The Automotive Information Sharing and Analysis Center has published an executive summary of their Automotive Cybersecurity Best Practices.
From the summary:
As vehicles become increasingly connected and autonomous, the security and integrity of automotive systems is a top priority for the automotive industry. The Proactive Safety Principles released in January 2016 demonstrate the automotive industry's commitment to collaboratively enhance the safety of the traveling public. The objective of the fourth Principle, "Enhance Automotive Cybersecurity," is to explore and employ ways to collectively address cyber threats that could present unreasonable safety or security risks. This includes the development of best practices to secure the motor vehicle ecosystem.
Unfortunately, the public executive overview is somewhat content-free and refers to NIST documents on security practices, but something is better than nothing. It's been six years since the publication of Experimental Security Analysis of a Modern Automobile and five years since Comprehensive Experimental Analyses of Automotive Attack Surfaces. In those research papers, compsci students splay open the control system of a car through standard security analysis techniques such as fuzzing. My favorite technique they used was to install custom software into the QNX-powered OnStar device, then use it to bridge between the body bus and the bus that handles the engines, brakes, steering, etc. Very clever indeed.
How does the community feel about the poorly secured two-ton (metric or imperial, you pick) rolling robot that the modern vehicle has become?
(Score: 2) by melikamp on Sunday July 24 2016, @04:19PM
Direct link to pdf, if you want to avoid javascript: http://www.automotiveisac.com/assets/img/executive-summary.pdf [automotiveisac.com]
I agree, this is exactly the case here. From the customer's point of view, being able to understand and control the software is absolutely necessary for any kind of security evaluation, let alone assurance, but free/libre software is simply not on the table. This is all about security of auto manufacturers from lawsuits, and nothing else. Any resulting safety of passengers, other drivers, and pedestrians is just a nifty side-effect they can keep pointing to, while they are trying to "sell" us a car with software which we cannot analyze, control, or modify.