Thinking About Cyber Security for your CAR

Published: March 11, 2015 at 07:08 PM EST
Updated: March 6, 2017 at 10:01 AM EST
— Added this article to IOT categories as well as some others.  Added links to RSS feeds at the bottom.

I have been involved in discussions lately on a discussion list regarding cyber security for cars.  This is becoming a significant problem, with numerous reports of researchers showing vulnerabilities of modern cars which can be attacked and sometimes crackers exploiting them.  The car manufacturers are apparently more concerned with function than security.  The information below is adapted from those discussions.

A recent Security Now podcast was on the topic of Vehicle Hacking. They interview the team that was on 60 Minutes who hacked the test car that Lesley Stahl was driving and disabled the brakes. The researchers are Lee Pike and Pat Hickey. The first part of the show has some other security-related news, some non-security-related news, and even some fluff. I don’t mind listening to it. However, if you want to jump to the meat and potatoes, the interview segment starts at 59:20.

The researchers are a bit cagey and vague, because they don’t want to attack specific manufacturers and they don’t want to give the bad guys any help. They say all manufacturers are equally bad. But, it’s interesting nevertheless.

You can access the show at:
Low bandwidth versions, show notes, and transcripts will be posted here later:
Here’s an article from the CBS site about the 60 minutes show including a short but scary video clip:

Here are my conclusions: Your car IS an Internet of Things device, and it’s heavy, mobile, fast, and potentially deadly. You might want to avoid cars with communications to the outside world, since it’s sometimes possible to call the car’s built-in cell phone number and hack into it. You might want to avoid cars with extensive automation. When this becomes prevalent in terms of model years is up for debate. As I’ve said in another thread, I avoided some 2011 and 2012 cars the last time I was shopping due to them having “electric” steering. One of the researchers said he was “somewhat optimistic” about security. That did NOT give me confidence.

(For this piece, I had expressed concerns about the lack of the auto makers’ response to growing evidence that there are potential problems.  Someone else asked what response would be appropriate, how fast should it be, how do you know if they responded, and who determines what response should occur.  These were my thoughts.)

I have a few thoughts. Those ARE hard questions. Here are some general ideas. I’m not an expert in legalities, politics, automation, automotive design, or security; just an interested consumer. Some of my answers create more questions.

First, every “thing” we mandate to be added to a car increases cost. Every law we add to an industry increases the complexity and risk to provide the products to us, which increases cost. I am not a fan of big and pervasive, sometimes onerous and intrusive government regulation. But, it seems self regulation isn’t working. I think we’d agree that door locks, air bags, anti lock brakes, traction control, stability control, seat belts, crumple zones, crash tests, and roll cages, etc. are a good idea. I think most if not all those are mandated now. It’s likely that we wouldn’t have them, except as expensive “options” if they weren’t mandated.

At the very least, manufacturers shouldn’t be negligent, whatever that is.

Let’s think about a kid’s tricycle for a moment. What does the manufacturer have to do not to be negligent? Unfortunately, the answers contain lots of ambiguity. I’m making this up; this is not a legal recitation.

* all the parts should fit together appropriately
* the parts should carry out their function
* they should be sturdy enough to withstand the expected usage, including a kid jumping up and down on them or tumbling the trike down a hill or whatever
* it should last a reasonable amount of time
* it should not have small parts kids might choke on
* it should not be toxic
* the interaction of the parts should not be prone to cut or pinch or bruise the kid

And so on. These are things that most buyers of trikes would expect them to do. If the handle bars, rear axle, or pedals break under reasonable use, that’s a problem. We know trikes are inherently unstable while cornering. Does that make the manufacturer negligent for not putting 10 training wheels on it? Probably not. People don’t expect it to have that and most people know the things are unstable. What if the rear axle has places for a kid to stand but there are no grippy rubber pads? I don’t know about that. If you’re going to encourage a kid to stand there by having a platform, maybe you need grippy rubber pads.

Are they negligent because the trike doesn’t have brakes? Probably not. People don’t expect them to have brakes. You brake by applying back pressure to the pedals or dragging your feet on the ground. But, what if there comes a time when most trikes DO have brakes? That may change things. If everyone expects trikes to have brakes, and may have even grown up riding one that did, and somebody sells a trike without brakes, then people might consider them negligent. So, what is appropriate and what is not appropriate is to some extent related to customers’ and juries’ expectations.

I don’t know where I read it, but we’d all be much safer if we rode around in an Abrams tank. But, most people don’t want to pay millions of dollars for their ride and use 5 gallons of fuel (or whatever) per mile. Engineering is always a trade-off of how to get the most value and safety for the least money. The question is, where do you make the trade-offs so you don’t have to pay millions for your ride and so most reasonable people wouldn’t think you’re negligent.

Here are some things to think about. Hopefully, you have customers and juries made up of average but intelligent and sincere people. What do they expect? What should they expect? In the legal world, you have to talk about reasonable doubt and preponderance of evidence. Is there a reasonable doubt that XYZ Co. is negligent? Is there a preponderance of the evidence that they are?

Again, it partly gets back to expectations. Is making a certain small car that likely bursts into flames when it’s rear ended negligent? Yes. Is making a car without brakes negligent? Yes. Is making a car without dual redundant brake systems negligent? Don’t know. Is making a car without air bags negligent? Yes. Because we have DEFINED a standard, and law, that says we consider that to be a mandatory part of a car.

Two other terms to consider are “best in class” and “industry standard”. Frequently, if you don’t do something that’s “industry standard”, you might be negligent. Sometimes, if you don’t do something that’s “best in class”, you might be negligent.

See the following web resources:

In terms of cars specifically, I think your 5 star framework is good. I think there are 4 key tiers of safety to consider: operational and crash safety, which they have a pretty good handle on, and safety from attack and sabotage, which is a whole new realm.

For the latter two, I think we should put EXTREME efforts into preventing attack remotely WITHOUT physical access to the car. Those systems related to this should employ best in class preventive measures. The dangers from remote attacks are potentially catastrophic. The ability to launch a remote attack from a distance and probably not get caught is a severe risk that makers should consider.

I think we should employ SUBSTANTIAL efforts into preventing attack WITH physical access to the car from the OUTSIDE. A car maker can never prevent a perpetrator from planting a bomb under a car. But, the maker can make the key systems of the car inaccessible from the outside and can make it very hard to get inside the car.

I think we should employ REASONABLE efforts into preventing attack WITH physical access to the car from the INSIDE. Theoretically, we’re very selective about who we let in our cars and who can connect to the OBD port, for example. But, some precautions should be taken to guard against dangerous or malicious things done from inside. Maybe it should be impossible to reprogram the ECU to violate certain laws or create hazardous operations. If I happen to plug a memory stick into the entertainment system, even if it has a virus on it, it should not be possible for that to infect critical parts of the car.
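The three tiers above amount to a segmentation policy: the remote link, the entertainment system and the OBD port each get only the paths they need toward the safety-critical parts of the car. As an added illustration (not from the original post, and not any manufacturer's design), here is a small model of a gateway ECU allow-list that enforces exactly that; the domain names, message kinds and policy table are assumptions.

```python
"""Model of a domain-gateway ECU policy: which in-vehicle networks may talk to which.
Constructed illustration; domain names, message kinds and the policy table are
assumptions, not any manufacturer's real bus layout."""
from dataclasses import dataclass
from enum import Enum

class Domain(Enum):
    TELEMATICS = "telematics"      # cellular/wifi link to the outside world (remote tier)
    INFOTAINMENT = "infotainment"  # radio, nav, USB, bluetooth (inside, low trust)
    OBD = "obd"                    # diagnostic port (inside, physical access)
    BODY = "body"                  # locks, windows, lights
    POWERTRAIN = "powertrain"      # engine, transmission
    CHASSIS = "chassis"            # brakes, steering, stability control

@dataclass(frozen=True)
class Frame:
    src: Domain
    dst: Domain
    kind: str  # "status", "command", "diag_read", "reprogram"

# Allow-list: (source, destination) -> message kinds the gateway forwards.
# Any pair missing from the table is dropped, so a new path must be added on purpose.
POLICY = {
    # Safety-critical domains may publish read-only status to the cabin.
    (Domain.POWERTRAIN, Domain.INFOTAINMENT): {"status"},
    (Domain.CHASSIS, Domain.INFOTAINMENT): {"status"},
    (Domain.BODY, Domain.INFOTAINMENT): {"status"},
    # The cabin may ask the body domain for convenience actions (unlock, lights), nothing more.
    (Domain.INFOTAINMENT, Domain.BODY): {"command"},
    # The OBD port may read any domain and reprogram powertrain/body; chassis stays read-only.
    (Domain.OBD, Domain.POWERTRAIN): {"diag_read", "reprogram"},
    (Domain.OBD, Domain.BODY): {"diag_read", "reprogram"},
    (Domain.OBD, Domain.CHASSIS): {"diag_read"},
    # The remote link may only receive status; there is no path from telematics inward at all.
    (Domain.INFOTAINMENT, Domain.TELEMATICS): {"status"},
}

def gateway_decision(frame: Frame, vehicle_moving: bool) -> tuple:
    """Return ("forward"|"drop", reason). Reprogramming is refused while moving
    regardless of source, the kind of hard floor the post argues for."""
    allowed = POLICY.get((frame.src, frame.dst), set())
    if frame.kind not in allowed:
        return ("drop", f"no policy for {frame.kind} {frame.src.value}->{frame.dst.value}")
    if frame.kind == "reprogram" and vehicle_moving:
        return ("drop", "reprogramming refused while vehicle is moving")
    return ("forward", "allowed by policy")
```

The useful property is that the default is drop: an infected entertainment unit or a frame arriving over the cellular link has no entry in the table for the brake or engine domains, so it never reaches them.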

By the way, I dread the day when I go to my car, try to crank it, and a display says, please wait while we update the firmware of 28 microcontrollers. Please plug a LAN cable into your front porch. We are currently updating the firmware in your door handle. Please do not attempt to exit the vehicle. This will take about 22 minutes. …

(This further addresses some relevant points.)

I just reread the main points of your 5 star framework doc.  It’s good.  Just a thought, you might wish to add an “information privacy” star.  Consider that the car may have access to and may store: everything in your phone via bluetooth, all your favorite locations via the nav system, your garage door access codes, all your driving habits, the times you go places, the people you talk to, when and if you text and to whom, even (potentially) how often you have passengers and how many and how heavy they are (from seatbelt and air bag seat sensor telemetry).  It might even know if you’re using a car seat for your kid or not.  Private information should not be shared, made available, or hackable, except where it may be subject to law or subpoena.

This can be a big issue with the evidence capture portion of your document.  Who’s entitled to obtain telemetry from your car, and when?  The car maker?  The cop on the street?  Your insurance company?  Your mechanic?  A crash investigator?  A court?  A reporter?  YOU?  What about live, on-the-fly telemetry and monitoring?  Can this data be transmitted out when you’re driving?  After all, new cars have a connection to the net.  And, even if it could be and should be, is it properly encrypted and secured?

Also, all the user-based data and history should be erasable by the user in order to sell or dispose of the car, and this process should be certifiable.  And, what do you have to keep for “evidence” before a crash?  After a crash?  What if the car is totaled or has a salvage title?  What if it’s stolen?  What data lives forever?  Not sure I like the idea of NTSB airline-style crash investigations for auto wrecks.

I just noticed that you do mention some stuff about privacy in your document.

In terms of updates, just like with computers, there’s an issue of how long you can get the updates.  How many updates are the manufacturers on the hook for and how many years?  How much tech support are they going to provide?  What if users are non technical, or don’t have internet, or phone?  My car should NEVER just stop working, even if it cannot get its updates.

It’s a brave new world.

Then there’s the whole other thing of people being snooped on with the onboard help system, etc.

Finally, some things should have manual overrides.  For example, making this up, but, if the user is pressing hard enough on the brake pedal, then the brakes should apply … period.  Based on the unintended acceleration issues with prior name-brand cars, I told my wife to remember, if she ever HAS to shut down the car as a last resort, press and hold the magic Start button.  Hopefully, that would work.

Also, the user should be able to disable all outside wireless contact to the world if he wants.

You may keep up with updates to this article via the RSS feeds for the IOT category or the security category or any other category which is listed at the bottom of the article.