BreachExchange mailing list archives

Senator Wants Cybersecurity Answers from Automakers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Dec 2013 23:46:44 -0700

http://smallbusiness.yahoo.com/advisor/senator-wants-cybersecurity-answers-automakers-210307861.html

A U.S. senator has asked 20 automobile manufacturers how each plans to
stave off wireless hacking attempts on vehicle computer systems, as well as
prevent violations of driver privacy.

"I write to request information regarding your company's protections
against the threat of cyberattacks or unwarranted invasions of privacy
related to the integration of wireless, navigation and other technologies
into and with automobiles," wrote Sen. Ed Markey, D-Mass., in a letter to
Daniel Akerson, CEO of General Motors, on Monday (Dec. 2).

Markey's questions imply that he wants carmakers to apply computer-industry
security processes, including implementation of anti-virus software,
incident logging, incident-response planning, software vulnerability
patching and third-party penetration testing — the last of which would
stage real hacker attacks on mass-production vehicles.

"Today's cars and light trucks contain more than 50 separate electronic
control units (ECUs), connected through a controller area network (CAN) or
other network," Markey said. "Vehicle functionality, safety and privacy all
depend on the functions of these small computers, as well as their ability
to communicate with one another."

Identical letters were also sent to the heads of the North American
divisions of Aston Martin, Audi, BMW, Chrysler, Ford, Honda, Hyundai,
Jaguar Land Rover, Lamborghini, Mazda, Mercedes Benz, Mitsubishi, Nissan,
Porsche, Subaru, Tesla, Toyota, Volkswagen and Volvo. (Audi, Lamborghini,
Porsche and Volkswagen share ownership.)

Car hacking isn't just in the movies

Markey, one of the half-dozen lawmakers on Capitol Hill who have
demonstrated a clear understanding of computer technology, cited research
done earlier this year by two Pentagon-funded "white hat" hackers.

"In a recent study that was funded by the Defense Advanced Research
Projects Agency (DARPA)," Markey wrote, "Charlie Miller and Chris Valasek
demonstrated their ability to directly connect to a vehicle's computer
systems, send commands to different ECUs through the CAN and thereby
control the engine, brakes, steering and other critical vehicle components."

Miller, whose day job is at Twitter, and Valasek, who works for Seattle
security firm IOActive, used the Pentagon's grant money to open up the
dashboards, and then take control, of a Toyota Prius and a Ford Escape.

Because the duo plugged laptops into the cars' wiring, the vulnerabilities
they found wouldn't be covered by Markey's requests for information, which
concern wireless access to vehicle computer systems.

However, because Ford and Toyota dismissed Miller and Valasek's research as
unrealistic and unlikely to take place in the real world, it made the
companies' responses fair game for Markey's questions.

"Both companies reportedly noted that the researchers directly, rather than
wirelessly, accessed the vehicles' computer systems," Markey wrote, "and
referred to the need to prevent remote hacking from a wireless device."

As Markey then noted, vehicle hacks have indeed accessed car systems
wirelessly. Other hacks have used methods that didn't require digging into
dashboards or getting under hoods.

In the past few years, white-hat hackers have started cars using text
messages, modified smartphone apps and specially crafted audio CDs. Real
criminals have used mechanics' diagnostic tools to steal luxury vehicles.

Tough questions for car makers

Markey's security-related questions ask each manufacturer:

— How many vehicles in its 2013 and 2014 production fleets have wireless
access.

— What kind of consumer-accessible vehicle computer systems are present,
including Wi-Fi, Bluetooth, smartphone integration, Web browsers, OnStar
and similar cellular systems, as well as vehicle-to-vehicle communications.

— Whether the vehicles have been subjected to third-party penetration tests.

— Whether any kind of dedicated security technology is in place.

— What kind of security breaches have already occurred.

— Whether the company has procedures to mitigate incidents and push out
software patches.

The senator also asked several privacy-related questions, including how
each company collects, stores and distributes information collected by
in-car systems relating to driver behavior and history, navigation,
location, speed and mileage.

Markey wants to know whether such information is shared with law
enforcement, debt-collection agencies or insurance providers, collected by
auto dealers or auto-rental companies or sold to third parties.

In a series of questions that affect both security and privacy, Markey asks
how many vehicles contain technology, such as General Motors' OnStar, which
could remotely shut down a vehicle, and whether customers were made aware
of such features.

The senator asks that each company respond to his questions by Jan. 3.

The Auto Alliance, an association of auto manufacturers whose 12 members
were all sent Markey letters, issued a pre-emptive statement that
"cybersecurity is among the industry's top priorities and the auto industry
is working continuously to enhance vehicle security features."

The two-page statement cited the reliability and advantages of in-car
computing, as well as cooperation in research and development with other
transportation industries, but did not answer Markey's questions.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/