US Carmakers Want Hackers To Help Them Improve Cybesecurity

Uploaded on 2016-07-26 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Transport & Travel

Today's automobile is rapidly becoming a computer on wheels, with more micro-processing power than can be found in a typical home or office. 

It's not uncommon for a modern vehicle to use more than 100 million lines of code to control everything from the engine management system to the onboard infotainment technology. By comparison, there are about 8 million lines of code on the latest F-35 fighter jet.

Until recently, hackers tended to focus on desktop and laptop computers and, more recently, smartphones and tablets. But there are growing indications the "black hat" world of what's known as the "dark internet" is shifting attention to automotive targets.

When police in Houston, Texas, recently began reporting a series of unexplained robberies, the only apparent clue was a security camera video showing one of the thieves pulling out a laptop computer after breaking into the vehicle. After tapping on the keys for a few moments, the Jeep Wrangler's engine fired up and the thieves drove away.

There has long been fear that someone might find a high-tech way to break into vehicles. And just a year earlier, a pair of so-called "white hat" hackers had shown how they could remotely take control of a Jeep, demonstrating that by driving it into a ditch.

Hacking has become one of the auto industry's biggest concerns, especially as modern cars add more and electronic controls and infotainment systems. With a major cybersecurity conference scheduled for this coming week in Detroit, Jeep parent Fiat Chrysler Automobiles has taken one step to fight back, announcing a "bug bounty" for hackers who can find and help it patch vulnerabilities in its vehicles' software.

"The idea is to go out to the hacker community itself and ask for help," explained Casey Ellis, CEO and founder of Bugcrowd, a San Francisco-based collective that can draw on their knowledge and efforts of an estimated 32,000 hackers around the world. "Crowdsourcing is very effective when applied to this sort of problem."

It's not uncommon for a modern vehicle to use more than 100 million lines of code. By comparison, there are about 8 million lines of code on the latest F-35 fighter jet.

So far, most of the reported incidents have been the result of security experts uncovering vehicle vulnerabilities. That has led to recalls by a number of manufacturers including FCA and BMW, with Nissan shutting down a smartphone app used to control the Leaf battery-car because of potential problems.

The issue of cybersecurity "is real, critical, and here to stay," warned Ellis, whose firm tries to harness hacker skills for good - but who admits one of the challenges is not opening the door for "black hat" hackers to find new ways to crack into vehicle software code.

The concern in Houston is that thieves might have found a way to pair their own electronic car keys with the digital engine control systems in the vehicles they target.

And the situation is only getting worse, said Saar Dickman, an executive with Harman International, the multinational electronics firm and CEO of TowerSec, the Israeli firm he founded that is considered a leader in vehicle electronic security. 

He and other experts point to a number of potential concerns:

Hackers could take control of a vehicle remotely, shutting the vehicle down or causing steering or brakes to fail

That would become even more of a risk as automakers launch the first self-driving vehicles

That might even allow hackers to kidnap or kill motorists by programming in their own destinations

Personal data could become vulnerable, as has happened with smartphones, laptops and desktops.

In years past, hackers would have had to gain physical access to a vehicle, as seems to have been the case in Texas. But modern vehicles are adding a variety of wireless communications systems, such as onboard 4G LTE WiFi hot spots. Even the wireless tire pressure monitoring systems, or TPMS, required on all new vehicles, could give hackers a path into the vehicle, experts warn.

"You're providing more services and more access," said Dickman. "You want to embrace innovation, but you have to understand the risks that come with it."

Anti-viral software and other security systems have become the norm, whether on a cellphone or a corporate computer network, but vehicles provide some peculiar challenges, both BugCrowd's Ellis and TowerSec's Dickman agree. Not only are there a variety of "mission critical" devices and numerous access points, but it's a challenge to set up anti-hacking systems that can be constantly updated to block newly discovered threats.

Tesla has built into its battery-electric vehicles a system that allows it to use over-the-air, or OTA, updates, and that is likely to become the norm, rather than the exception in years to come. OTA also allows automakers to correct defective software code without issuing recalls forcing customer to drive into showroom service bays.

Even over-the-air updates might not be enough, however. TowerSec and other cybersecurity firms are working on new approaches, unique to automobiles, that would automatically lock out suspect software and revert to the original, factory code, if something unusual begins to happen.

One way or the other, automakers say they will have to address the issue - and quickly. The more high-tech equipment they build into the vehicles, the bigger the risk of being hacked.

NBC

« Snowden iPhone Case Alerts Users To Surveillance
Ransomware: Should You Pay The Ransom? »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

International Conference on Information Systems Security & Privacy (ICISSP)

International Conference on Information Systems Security & Privacy (ICISSP)

The ICISSP event is a meeting point for researchers and practitioners to address security and privacy challenges concerning information systems.

OSSEC

OSSEC

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS).

6cure

6cure

The 6cure Threat Protection solution eliminates malicious traffic to critical services in real time and protects against DDoS attacks.

Efecte

Efecte

Efecte is a Nordic SaaS company specialized in IT Service Management, Self-Service, Identity Management and Access Governance solutions.

Phew

Phew

Phew are New Zealand cyber security specialists with expertise and experience forged in global financial markets, IT&T, management consulting and SME business management.

VS Security Products

VS Security Products

VS Security Products design, manufacture and sell the most extensive range of degaussers and data destroyers on the market, suitable for all types of magnetic media.

Envelop Risk

Envelop Risk

Envelop Risk is a global specialty cyber insurance firm, combining decades of insurance industry expertise with sophisticated cyber and artificial intelligence-based analytics.

Berezha Security Group (BSG)

Berezha Security Group (BSG)

BSG is a cybersecurity consulting firm specializing in all aspects of application security and penetration testing.

Trusted Security Solutions (TSS)

Trusted Security Solutions (TSS)

TSS are specialist in IT Security and providing Cybersecurity Solutions & Services combined with storage and backup.

Fibernet

Fibernet

Fibernet's innovative solutions in the fields of cybersecurity and fiber optics range from telecommunications infrastructure to small business cybersecurity.

Utimaco

Utimaco

UTIMACO develops on-premises and cloud-based hardware security modules, solutions for key management, data protection and identity management as well as data intelligence solutions.

Laneden

Laneden

Laneden specialise in helping organisations identify security concerns and quantify the risks you may have across your assets, using Penetration Testing, Threat Simulation and Compliance Testing.

Halcyon

Halcyon

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks.

Avatar Managed Services

Avatar Managed Services

Avatar offers proven, process driven IT support to companies who want to utilize their technology to their best advantage.

Net Essence

Net Essence

Net Essence is a Managed IT Services Provider. We deliver effective, reliable and fit-for-purpose IT solutions for SMEs based in the UK.

Etalon Cyber

Etalon Cyber

Etalon Cyber provides a range of advanced features to ensure the highest level of security for your website.