The National Highway Traffic Safety Administration (NHTSA) held a forum yesterday to discuss cyber security and cars. The conclusion of the author of the article on the subject is that cars will never be secure.
I don’t know if I am THAT pessimistic, but it is certainly a difficult problem because of conflicting requirements that cannot be easily satisfied at the same time.
That being said, at least people are starting to talk about it publicly, formally and seriously. As in other twelve-step programs, admitting that you have a problem is a critical first step. Unfortunately, I think that the automakers are only at step one of their twelve-step program.
The article summarizes the day in 7 points:
- Serviceability – the right that a car owner or third party mechanic has to fix your car makes securing it much harder. If you could just snap closed a padlock over it, that would make securing it a lot easier.
- Software updates are a fact of life. In a high end car with millions of lines of code, the likelihood of zero errors is, well, zero. If the car company can send you a flash drive to patch your car like Dodge recently did with its trucks, what is to stop a hacker from doing the same thing and owning your car?
- Should software updates be mandatory or optional? The consensus of the group, apparently, was that not applying updates should void your warranty. Of course, that addresses cars in their first two or three years of life (I own 3 cars, none of which are under any warranty) but ignores the majority of the cars on the road. And it doesn’t address the security of the update process.
- Auto makers need to support the security research community. In 2015 there were several very public examples of researchers working with automakers, but my guess is that we only saw the tip of the iceberg. We need to do a lot more work in this area.
- The OBD-II port is a gaping security hole. Enough said. Gaping hole is polite. This HAS to be fixed and soon.
- Car makers are conflicted over spending money on securing your car because there is no “car security certification” that would get them off the legal hook, and security is not like tailfins or power windows – you can’t charge extra for it. It is a war that carmakers can’t win and can’t even charge for fighting.
- Car makers don’t really comprehend the scope of the problem. I liken this to PC security about 15 years ago – that is the level of appreciation of the problem. Car makers figure that automobile cyber security hasn’t affected sales yet, but they do understand the potential for that and also the potential for Washington to “help them” run their business. Still they are grappling with what and how much to do.
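To make the update-process point above concrete: the gap between a manufacturer shipping a flash-drive patch and a third party shipping a counterfeit one is closed only if the car checks the package before flashing it. The following is an added illustration written for this post, not code from NHTSA, the forum, or any automaker; the manifest layout, the function names and the sample image are hypothetical, and the car is assumed to hold only the manufacturer's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Manifest is the signed header of a hypothetical update package: Version
// drives anti-rollback, ImageHash binds the manifest to the image body.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// bytes is the canonical encoding that gets signed and verified.
func (m Manifest) bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.ImageHash[:])
	return b
}

var (
	ErrBadSignature  = errors.New("manifest not signed by the manufacturer key")
	ErrRollback      = errors.New("update is not newer than the installed version")
	ErrImageMismatch = errors.New("image body does not match manifest hash")
)

// SignManifest models the manufacturer's release tooling (offline, holding the private key).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the in-vehicle check a flash-drive package must pass before
// anything is flashed: signature, then anti-rollback, then image hash. Only
// the public key is in the car, so a third party cannot forge a passing package.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	return nil
}
```

The order matters: the signature is checked before anything else is trusted, so a tampered version field or hash never influences a decision.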
Given my assertion that automakers are today where PC software makers were 10 or 15 years ago, combined with the fact that each year there is more software in every new car, we should expect to see more demonstrations like the one that rolled out in real time on national prime-time TV (60 Minutes) last year.
May we live in interesting times. We do.
Information for this post came from SemiWiki.