Craig Young, Cybersecurity Researcher at Tripwire:
“At first glance, it would appear that the details provided by the researchers conflict somewhat with the information released by Tesla. While the researchers indicated that they could compromise a car from 20km, Tesla has reported that the car must be connected to a malicious Wi-Fi and the standard range for this is at most 300m. This could indicate that the attackers found a way to gain persistence on the car after it has disconnected, but then the 20km range seems oddly short. Instead I suspect that the attack may have actually been possible by another user on the same cell tower or with a cell site simulator. In this case, I hope that the researchers do release further details to help understand the automotive attack surface better.
The disclosure definitely is a cause for alarm as the attack definitely involved exploitation of a web browser leading to physical control over the car. Ideally these systems should be completely isolated from one another.”
“Tesla will continue to invest and work very hard in making their cars as secure as possible. When it comes to software there is always the possibility of it being compromised, no matter how good you think your code is. The key differentiator here is how quickly you listen, change and modify any confirmed flaws found through bug bounty type programs, get them rectified and then push these out to all affected. More and more cars are going to be connected. Unlike your desktop machine, if it becomes compromised it’s not just money that could go missing; these types of security incidents could in the worst case scenario cause harm or even loss of life.
Unfortunately, cyber security with regards to autonomous cars is a very real threat and one that should be treated with the utmost respect. Interconnected cars will be as common as getting your latest social networking fix wherever you are on the move these days, but it comes with a real danger. The potential is huge if something goes wrong at speed and even the simplest of things could cause the driver to become distracted and be the cause of a road traffic accident. When we drive we expect to be in total control of our own vehicle; mirrors or windows moving, braking or even sudden sounds internally could all be the cause of taking our eyes off the road for the shortest of times and that could prove fatal.
The problem is that delivering secure software is a constantly changing factor; what is considered secure today may not be secure tomorrow. The ability to modify and push our updates is very important; making sure the user is well aware of any updates and making it easy for them to be applied needs to be top of the list when it comes to protecting the users of these types of vehicles.
The biggest single thing that you as a driver can do to improve security is making sure you have applied all patches relating to security that are available for your vehicle. Even if you think it’s unrelated or does not affect you, it may be an avenue for attack. Keeping your car up to date is even more important than keeping your desktop computer updated, as is making sure you keep your details up to date to enable the manufacturer or supplier to contact you if any urgent modifications need to be done that cannot be pushed over-the-air.”
“These hacks demonstrate the serious problems around identity verification in today’s connected cars. Having very limited encryption, identity management and data protection within such a powerful computer is extremely dangerous and poses a real and serious threat to everyone using our roads today. Move forwards to the increasing trend for driverless cars, and the potential fallout from this lack of authentication becomes even more frightening.
For connected cars to become more secure, relationships must be established within each and every component within a vehicle, to ensure that only a legitimate operator can control the connected devices within a car. Given the huge number of components in connected cars, hackers usually find a pathway by following a ‘weakest link’ scenario which attacks the easiest point of entry to the vehicle. This problem is compounded by the array of parts that comprise a vehicle, and the lack of a security protocol that ensures they will all work together safely and securely.
The current security checks often fail because they rely on slow, centralised identity verification services. To connect the components more quickly and autonomously, manufacturers should deploy a distributed trust model which allows for fast pre-authorisation, and removes the roadblock of a centralised service.
All of this requires a serious system upgrade and a greater drive for security awareness among manufacturers as well as consumers who use connected cars.”
“Perhaps it goes without saying that the most dangerous part of the connected car is the “connected” part. Criminals, using a little lateral thinking, can use one part of the car’s anatomy to get to another. This could have dangerous consequences if hackers found their way into more critical functions, such as the brakes as researchers were able to do with the Tesla recently. The lack of subject matter expertise with mechanical and electrical engineers is leaving systems wide open to attack. While it’s unfair to expect them to shoulder this burden, it is also unfair to place the onus squarely on the consumer who is likely to know even less about security. This is something which vendors, regulators and manufacturers must carefully consider as the evolution of connected cars continues.
The prpl Foundation advocates three focus areas to make IoT more secure: using open source, forging a root of trust in hardware and security by separation. Interoperable open standards are the key requirement if we’re to improve IoT security – they will reduce that complexity by effectively outsourcing the trickiest work to the subject matter experts.”