(and don’t believe everything you read)
Each year, in the week prior to Black Hat USA, there is usually one security topic that seizes the media’s attention and floods the Internet with articles of apocalyptic doom. This year is no different. This year’s (lack of) security target is the automobile. Based on a couple of well publicized research hacks (Charlie Miller and Chris Valasek controlling cars’ brakes, steering wheel and seatbelt via a laptop, and Silvio Cesare unlocking a car remotely), some of the popular/business press have gone down the path of sensationalism. For example, CNN’s headline How hackers could slam on your car's brakes is technically accurate, but doesn’t capture the true essence of the research.
In order to take control of the vehicles, the researchers had to gain entry to the car, tear apart the dash, and then sit in the vehicle with a laptop in order to manipulate the car. The research was very effective in showing the interconnectivity of the different systems/buses/ECUs, but they weren’t trying to say that their techniques were in any way implementable today. The press also ignores the fact that a bad guy could cut brake wires in your car without going through all of this hacking effort.
But Researchers Highlight Security Concerns Over Interconnected Car Systems isn’t nearly a catchy enough headline to get clicks and comments.
The other area that isn’t addressed in most of these articles is that Automotive Manufacturers are aware that increased connectivity will lead to an increased Attack Surface which in turn opens up more possibilities for hacks. Many of them have been working on improving security for a while and most (if not all) of them are taking steps to mitigate these risks. We have seen an uptick in the number of automotive OEMs and Tier 1 suppliers who are seeking additional help on penetration testing, attack simulations, and Application Security training. I see this as an encouraging sign that the auto makers are moving along the AppSec Maturity curve and fixing vulnerabilities before they are exploited.
Invariably, one day a hacker will find a way to remotely hack into some car (however old it may be) and potentially cause catastrophic results. At that point, the alarmist articles may be justified, but let’s not “cry wolf” over research results today.