A Wakeup Call for the Connected Car Industry
By Ariella Brown | Posted 2015-09-21
In the rush to embrace the connected car, auto manufacturers failed on due diligence. At this point, they had better do whatever they can to put things right.
It's the stuff of nightmares. You're driving a car but can't control it. You try to brake, but it refuses to stop. That's the scenario that Andy Greenberg vividly described in his article, "Hackers Remotely Kill a Jeep on the Highway—With Me in It."
The article went viral and finally drew the public's attention to what the pair of researchers behind it—Dr. Charlie Miller from Twitter security and Chris Valasek, director of Vehicle Security Research—have been trying to get across for years. They just published "Remote Exploitation of an Unaltered Passenger Vehicle," which is more than a how-to for hacking cars. It relates the history of their battle with the car industry to get it to concede that these vulnerabilities exist and should be addressed.
The very public Jeep demonstration forced a recall of the 1.4 million cars that came equipped with the Harman infotainment system that allowed entry to hackers. Yet the manufacturer remains in denial about the possibility that any of its other systems may also need beefed-up security.
The official statement issued by Dinesh Paliwal, the company's CEO, is "We believe—based on our assessment with all other customers we supply our system to—that the Chrysler system is the only one exposed to this particular experimental hack. So it's a unique situation."
That's the "we will assume everything is safe until proven otherwise" approach. It's the business equivalent of saying we'll just assume the weather will continue to be sunny until we feel the rain, so why get an umbrella now?
That's not a smart—or safe—business plan.
It's not a matter of identifying a single infotainment system as the culprit; it's about being proactive in finding any possible points of vulnerability and securing them before putting them in cars and selling them. Waiting until a flaw comes to the public's attention, when researchers have already warned you about the risk, opens up a new risk for companies: a class action suit on the basis of fraud.
The suit against Chrysler and Harman points out that Miller and Valasek had alerted the companies to the vulnerability ahead of time, so they knowingly passed on a potentially dangerous product to customers. The danger is not "unique" (as Harman put it) to Chrysler or even to infotainment systems.
Another publicized car hack hit the news last month. University of California computer security professor Stefan Savage's research team demonstrated a successful hack of a Corvette through SMS messages. You can see it at work in this brief video.
Even before the Corvette hack hit the news, back in July, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced legislation under the somewhat cumbersome title "Security and Privacy in Your Car Act of 2015" or the more catchy "SPY Car Act of 2015" to offer some transparency and protection for people who drive connected cars. Making the case for the law, Senator Blumenthal pointed out that "Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers."
Indeed, they have. In the rush to embrace the connected car as an inducement to people to trade up to the very latest technology on the road, carmakers failed on due diligence. At this point, they had better do whatever they can to put things right.
It's time for the auto industry to wake up. Otherwise, the hacking possibility will prove a nightmare not only for drivers but for the carmakers as well.