Last December two hackers, Charlie Miller, security engineer for Twitter, and Chris Valasek, director of security intelligence at IOActive, tried their hand at standup comedy with the unlikely topic of automotive security. Like Comedy Central’s Key & Peele, they sought to mine the process of vehicle hacking for yuks and, I can honestly say, they were pretty successful. The proof: http://tinyurl.com/kczelqr
This week the Miller and Valasek comedy team has released its roster of “the world’s most hackable cars,” as reported in InformationWeek: http://tinyurl.com/m8eouau. And they will present today at Black Hat 2014 in Las Vegas (“A Survey of Remote Automotive Attack Surfaces”: http://tinyurl.com/mwbm4x7) where, at the conclusion of their talk, they are expected to demonstrate a device, created from $150 in parts, to detect and prevent hacking in a car. The device plugs into the OBDII port and monitors vehicle network traffic.
There are two kinds of security presentations: The ones that scare you half to death and send you running to cancel your credit cards, and the ones that clearly delineate the extent of the problem and the known solutions.
But Miller and Valasek have taken a third path, morphing from comedians and fear-mongers into pitchmen. Key & Peele cum Ron Popeil. Their vision of vehicle security apparently boils down to an aftermarket device. No marketing or sales plans have been announced.
There are a few things wrong with the Miller and Valasek message:
#1 They attempted to show how easy it was to “hack” into a vehicle network to access vehicle controls such as brakes and steering. For the purpose, they chose a Toyota Prius and a Ford Escape equipped with parking assist technologies.
The reality is that their “hack” – much of which could have been achieved with off-the-shelf diagnostic tools – required months to achieve, as was made clear in the video. In retrospect this is oddly reassuring rather than terrifying. There was nothing simple, nor was there anything remote, about their vehicle “security breach.”
#2 Their roster of most hackable cars appears to be based entirely on whether or not the car has integrated controllers for safety and connectivity. In their estimation, the more segregated the vehicle systems are from each other and from connectivity, the better.
The reality is that vehicle systems are becoming increasingly integrated for the purpose of enabling autonomous driving and other safety-related applications including diagnostics. Commensurate with this integration has been a much greater focus from car makers on the security of on-board systems.
#3 They offer a device for monitoring for vehicle intrusions. But vehicle security is not an aftermarket product. If anything, the attachment of an aftermarket device is more likely to increase rather than decrease system vulnerability.
Vehicle security is a multi-layered proposition encompassing everything from the semiconductors to the wireless connections to the on-board networks all the way down to individual ECUs. Vehicle security is a philosophy that takes into account hardware and software and even leverages wireless connectivity for authentication and access (soon) to public key infrastructure and software updates.
The industry is rapidly moving toward a more robust gatewayed and firewalled approach to security, but one that will enable off-board to on-board communications. Is remote control possible? Sure, but it is not easily achieved, as Miller and Valasek have shown, chafed knuckles and all.
Miller and Valasek have helped to raise awareness of the security problem. Where they have failed is in raising understanding of the solutions to the problem, which exist and are being implemented by suppliers as varied as Harman International and Covisint to Intel, NXP, Freescale, AMV Networks, QNX, and Cisco. Maybe, like Key & Peele, they need a little dose of Liam Neeson.
