SoylentNews is people

posted by cmn32480 on Sunday July 24 2016, @01:46PM
from the not-just-locking-the-doors-anymore dept.

The Automotive Information Sharing and Analysis Center has published an executive summary of their Automotive Cybersecurity Best Practices.

From the summary:

As vehicles become increasingly connected and autonomous, the security and integrity of automotive systems is a top priority for the automotive industry. The Proactive Safety Principles released in January 2016 demonstrate the automotive industry's commitment to collaboratively enhance the safety of the traveling public. The objective of the fourth Principle, "Enhance Automotive Cybersecurity," is to explore and employ ways to collectively address cyber threats that could present unreasonable safety or security risks. This includes the development of best practices to secure the motor vehicle ecosystem.

Unfortunately, the public executive overview is somewhat content-free and refers to NIST documents on security practices, but something is better than nothing. It's been six years since the publication of Experimental Security Analysis of a Modern Automobile and five years since Comprehensive Experimental Analyses of Automotive Attack Surfaces. In those research papers, compsci students splay open the control system of a car through standard security analysis techniques such as fuzzing. My favorite technique they used was to install custom software into the QNX-powered OnStar device, then use it to bridge between the body bus and the bus that handles the engines, brakes, steering, etc. Very clever indeed.

How does the community feel about the poorly secured two-ton (metric or imperial, you pick) rolling robot that the modern vehicle has become?


  • (Score: 3, Insightful) by bzipitidoo (4388) on Sunday July 24 2016, @02:51PM (#379419)

    Security has been marketed as safety for everyone against dangers to everyone.

    But it's been twisted. Sometimes security changed to security for vendors against their own customers. Microsoft did that with their campaign against piracy, a few times slipping anti-piracy and spying measures into their security updates. When caught, they tried to claim anti-piracy was in fact security for users. Incredibly, they used Mafia style reasoning. Yes, those "security" measures "protect" the customer from committing piracy! Be a real shame if you were investigated by the BSA and sued for copyright infringement. No one should blindly trust MS's security measures.

    So with cars, I can certainly see manufacturers being a little too interested in protecting themselves by putting their own customers at greater risk. Cars are all getting black boxes now? What happens if police are actually given access to data from all black boxes not just the ones involved in accidents? Police always want more information, and privacy be damned. Even if denied that, do they still get to go on fishing expeditions with black boxes that have been in accidents? Do these black boxes have any sort of protection against unauthorized access? Does the owner have the option to password protect the data that cars record, or just turn that feature off?

  • (Score: 2) by canopic jug (3949) on Sunday July 24 2016, @04:10PM (#379427)
    There is apparently no security inside current automobiles. Every single electronic or automotive device is part of a giant, interconnected, unmanageable mess that is the networked environment. It would be somewhat less catastrophic if it were in any way isolated from the outside world, but it is connected to the outside via any number of radios, media players, USB ports, and other things. It's not anything that can be modified, upgraded, patched, kludged, or otherwise fixed short of a complete redesign from the basics upward. The situation is so severe that there are few write-ups with an overview. USENIX 2016 had a short presentation by Stefan Savage from UC San Diego [youtube.com] covering it though, if you can sit through it. It's getting harder to avoid the electronic cars as the old ones are less and less available on the used market.
    --
    Money is not free speech. Elections should not be auctions.
  • (Score: 2) by melikamp (1886) on Sunday July 24 2016, @04:19PM (#379429)

    Direct link to pdf, if you want to avoid javascript: http://www.automotiveisac.com/assets/img/executive-summary.pdf [automotiveisac.com]

    Security has been marketed as safety for everyone against dangers to everyone. But it's been twisted. Sometimes security changed to security for vendors against their own customers.

    I agree, this is exactly the case here. From the customer's point of view, being able to understand and control the software is absolutely necessary for any kind of security evaluation, let alone assurance, but free/libre software is simply not on the table. This is all about security of auto manufacturers from lawsuits, and nothing else. Any resulting safety of passengers, other drivers, and pedestrians is just a nifty side-effect they can keep pointing to, while they are trying to "sell" us a car with software which we cannot analyze, control, or modify.