Washington's role in hack-proofing cars: A light touch?

Collaboration, not mandates, will help secure cars from the hackers who can hijack them over the internet. Such was the tenor of a legislative briefing for Hill staffers delivered this week by the Institute for Critical Infrastructure Technology and security consultancy IOActive.

In a conversation that used the July story of researchers killing a Jeep on a St. Louis highway as its jumping off point, security experts and a congressional staffer called for the National Institute of Standards and Technology – but not necessarily other agencies – to step up to help secure one of the deadliest “things” in the Internet of Everything.

Danger, danger everywhere

“Could a script kiddie have done what we did?” asked Chris Elbring, IOActive’s senior vice president for research and delivery. “No.”

(The team behind the July Jeep hack included Chris Valasek, who headed up IOActive’s vehicle security research until Uber poached him in August.)

But just because teenage hackers can’t do it easily doesn’t mean it’s not a huge threat, Elbring noted.

In a report released Sept. 21, the same day as the briefing, ICIT and IOActive detailed the extensive vulnerabilities that made a remote car hack possible.

Chief among them: cellular connectivity and a lack of segmentation.

The 2014 Jeep Cherokee’s head unit connects to both of the vehicle’s controller area network (CAN) buses, meaning that, with some work, the researchers were able to access the head unit through the cellular radio (telematics system) – “the holy grail of automotive attacks,” researchers wrote, because of its extended range – and then move laterally to gain control over the engine, brakes and other functions.

Modern convenience and safety features, including automatic parallel parking, lane assist and adaptive cruise control, have helped link all critical car functions to electronic control, and car companies are struggling to properly segment steering and other critical functions from outside connectivity.

“Pretty much every system we encounter, [system design and segmentation] is done incorrectly,” Elbring noted.

There’s also a danger, researchers say, of personal information getting pilfered as cars allow syncing with wireless devices and can function off Wi-Fi hotspots.

Researchers focused on the 2014 Jeep Cherokee because that’s the car they could afford to purchase and examine, but they pointed to widespread vulnerabilities across most modern vehicles.

“The Harman Uconnect [telematics infotainment] system is not limited to the Jeep Cherokee, and is quite common in the Chrysler-Fiat line of automobiles and even looks to make an appearance in the Ferrari California!” the report noted. “This means that while the cyber physical aspects of this paper are limited to a 2014 Jeep Cherokee, the Uconnect vulnerabilities and information is relevant to any vehicle that includes the system. Therefore the amount of vulnerable vehicles on the road increases dramatically.”

A place for government?

At the legislative briefing, security experts called for car companies to collaborate to better understand their vehicles’ vulnerabilities, and for independent researchers like IOActive to keep prodding systems as an external watchdog.

But whose responsibility is car security, ultimately? Are industry information-sharing groups enough?

“To be honest with you, that’s a very complicated question and I think the answer is unknown at this point,” said Matt Rahman, IOActive’s sales EVP. “From legislation to manufacturers to component makers to consumers, they all have a responsibility with this.”

While calling for a “strong approach” to car security, a staffer in Texas Democratic Rep. Sheila Jackson Lee’s office sang the praises of NIST’s “voluntary standards” and collaboration with industry.

“[NIST] will need the resources to address this holistic approach to securing the Internet of Things,” the staffer noted.

“I do think NIST is a great source for best practices,” agreed HP security strategist Stan Wisseman.

NIST is currently accepting public comments on its Draft Framework for Cyber-Physical Systems.

Wisseman also pointed to the IoT work being done by the Federal Trade Commission and Department of Transportation.

“DOT has spent a lot of time trying to solve this connected vehicle issue, and I wouldn’t be surprised if they continued to do research and continued to push that area,” Wisseman added. “Unfortunately I think the manufacturers are going on their own paths now, and it’s a market-driven thing.”

While all agreed that more work was needed to secure cars from Internet-enabled attack, neither the security experts nor the Hill staffers present made a strong push for hard regulation or legislation.

The staffer from Jackson Lee’s office, who asked not to be named, spoke to the danger of forcing rules on an evolving industry without plenty of stakeholder input.

“You throw off the innovation curve [with knee-jerk rules],” the staffer said. “There’s a reason we’re ahead of the rest of the world.”

The staffer added that agencies, industry and researchers all need to dedicate resources to security solutions. “Specifically looking at automobiles,” the staffer said, “this is going to need everything.”