auto manufacturers, you’d pretty much just get a ‘cease and desist’ letter. Now it is way better,” he said.
Mr Smith now runs Open Garages, a community to share information on how connected cars work, and is the author of the Car Hacker’s Handbook.
He sees big variations between companies. Some still struggle to provide an email address for people to report flaws — and German carmakers in particular are very reluctant to run public vulnerability programmes, he says.
Few carmakers realise that security cannot be done in the same way as quality assurance, but is a constant battle against an active adversary hunting for flaws. “You can’t QA the bugs out. Google hasn’t even figured out how to do that,” Mr Smith adds.
Complex supply chains can make these programmes even more difficult, as some carmakers are worried about the legality of offering money for people to hack the software of another company, even if it is the software they use in their own cars.
A three-year study by cyber security company IOActive looking at car components found that more than half had flaws that could allow hackers to control parts of the vehicles’ core functions, such as braking or steering, with potentially “dire” consequences.
“Every system or component that we tested had at least one vulnerability,” said Corey Thuen, senior security consultant, who led the research.
“In fact, across all sectors of our customers, we have never not found a vulnerability. This research shows that the issues are systemic and plague virtually the entire industry.”
Self-driving cars will also change the security risks. There will be a greater attack surface, with more possible ways in to the cars’ network, but it will also be more of a challenge to trick the car, because it will rely on so many sensors, rather than just, for example, sensing that a driver has put his or her foot on the brake.
Beau Woods, deputy director of the Atlantic Council’s cyber statecraft initiative and part of a civil society organisation called I Am The Cavalry, said even when carmakers do find out about vulnerabilities, either from researchers or their own staff, a fix can be a long time coming. It can take between five and nine years to design a new car, which is then driving around for another seven to 11 years on average, he said.
“That’s 20 years of exposure once you know how to fix something. That is crazy,” he said.
When the 1.4m vehicles were recalled last year after research by Mr Miller and Mr Valasek, people were asked to take the cars to their dealer for an update. If they didn’t go, they were sent a USB memory stick to update the car themselves, but there is no guarantee they did it.
Instead, many cyber security experts argue carmakers should enable updates that carmakers can push remotely. “Over the air it might take six days — that is orders of magnitude better than six years,” said Mr Woods.
Ms Moussouris says these remote updates are crucial for carmakers, and the providers of a whole range of connected devices from lightbulbs to fridges, that have not yet figured out a way of keeping them secure. “Over-the-air updates are the biggest advance for ‘Internet of Things’ software,” she said.
Additional reporting by Peter Campbell
The first meeting of the carmakers’ cyber security information sharing body was a “very, very quiet room”, according to Jon Allen, an executive director of the Automotive Information Sharing and Analysis Centre, or Auto-ISAC.
“This is not an industry that talks to each other at all,” he said.
The two carmakers’ associations — the Auto Alliance and the Association of Global Automakers — came together to form a group using a model used by other industries, such as in finance two and a half years ago. It may have been later than many other industries, but unlike others, it did not need a large attack to push manufacturers into action, Mr Allen says.
Now, Mr Allen gives them an “A for effort”. Just two weeks ago, many carmakers and their suppliers got together to try out different car cyber security problems.
“We looked at a fake attack on a car, did different scenarios, one safety related, one that considered safety and discussed what would happen if the supply chain was exploited,” he said.
How to respond to an incident is also top of the list for the US Department of Transportation, after a government accountability office report published in March recommended the department define what it is responsible for after a vehicle is hacked in an attack that compromises safety-critical systems.
The Auto-ISAC hopes to develop its first set of best practices for seven key areas including governance, risk management and secure design.
Mr Allen agrees it is important that carmakers can update the vehicles from afar, but admits this is a challenge for older cars.
“Over-the-air updates will not be nearly as hard for future vehicles. The challenge for manufacturers is those connected vehicles created 10 years ago with vulnerabilities,” he said. “These are not iPhones that you discard after a couple of years.”
Copyright The Financial Times Limited 2016. You may share using our article tools.
Please don’t cut articles from FT.com and redistribute by email or post to the web.