Hackers Demand Automakers Get Serious About Security
Posted on August 11, 2014 by Kara Dunlap in Security
A group of security researchers called upon automobile manufacturers to build cyber-security safeguards inside the software systems powering various features in modern cars.
In an open letter to “Automotive CEOs” posted (PDF) on the I am the Cavalry website, a group of security researchers called on automobile industry executives to implement five security programs to improve car safety and safeguard them from cyberattacks. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation.
“The once distinct world of automobiles and cybersecurity have collided,” read the letter. “Now is the time for the automotive industry and the security community to connect and collaborate.”
Vehicles are “computers on wheels,” said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group that penned the open letter. The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.
Computers manage engines, brakes, navigation, air-conditioning, windshield wipers, entertainment systems, and other critical and non-critical components in modern cars. Security experts have warned that unless these systems are built with better security features, cyberattacks against cars could result in physical injury to the driver and any passengers. The five-star plan could conceivably be used by consumers, Consumer Reports-style, to understand which automakers are thinking about security, Corman said.
The first “star,” safety by design, simply means automakers should design and build automation features with security in mind. Engineers should be stopping to think about how the systems could be tampered with and then build in blocks to prevent such an attack. Automakers should also implement a secure software development program within their companies to encourage better coding and design.
Third-party collaboration asks automakers to establish a formal vulnerability disclosure program, clearly stating what their policies are and whom to contact. This doesn’t mean bug bounties—where companies would pay for bugs—but rather designing a process that ensures bug reports and other information from third-party researchers reach the right engineers.
“Tesla already gets a star,” Corman said, noting the electric car maker recently established such a policy.
Evidence capture is the first technical piece in the Five Star program, and asks for forensic capabilities such as event logging in car systems.
“We have black boxes in airplanes,” Corman said, noting it’s currently impossible to collect any information on why something failed in car systems. Security updates mean the issues found and reported which have been fixed actually get pushed out to individual cars in a timely and effective manner. And the final star—and the last technical piece—is segmentation and isolation, referring to keeping critical systems separate from the rest of the car’s network.
“With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes,” said Corman.
Vehicles, transportation systems, industrial control systems, and medical devices represent some of the hottest areas of cyber research. At Black Hat this year, Charlie Miller, an engineer at Twitter, and Chris Valasek, director of vehicle security research at IOActive, demonstrated how they could remotely control vehicles by compromising non-critical systems. The panel built on last year’s research, which showed how they could take over the brakes and the car’s steering from the back seat of the car. There were sessions discussing medical device security, and a DEF CON presentation looked at how traffic control systems were not secure.
The security industry reaching out directly to the automobile industry was a good idea, said Andrew Ruffin, a former staffer for Sen. Jay Rockefeller (D-WV), a member of the Senate Commerce Committee. Ruffin attended the press conference at DEF CON 22 on Friday. “I’m encouraged by the letter and hope there’s a quick response,” said Ruffin. “I think this has some legs.”
Considering how technology has permeated practically all parts of modern life, the group wants manufacturers to think about security and start implementing security features in their designs and business processes. The goal is to start thinking about security and implementing safeguards before the major cyberattack happens, said Corman. To people who say these things take time and would require a lot of work, Corman had two words: “We know.” The time to start is now, so that in a few years, these efforts would actually show results, he said.
Along with releasing the open letter, the group participated in a closed-door session with automobile and medical device representatives in a private meeting in Las Vegas on Tuesday and plans to discuss automotive hacking at DEF CON on Sunday. There is also a change.org petition demanding automakers pay attention to car safety and cybersecurity.
“When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles,” the letter said.
Signatures and instructions for signing the petition can be found online.
Podcast: Car Hacking with Charlie Miller and Chris Valasek
Related: Car-hacking Researchers Hope to Wake up Auto Industry
Related: Forget Carjacking, What about Carhacking?
US-CERT Warns Businesses About POS Attacks
Posted on January 9, 2014 by Kara Dunlap in Security
If nothing else, the breach at Target brought this point home – point-of-sale (POS) systems are firmly on the radar of attackers.
So much so that US-CERT just recently warned retailers to do a better job of protecting their systems.
“In some circumstances, criminals attach a physical device to the POS system to collect card data, which is referred to as skimming,” the organization noted. “In other cases, cyber criminals deliver malware which acquires card data as it passes through a POS system, eventually exfiltrating the desired data back to the criminal. Once the cybercriminal receives the data, it is often trafficked to other suspects who use the data to create fraudulent credit and debit cards.”
“As POS systems are connected to computers or devices, they are also often enabled to access the internet and email services,” the advisory continued. “Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system. The return on investment is much higher for a criminal to infect one POS system that will yield card data from multiple consumers.”
In the case of Target, malware was discovered on the company’s POS systems Dec. 15. At that point, Target disabled the malicious code and began the process of notifying card processors and payment card networks. As many as 40 million debit and credit card accounts may have been impacted. But that was just the most recent example of an attack. For example, in 2012, hackers hit the point-of-sale systems at Barnes & Noble and compromised credit card readers at 63 stores.
“In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems,” said Mark Bower of Voltage Security.
These systems are in constant use around heavy shopping periods like Black Friday, when they are often less frequently patched and updated, he added. To take the profit out of the attacks, savvy retailers are utilizing point-to-point encryption to protect data before it even gets to the POS system, he said.
“If the POS is breached, the data will be useless to the attacker,” he said. “Tokenization can eliminate live data from post authorization retail processes like warranty and returns yet enabling the retail business to still operate as before – even at Black Friday scale. No live data means no gold to steal. Attackers don’t like stealing straw.”
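To make the tokenization point concrete, here is an added example (written for this page, not Voltage Security’s or any vendor’s code) in which the PAN is swapped for a random token before it reaches the back-office records used for returns, so a compromise of that store yields no card numbers. The vault, back-office classes and sample PANs are all constructed for illustration.

```python
import secrets

# Constructed, well-known test PANs; not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


class TokenVault:
    """Maps PANs to random tokens. Lives only in the isolated payment segment."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN always yields the same token so a return can match its sale.
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from PAN
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        # Only the payment segment ever needs this; the back office never calls it.
        return self._token_to_pan[token]


class RetailBackOffice:
    """Holds sales records for warranty and returns; it never sees a PAN."""

    def __init__(self):
        self.sales = []

    def record_sale(self, token: str, amount: int, last4: str) -> None:
        self.sales.append({"token": token, "amount": amount, "last4": last4})

    def process_return(self, token: str, amount: int) -> bool:
        # Returns are matched on the token alone, no live card data required.
        return any(s["token"] == token and s["amount"] >= amount for s in self.sales)


def run_sale(vault: TokenVault, back_office: RetailBackOffice, pan: str, amount: int) -> str:
    """Capture path: tokenize at the edge, hand only token and last4 downstream."""
    token = vault.tokenize(pan)
    back_office.record_sale(token, amount, pan[-4:])
    return token


def dump_exposes_pan(records, pans) -> bool:
    """What an attacker reading the back-office store would find: any full PAN?"""
    dump = repr(records)
    return any(pan in dump for pan in pans)
```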
Organizations need to take stock of what devices they have running and what gaps they need to close, said Chris Strand, compliance consultant at Bit9.
“Taking a better approach to automating the vulnerability analysis to get better visibility of the threat landscape and find a solution that allows organizations to see where high priority and critical areas are on those systems,” Strand said.
US-CERT also recommends organizations restrict POS access to the Internet, disable remote access and update POS software applications.
Then there is the prospect of more secure EMV cards, which security experts say may have made the attack on Target a non-starter for those behind it.
“EMV is a big part of the answer and would likely have prevented the Target breach,” noted Chester Wisniewski, senior security advisor at Sophos. “Merchants have been resistant as it requires newer payment terminals, but Target is one of the few who were already EMV-ready. It is currently scheduled to roll out (for most transactions) in the US in the autumn of 2015. It took us about 18 months to fully embrace it here in Canada; let’s hope the US can one-up us.”
Related Reading: PCI DSS 3.0 – The Impact on Your Security Operations