
Driving Information Security, From Silicon Valley to Detroit

As software interacts with more and more of our daily lives, technology providers may be liable for more damages than they have in the recent past.

Many ways to attack
For an attacker, getting access to a car’s network is not as hard as it may initially seem. The most obvious attack point would be the On-Board Diagnostics connector that is usually located in a discreet spot under a vehicle’s steering wheel where a small and cheap microcontroller could be connected. More interesting attacks could be launched via malware contained on CDs, DVDs, or USB devices loaded into the vehicle’s infotainment system. Moving into the wireless realm, many cars come equipped with Bluetooth or WiFi connectivity for smartphones and other devices within the vehicle.

All of these attack vectors would require the attacker to be in or near the target vehicle, but services like GM’s OnStar, BMW’s Assist, and others utilize mobile cellular connections to connect vehicles to the outside world. New smartphone apps that allow vehicle owners to interface with their cars remotely can open up these interfaces essentially to anyone on the Internet. It’s not too far-fetched to imagine that a few years from now bored Chinese hackers could spend their downtime crashing cars instead of trying to cause trouble at water treatment plants.

Motor vehicles have been built with mechanical and hydraulic linkages for over a century, and the basic safety principles for those types of systems are well understood. Designing reliable software for complex vehicles is a fairly new discipline that is only understood by a few companies (and even they make mistakes). Malfunctions or outside interference with operating vehicles can easily have fatal consequences, and the increasing use of networked control systems connected to the outside world increases the likelihood of accidental or malicious incidents.

The developers of the electronic systems in our vehicles would do well to heed the saying “with great power comes great responsibility.” As we’ve seen with both Toyota and GM’s recent troubles, safety issues can bring heavy financial consequences for manufacturers. Congress is starting to pay attention to the issue of car hacking as well, and it will likely only take one high-profile incident to provoke regulatory action.

Tesla Motors has already shaken up the industry by bringing its Silicon Valley approach to the automobile business and continues with this approach by actively soliciting information from the public on security vulnerabilities in its vehicles and publicly posting a “Hall of Fame” for security researchers who have assisted them. Perhaps this is part of the future: manufacturers working more closely with their customers to find and address issues.

As Google experiments with some of the first realistic self-driving cars, it isn’t too far-fetched to imagine them following the same path as Tesla when it comes to working with security researchers, especially in light of Google’s existing bug bounty programs. In any case, one habit of Silicon Valley that we can be almost assured won’t carry over to the automotive world is the practice of disclaiming liability for damages from the improper operation of software; the Toyota case has shown us that those days are already over. Who knows? Before long, it may be Silicon Valley looking to Detroit for advice on how to handle product liability concerns.

As a footnote, many of the issues raised here are applicable to other industries outside the automotive sector as well (software vulnerabilities in medical devices and industrial control systems have been getting quite a bit of attention as of late). But it’s hard to imagine any other industry that is as integral to the national (and global) economy, whose products are used more frequently by such a large proportion of the population, and the correct operation of which carries life-and-death consequences.

Christopher Camejo is an integral part of the Consulting leadership team for NTT Com Security, one of the largest security consulting organizations in the world. He directs NTT Com Security's assessment services including ethical hacking and compliance assessments. Mr. Camejo ...
Becca L
User Rank: Author
8/31/2014 | 7:56:04 PM
Re: big shift in software liability coming?
Chris, fascinating read. It's an eye-opening argument about software vendors' role in securing the pathways they open up for hackers. I think Greg is right that as the world becomes more digital - more "internet-of-things"-esque - software vendors are going to have to take on responsibilities in security.

It may stymie innovation, though, as it will be harder to get new products to pass whatever measures are already in place. But when it's a matter of life and death, that's not necessarily a bad thing.
Greg MacSweeney
User Rank: Author
8/21/2014 | 8:38:11 AM
big shift in software liability coming?
It does seem that there will be a shift in how software providers are covered under the license agreements. As the author stated, more software is being used in every part of our lives. As software is hacked, there could be life-threatening consequences. I don't see how courts would allow software providers to simply walk away.