In cyber car hacks, loose lips can kill, says expert
While every expert wants to be first to discover a security breach, information must not get into the wrong hands
With a crowded playing field in the cyber-security business, companies and experts seek ways to stand out. For cyber experts, that often means being the first to discover a new virus, security breach, or other hole that needs to be plugged up.
That’s the way the business is supposed to work, said Yoni Heilbronn of Israeli Internet of Things security firm Argus; but there are rules.
“You can’t go public with a vulnerability without informing the company that has the security breach, so they can repair it,” he said on the sidelines of last week’s CyberTech 2016 event in Tel Aviv. “If you do reveal the weaknesses of a device or system without giving the team responsible a chance to mitigate it, you could be putting the money or even lives of people at risk. It’s not just unethical – it’s dangerous.”
That is especially true in the business Argus deals with – the connected car business. With more vehicles than ever connected to the Internet – either through an in-vehicle communications system or via a connection to a driver’s smartphone – the opportunities for hackers to mess with cars are greater than ever.
Argus has developed a solution that analyzes communication packets (the segments of data) that come into and go out of the vehicle, determining if the packets are associated with the kind of behavior expected (e.g., signals from specific IP addresses, commands that make sense given the current activity of the vehicle, etc.). Suspect connections can be blocked or traced, preventing hackers from remotely grabbing control of a vehicle’s steering or braking system.
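As an added illustration of the filtering approach described above (not Argus’s code), the following toy filter checks each incoming command against an allowlist of expected sources and against the vehicle’s current state. All source names, commands and sample traffic here are constructed.

```python
from dataclasses import dataclass

@dataclass
class VehicleState:
    speed_kph: float
    gear: str  # "P", "R", "N" or "D"

# Constructed policy: which in-vehicle source may issue each command.
ALLOWED_SOURCES = {
    "set_volume":   {"infotainment", "driver_phone"},
    "set_hvac":     {"infotainment", "driver_phone"},
    "apply_brake":  {"brake_ecu"},
    "steer":        {"steering_ecu"},
    "unlock_doors": {"body_ecu", "driver_phone"},
    "shift_gear":   {"transmission_ecu"},
}

def plausible(command: str, state: VehicleState) -> bool:
    """Constructed rules: is this command sensible given the current vehicle state?"""
    if command == "shift_gear" and state.speed_kph > 5:
        return False  # gear changes are not expected while the car is moving
    if command == "unlock_doors" and state.speed_kph > 0:
        return False  # doors should not unlock on a moving vehicle
    return True

def classify(msg: dict, state: VehicleState) -> str:
    """Return 'allow', or a 'block: <reason>' string for a message that should not pass."""
    cmd, src = msg["cmd"], msg["src"]
    if cmd not in ALLOWED_SOURCES:
        return "block: unknown command"
    if src not in ALLOWED_SOURCES[cmd]:
        return f"block: {src} may not issue {cmd}"
    if not plausible(cmd, state):
        return f"block: {cmd} implausible at {state.speed_kph:g} km/h"
    return "allow"

# Constructed sample traffic, each message paired with the vehicle state at arrival.
# The first two are normal; the rest show a non-driving component or the phone link
# reaching for functions it has no business touching.
SAMPLE = [
    ({"src": "driver_phone", "cmd": "set_volume"},   VehicleState(110, "D")),
    ({"src": "brake_ecu",    "cmd": "apply_brake"},  VehicleState(110, "D")),
    ({"src": "infotainment", "cmd": "apply_brake"},  VehicleState(110, "D")),
    ({"src": "driver_phone", "cmd": "unlock_doors"}, VehicleState(60, "D")),
    ({"src": "telematics",   "cmd": "steer"},        VehicleState(90, "D")),
]

def run_filter(traffic=SAMPLE) -> list:
    """Classify every (message, state) pair; returns one verdict per message."""
    return [classify(m, s) for m, s in traffic]
```

A real deployment would key on bus identifiers and message timing rather than string names, but the two checks (expected source, plausible given state) are the ones the paragraph describes.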
Argus supplies car manufacturers, their Tier 1 suppliers and aftermarket connectivity providers with ready-to-embed technology that can be seamlessly integrated into any vehicle product line for any connected vehicle anywhere in the world without changes to the vehicle’s architecture, said Heilbronn. Among the company’s customers are some of the top Tier 1 auto part and component suppliers.
That such remote vehicle hacking is possible was proven beyond a shadow of a doubt last July, when white-hat hackers Charlie Miller and Chris Valasek took control of a Chrysler Jeep vehicle being driven at top speed by Wired journalist Andy Greenberg. Miller and Valasek turned the radio on full-blast, ran the air-conditioner, and even took control of the accelerator – scaring Greenberg to the point where he was forced to “drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.”
One researcher who did not give the affected company advance notice of a vulnerability was Corey Thuen of Digital Bond Labs. Progressive Insurance said he did not inform it of a security flaw in a dongle it distributed to insured drivers to report on their on-road driving habits and behavior, qualifying them for a safe-driving discount. After finding the flaw in the dongle, he went public.
Contacted by business magazine Forbes for comment, Progressive said that “if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.” Forbes noted that Thuen told them that he tried to reach the dongle’s manufacturer Xirgo in advance, but received no response.
In any event, there’s a right way and a wrong way to reveal cyber-safety problems, and Argus “would never reveal things in that manner, out of concern for the safety of the public,” said Heilbronn. And Argus has a great deal of opportunity to do the right cyber-thing. “There are only a handful of companies in the world doing cyber-security for connected cars, and we are the biggest one,” he said.
The company has been in touch with any number of manufacturers and Tier 1 suppliers about security issues; in 2014, for example, it revealed a problem with a connected-car solution made by Zubie, which, upon hearing of the problem, immediately dealt with it – and it was only then that Argus told the story.
“Once we detected Zubie’s security gap we duly notified Zubie with full details of our findings as required by our responsible disclosure policy,” said Heilbronn.
It’s not about reputation or profits, but about keeping hackers from pushing the envelope too far.
“Very often we will hear about hackers who tried to duplicate exploits that were tried and succeeded,” said Heilbronn. “When it comes to money or identity theft, as painful as that is, it usually does not put the lives of people at risk; with all the hassle involved, banks and other institutions are insured, so the public, while inconvenienced, usually gets compensated. In hacking of connected vehicles, things are different – and any exploit that succeeds could end up endangering the lives of drivers and others who are on the road with them.
“Who knows if any of the many car accidents that take place each year are the result not of failed brakes and the like, but of hacking?” added Heilbronn. “There are a lot of dangerous people out there – hackers, hacktivists, criminals, and terrorists – who are potentially capable of doing this. By 2020, there will be as many as 400 million connected vehicles on the road – meaning that there will be a lot more hacking opportunities. We should not be giving these people material to work with.”