A push for the less-hackable car

There is no such thing as 100% software security. But groups representing the auto industry say it is possible to come close in vehicles. One thing is for sure, however: they have a long way to go.

The auto industry now has at least a couple of “best practices” guides for cybersecurity.

One, from the Automotive Information Sharing and Analysis Center (Auto ISAC), was released about a month ago and generated a flurry of stories that highlighted the group’s exhortations to automakers to start building security into their software from the ground up – from design through production.

Another is from Intel Security, which released a white paper earlier this month titled "Automotive Security Best Practices," a set of “recommendations for building security into the design, fabrication and operation phases of the automotive production process,” according to McAfee blogger Lorie Wigle (McAfee was acquired by Intel in 2011).

“More than just a set of recommendations, this paper is a call to action for the industry to integrate best practices into their processes now to achieve automotive security,” she wrote.


And, a cynic might add, a long-delayed call to action. While welcome in the security community, the call for best practices also raises the question of why it has taken so long to put a serious focus on automotive cybersecurity.


Vehicles have been increasingly “connected” for decades – and the attack surface is now, according to more than one study, varied and porous.

GPS became available in production cars in the mid-1990s, Bluetooth started becoming common by 2007 and Wifi connectivity arrived several years later, along with video chat and streaming content. That connectivity has also made them “smarter” – they can call 911 if there is a crash, and many have accident-avoidance features built into them.

All of which has improved physical safety and made vehicles into entertainment centers. But it has also made them much more vulnerable. Anything that is connected is hackable.

In a white paper titled "Commonalities in Vehicle Vulnerabilities," released earlier this month, the cybersecurity firm IOActive noted the breadth of the attack surface – data can enter vehicles through cellular radio, Bluetooth, Wifi, V2V radio, infotainment media, companion apps and Zigbee Radio.

The company said it had spent 16,000 hours researching vehicle cybersecurity since 2013, and using a formula combining how serious a vulnerability is and how likely it is to be exploited, ranked 22 percent of more than 150 vulnerabilities it found as critical. “These are the high-priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” wrote Corey Thuen, senior security consultant and the report’s author.

The problems have been increasingly apparent for several years now. A report from the financial advisory firm Stout Risius Ross found that the percentage of vehicle recalls attributed to software problems tripled between 2011 and 2015.

Obviously people’s laptops, smartphones, bank accounts and increasingly their “smart” homes are also hackable. But the stakes are much higher in a moving vehicle. If your credit card gets compromised, you can get a different one. If your bank account is hacked, you could lose a lot of money. But if your car gets hacked, you could lose your life.


That has been most famously demonstrated at the past two Black Hat conferences by Charlie Miller and Chris Valasek, hackers who now work for the ride-hailing service Uber. They showed that an attacker with physical access to a vehicle’s computer systems (in this case a 2014 Jeep Cherokee) can bypass Controller Area Network (CAN) protections and hijack functions including steering, acceleration and brakes.

Chrysler recalled 1.4 million vehicles after last year’s demonstration, and patched the flaw that allowed the two to hack the car remotely. This year, the two had to have a laptop plugged into the Jeep’s CAN through a port under the dashboard. But they were able to create much more dangerous mischief – turning the wheel or slamming on the brakes at any speed.

And they and other experts say it is only a matter of time before hackers will find ways to do that remotely.

As software management consultant Art Dahnert put it in a post on Dark Reading, "the age-old problem of software development failing to 'build security in' is leading to insecurity in automobiles today.”

So yes, Thuen agrees that “best practice initiatives are late. We have legacy technology mixed with modern technology being developed by companies that are just exploring this area of technology,” he said, “and all of that is a recipe for security gaps.”

But he and others say there is almost always a delay when a new technology is brought into a well-established industry.

The auto industry is “dealing with the challenge of adding connectivity to systems that were never intended to be connected,” said Steve Grobman, CTO for Intel Security Group.

Thuen agrees. “The emerging technologies have moved these auto companies from automobile manufacturers to Silicon Valley companies who also manufacture automobiles,” he said.

And there is evidence that the industry’s big players, which have always been notoriously secretive about both their plans and their problems, are concerned enough about their software vulnerabilities to share cyber threat information and solutions with one another.

“We’ve seen a sense of urgency, and the players – in a break with past industry tradition – are willing to share knowledge and best practices,” said David Barzilai, cofounder of Karamba Security, a company that makes security programs to protect automotive software.

There are at least some political leaders who believe it will take a push from government to get automakers to address their vulnerabilities, much like it took legislation to require safety features like seat belts and airbags.

U.S. Sen. Ed Markey (D-Mass.), who released a report in February 2015 titled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” also filed legislation last year, called the "SPY Car Act of 2015," to require the National Highway Traffic Safety Administration (NHTSA) to issue rules requiring “reasonable” protections for the physical security and privacy of those in connected cars. The report noted that “today’s cars and light trucks contain more than 50 separate electronic control units (ECU) that collect driver information and are also vulnerable to attack.”

But that bill never went beyond a referral to committee. Markey’s staff did not respond to questions on the status of the bill.

And experts generally argue that legislation would not be as effective as various private sector pressures. One of the most obvious problems is the difficulty with defining "reasonable."

Barzilai said automakers are already under major pressure to improve the software security of their products for two reasons: “To avoid brand damage that may harm sales of their current models, and to make sure cyber security is an enabler for autonomous cars.”

Autonomous cars and ride-sharing “are seen as the industry’s two main growth engines in the coming years,” he said, adding that if there are significant and successful hacks of vehicles, “growth and sales expectations will be negatively affected.”

Thuen said he thinks pressure will also ramp up with the adoption of cybersecurity insurance. “No companies are better at assessing risk than insurance companies,” he said, “and if anyone can figure out what activities actually make us more secure, it’s them.

“Also, a statement like, ‘Having a vulnerability assessment done on a component will reduce your premiums by X dollars,’ is an actual ROI that business leaders and policy makers can factor into their calculations.”

Of course, there is also the reality that, in the online world, nothing is bulletproof. Even Auto ISAC notes in its best practices document that, “a future vehicle with zero risk is unobtainable and unrealistic.”

But Barzilai, while he agrees with Auto ISAC, said he also believes that, “cars and drones can be hardened in a way that will make the risk of cyber hacking tamed to levels that are close to zero.”

That, he said, is because “cars, drones and IoT devices in general, are not user-configured. They should run according to factory settings, so any foreign code or unexpected in-memory operation imply hacking attempts.”

And Grobman notes that semi- and fully autonomous vehicles are already in the works. He said the Automotive Security Review Board (Intel is a founding member), “has a vision of driving research to achieve intelligent, self-healing vehicles.”

And he said it is important to focus on the “aggregate” improvement that connected cars bring to vehicle safety, and not dwell only on a few failures.

“Just as the airline industry now relies on automation and ‘fly by wire’ to improve air safety in inclement weather, we should look forward to similar benefits in the automotive world,” he said.

Taylor Armerding