"By 2020 there will be no deaths from accidents in any of their cars," because of connectedness and smart automotive subsystems, or so claims a car manufacturer. Yet not a week goes by since BlackHat and DefCon in August without new revelations of previous car vulnerabilities, a new car hack, or new modifications to the previous big three hacks (Ownstar, Jeep, Tesla). Can we protect the squeamish public -- and avoid the perception of danger -- from rogue car hacks?
"If public car hacks continue, this life-saving technology won't be adopted," said Raj Samani, Intel's EMEA CTO, speaking of Intel's newly created Automotive Security Review Board (ASRB). Intel's ASRB has three founding members, all security research firms: IOActive, Open Garages, and I Am the Cavalry. More members, including manufacturers, are expected to be announced within the week.
The goal of the ASRB is to codify and design a framework, recommendations and best practices around automotive security. Chris Young, SVP, and general manager for Intel Security, summarized the reasons for creating the ASRB: "[Intel can]...encourage that cybersecurity is an essential ingredient in the design of every connected car. Few things are more personal than our safety while on the road..."
No longer sufficient to “lock the car,” Intel’s white paper shows 15 cyber attack surfaces in a typical connected car
Intel will provide the ASRB with its advanced development platform to facilitate research and plans to publish results as part of an ongoing process. Some security recommendations and general risks to this next generation of connected car are in the Intel-authored white paper.
General security building blocks applicable to building defense in depth for carsIn the paper, Intel presented a strong risk analysis of myriad ways to hack a car, considering such topics as supply chain risk management, secure boot, virtualization, and enforcement of approved and appropriate behavior, as well as a range of subtopics under network security and cloud security. The authors consider data privacy and discuss information security frameworks, industry examples such as fighter jet construction, and development life cycles. Interestingly, data privacy is considered as important as security, and both are considered as enablers.
Much of the paper is general in terms of cyber risk discussion, mentioning the applicable car subsystem, but not providing actual vulnerabilities. There is even a discussion of what motivates certain hacker groups, which would indicate that the group is expecting a general audience for the paper.
Given the car hacking news onslaught since late summer, it appears that manufacturers didn't heed good security practices and need(ed) a wake up call. Intel's goal appears to be to provide that kick, influence vehicle safety, and serve as a clearing house.
Intel will award the ASRB member who makes the best cybersecurity contribution to Intel's automotive platform a new car: www.intel.com/automotive/asrb.