Vehicle manufacturers are repeating one another's security mistakes, creating scores of vulnerabilities in the process.
Not very reassuringly, half of the vulnerabilities discovered by security researchers at IOActive could result in "complete or partial loss of control" of a vehicle.
IOActive’s study is based on real-world security assessments with the world’s leading vehicle manufacturers, covering three years’ worth of data and active vulnerabilities. An alarming 71 per cent of the vulns uncovered during the research could be exploited without much difficulty, or are almost certain to be exploited.
Design-level vulnerabilities are often unfixable because the vehicle is "insecure by design", so short of a product recall and major retrofit exercise, makers are stuck with them.
“Security is a relatively new concern for the automotive industry,” said Corey Thuen, a senior security consultant at the outfit. “These systems were designed without security in mind and security is much more difficult, if not impossible, to bolt on after the fact.”
“The Automotive industry has been making improvements in the awareness department. But, as we’ve seen in other industries, it can still be difficult to get appropriate spending in security as its ROI [return on investment] is difficult to gauge,” he added.
IOActive is at the forefront of vehicle vulnerability research. For example, former staffer Chris Valasek was one of two researchers behind the famous Jeep Cherokee hacking exercise last summer.
Thuen reckons the involvement of the insurance industry, rather than government regulation, will help drive improvements in vehicle security.
“Government regulations for safety actually help and hurt the cybersecurity aspects,” Thuen said. “Things like insecure access to the Controller Area Network Bus are mandated in the OBDII [on-board diagnostic] spec. Government regulation for safety is a primary defence against cyberattack in the Automotive and Industrial Control System sectors.”
He added: “Insurance companies are very good at assessing risk. If anyone can figure out what the value of 1,000 man hours of cybersecurity vulnerability testing is worth, it’s them. This will allow us to reframe the ROI of security from ‘invest in security or something bad might happen to you… but it might not’ to ‘invest in security to reduce your insurance premiums by $X per year’.”
IOActive’s yet-to-be-published paper explains the differences in testing methodologies, with recommendations on the most appropriate methods for testing connected vehicle systems. It also sets out detailed findings, including the impact, likelihood, overall risk, and remediation of vulnerabilities IOActive consultants have discovered over the course of thousands of testing hours. ®