Following the news that the two researchers who hacked the Jeep Cherokee last year during BlackHat have now hacked it again with a similar attack, Paul Farringdon, senior solution architect at application security specialist Veracode, commented below.
Paul Farringdon, Senior Solution Architect at Veracode:
“With security researchers Charlie Miller and Chris Valasek’s latest connected car hack enabling them to apply a car’s brakes or spin the steering wheel remotely, the security of connected vehicles has once again been called into question. This time the researchers were able to access the car’s computer using a cell phone that links to Chrysler’s Uconnect system. This is a variant on what the researchers achieved in 2015; this time they were able to hack the car from the comfort of their own home, whilst the vehicle drove down the highway. Fundamentally, manufacturers are not adequately performing Vulnerability Assessments and Threat Modelling on the systems they design. In this case, the researchers were able to access the ‘CAN bus’ of the car – which sends commands to perform vital vehicle functions such as steering, acceleration and braking. For a part of the car’s software to be vulnerable is one thing, but for the designers to not build in tamper protection or to ensure that the entertainment system is unable to take over the car is an unfortunate oversight. Automated Code Scanning and Threat Modelling are key elements of secure software development. The industry must take these disciplines more seriously, to avoid the unthinkable.
Findings from a recent IDC report indicated that there could be a lag of up to three years before car security systems are protected from hackers, with vulnerable software posing a significant challenge to the automotive industry. With over 200 million lines of code in today’s connected car, not to mention smartphone apps linked to the car, the security industry must ensure that connected vehicles are developed with security at the heart of the strategy, rather than as an afterthought.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.