Experts propose a rating system for cars' cyber security

Nick Percoco and Josh Corman of the security advocacy group I Am The Cavalry discuss their car computer safety proposal at Defcon 22. Seth Rosenblatt/CNET

LAS VEGAS -- Cars are often rated on things like performance, comfort, value, and safety. But what about computer security? As cars become more computerized, should there be a rating system to let consumers know how safe vehicles are from hacking?

That's exactly what security advocacy group I Am The Cavalry proposed at the annual Defcon hacker convention. Founded by longtime security researchers, the group aims to get hardware manufacturers and policy makers to take computer security seriously.

The Five Star Automotive Cyber Safety Program proposal offers a five-point checklist of computer technology best practices for automakers to implement. The checklist addresses issue like software design and development, third-party collaborators, and security updates.

I Am The Cavalry unveiled the proposal in an open letter to security researchers and car manufacturers on Friday, along with a petition to help raise public awareness and support for the measure. It's an important first step towards a collaborative future between security experts and automakers.

Cavalry co-founder Josh Corman said here that the proposal is a concerted effort to preempt disaster -- specifically the idea that hackers could gain control of vehicles and cause deadly accidents.

"As we have unfortunate events unfold, we will be better prepared to have the conversation" over Internet-connected car security as well as the security and safety of all devices being given Internet connectivity, Corman said.

One automaker already has achieved one of the five stars, he said. "Tesla gets a star for its coordinated disclosure policy," said Corman, a former director of security intelligence at Akamai and current chief technology officer at security firm Sonatype.

It's still the early days of car computer vulnerability research, but the hacks have moved beyond proof-of-concept. Last year, researchers at Defcon demonstrated taking control of a moving car's steering wheel and brakes. In July, a Chinese hacking team announced that they had hacked a Tesla Model S, but never delivered on promised follow-up details.

The Five Star Automotive Cyber Safety Program's five points -- Safety by Design; Third Part Collaboration; Evidence Capture; Security Updates; and Segmentation and Isolation -- are more than just a call to action. Cavalry explained why each one is important and what kinds of hacking problems each point could address.

Safety by Design requires car makers to inform the public of how security has been considered in the development of their in-car software design, including use of security industry standards, supply chain rigor, and adversarial testing -- the car computer version of car crash tests.

Third-Party Collaboration asks carmakers to have a Coordinated Disclosure policy that encourages independent security researchers to work with car companies to help discover and address flaws, similar to how many security researchers work with software manufacturers.

Evidence Capture would require cars to have airplane-style "black boxes" that can log forensic evidence for safety investigations but are also respectful of privacy concerns.

Security Updates, the fourth point, mandates timely, standards-based security updates for on-board computer software and firmware. The difficulty in delivering security updates for Internet-connected devices and vehicles is a major problem highlighted most recently by the Heartbleed debacle -- a security vulnerability that left user's sensitive personal data at risk across the Web.

The last point, Segmentation and Isolation, asks car companies to implement segmentation and isolation of computerized components. For example, if a hacker gains access to your car's entertainment system, they can't also hack your brakes or gas pedal.

Corman and Cavalry co-founder Nick Percoco said that the five points can be applied to other devices that are beginning to be built with Internet connectivity. They said their work is earning attention as they focus on four industries: medical appliances, car and truck makers, connected home and consumer electronics, and public infrastructure systems.

"We've spoken with real estate investors concerned about hacked elevators and HVAC [heating, ventilation, and air conditioning] systems," Percoco said. Corman added that the group has met with members of Congress and their staffers 71 times so far this year.

However, Corman acknowledged that the advocacy group faces an uphill battle. Not only do they have to convince manufacturers and politicians of their goals, they have to change hacker culture as well.

"Cyber's a bad word at Defcon, but it's how they talk on [Capitol] Hill," he said, explaining why a group with Cavalry's security bona fides would use a term derided as cliche by most hackers.

"We have to develop soft skills like empathy," he said. "We have to be more human."

This article originally appeared on CNET as "Want a safe car? Check its cyber safety rating."

  • Seth Rosenblatt On Twitter» On Facebook»

    Seth Rosenblatt is a senior editor at CNET, and has written about nearly every category of software and app available. At CNET since 2006, he currently focuses on browsers, security, and operating systems, with occasional forays into tech and pop culture.

Comments