Automotive Cyber Security Is Finally Progressing

When I first joined Guidehouse Insights as an analyst in August 2014, the very first entry I wrote for this blog came on the heels of the annual Black Hat and DEF CON security conferences in Las Vegas. Up to that time, automakers had been conspicuously quiet on the subject of security. Fortunately, in the past 18 months the industry has awoken to the very real problem of automotive cyber security and is taking steps to ensure that increasingly connected and automated vehicles will remain safe.

Over the past several years, security researchers have demonstrated a series of increasingly sophisticated hacks of vehicles. Back in 2010, we were seeing hackers connect to vehicle internal networks by way of wireless tire pressure sensors or from a back seat via a thick bundle of wires connected to a diagnostic port. In the first half of 2015, we saw cars from two different automakers remotely controlled after researchers were able to wirelessly connect to the telematics modules from a safe distance and take control of the brakes, acceleration, and steering.

White Hat Help

In that first blog I wrote, I called on automakers to embrace white hat hackers and security researchers who were trying to invade automotive electronic systems. Today, both Tesla and General Motors (GM) have official responsible disclosure programs where researchers can submit any vulnerabilities they discover. The automakers review those submissions and work to remediate the flaws to help keep customers safe. Tesla launched its program in mid-2015; GM followed suit in January 2016.

Unlike Tesla (and many technology companies including Google, Facebook, and Microsoft), GM is not currently offering any rewards in its program—though it has not ruled out doing so in the future. The GM program is administered through an online portal run by a San Francisco startup called HackerOne. HackerOne provides the disclosure portal free of charge and makes money by taking a percentage of any rewards paid out for verified vulnerabilities.

Industry Response

Another important step forward for the industry was the establishment of the Automotive Information Sharing and Analysis Center (Auto-ISAC). ISACs are now increasingly common in a wide range of industry verticals including utilities, healthcare, financial services, and more. The Auto-ISAC currently includes most major automakers from North America, Europe, Japan, and South Korea; its goal is to provide a platform to share information about cyber security threats and vulnerabilities that put both the general population and auto-industry at risk. The Auto-ISAC began operations in late 2015 and is likely to become a very important tool in the effort to prevent malicious attacks on the transportation ecosystem.

The mobility business is changing. Guidehouse Insights’ Autonomous Vehicles report projects that there will be almost 85 million autonomous-capable vehicles on the world’s roads in the next 20 years and far more vehicles that will have some level of connectivity. Road safety is already a difficult issue to tackle without the problem of malicious attackers intruding from a distance. Fortunately, the industry is now tackling the issue head-on on numerous fronts via improved system architecture, more robust software development processes, and collaboration with anyone willing to step up and help.