News broke earlier this week that some Mazda cars can be easily hack into, by using a USB flash drive plugged into the dashboard to exploit a series of bugs, which have been known about for a number of years. Art Dahnert, Managing Consultant at Synopsys commented below.
Art Dahnert, Managing Consultant at Synopsys:
“This kind of story is indicative of the nature of Hot Rodding or in this case Hacking. They are so very similar. Basic curiosity turns into focused reality, where the “hot rodder” or “attacker” is now able to use the vehicle’s technology in a way that it wasn’t designed to be used.
The Mazda car isn’t alone in this scenario either. Most of the major automotive brands have a following that have tapped into the various computer systems on the vehicle to add new features or turn off existing ones. In the computer age, this really started when “hot rodders” were adding chips to the computers to make more horse power. Unfortunately, today, because there are so many more computer controlled features and the vehicles are connected to the internet we have a Perfect Storm of Vulnerability. And to make matters worse this can make family commuter car a dangerous weapon in the hands of a skilled attacker. Although it is more like to get the car stolen, then crashed.
In this case, the early efforts of the enthusiast community used the vulnerabilities in the Mazda software to make the cars more enjoyable, however as with any technology it can be used for nefarious purposes. And this is a fine line that the automotive community has to manage, because car buyers still have the right to modify their vehicles including the software in the computers that make it run. Preventing the loyal customer base from customizing their car will not win over new buyers and will most likely lose existing ones. However, it is extremely important that the car is safe and will not injure the driver or occupants, so making sure that software running the various computer modules is secure should be priority one.
The automotive Software Development Life Cycle needs to include a security methodology or process that ensures that there aren’t egregious design flaws that allow an attacker to take over various part of the car. This is something that Synopsys has great experience with. Making sure that Threat Models and Penetration tests are performed with various levels of rigor and that the results feed back into the design and development process, help to ensure that security requirements are applied before the implementation of the software and that they are tested before the software is installed into the car.
Keep in mind there will always be “hot rodders”, and the best way the automotive industry can make the cars safer and secure, is to work with them and not against them. In the past, the car manufacturers used to work with various racing bodies to make cars go faster and get feedback on how to make the cars safer. The same thing can be done with today’s modern, ‘hacker.'”.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.