ANN ARBOR – In July 2015, a pair of hackers commandeered a Jeep Cherokee through its Uconnect entertainment system to attack the vehicle’s brakes, engine and navigation system. Fiat Chrysler responded by patching the vulnerability and then issuing a recall for 1.4 million vehicles. Fast forward to July 2016: Fiat Chrysler announced it would pay “bounties” of up to $1,500 to security researchers who alert the company to hackable flaws in its software.
In so doing, Fiat Chrysler became the first of Detroit’s Big Three automakers to work directly with security researchers in an attempt to make vehicles safer from cyber intrusion. Tesla actually pioneered the security-flaw bounty program a year ago and pays upwards of $10,000 to hackers who find vulnerabilities.
This collaboration with the cybersecurity industry expanded on July 22 when the inaugural Automotive Cybersecurity Summit was held in Detroit.
Conference host Thomas K. Billington, chairman and founder of Billington CyberSecurity, said: “With an expected 75 percent of new cars equipped with online capabilities by 2020, this summit comes at a crucial time. We are honored to help advance this important dialogue between senior government and industry automotive leaders.”
Building a safety infrastructure
For years, a group of eight automakers has been working to develop a system to manage cyber risks. The system is a form of public key infrastructure that encrypts and authenticates data and is used extensively by online shopping sites and banks.
The system would allow two vehicles that have no existing relationship to securely exchange data, says Dan Lohrmann, chief security officer and chief strategist for Security Mentor of Garden Grove, Calif.
“All new cars are actually just computers on wheels, and the automakers know that the future is all about technology, innovation and cybersecurity,” Lohrmann says. “The potential ramifications of hacks and data breaches are just too important to not take notice.”
Rick Beckers, CEO of CloudTech1, a Farmington Hills, Mich., managed services company, agrees.
“The telematics of a car that gives it communications capability — whether information, entertainment or autonomous capabilities — are nothing more than a mixture of computer networks,” says Beckers. “As such, the communications between whatever entity it is — OnStar, Sirius or something else — all need to be encrypted. Those vehicles also need an embedded firewall to control what traffic goes in and out.”
Beckers also recommends automakers take a cue from the cybersecurity technology used in business and install intrusion detection.
“Sniffing the network and finding anomalies before they become issues is what is needed in vehicles,” Beckers says. “You find instances where something is out of the ordinary, then use technology to go in and suppress it.”
A long way to go
Is the auto industry finally taking cybersecurity more seriously after stuffing cars and trucks full of connected communications, entertainment and navigation equipment for a decade? No question about it, Beckers says, particularly with the drive toward autonomous vehicles. But a couple of recent accidents involving semi-autonomous Teslas demonstrate there’s still a long way to go before cars drive us home.
“The automobile and the potential for autonomous operations dictate that technology has to be flawless,” Beckers says. “It has to be addressed at such a high level of confidence that consumers will buy and use these products. To trust the artificial intelligence we build into vehicles to perform 100 percent of the time, for now, remains unrealistic.”
Nick Lumsden, vice president of technology and product safety for Online Tech, headquartered in Ann Arbor, Mich., believes it is unrealistic to expect the auto industry to have connected technology perform perfectly so quickly. Typically it takes two to three generations of evolution to flesh out all the flaws. But awareness is the first step, says Lumsden. Knowing what has been tested and certified secure, and what has not, is critical for automakers.
“New threats will always emerge, but the basics need to be covered,” Lumsden says. He recommends using basic principles of security such as changing default usernames and passwords.
This article, written by MITechNews.Com Editor Mike Brennan, appeared in the September 17 issue of Venture Michigan magazine. To view more cybersecurity articles, click on http://www.venturemichiganmag.com/focus/2016/9/17/cyberworld-dangers