Dude, where’s my car? Vehicle hacking trends & analysis; #14

Defenses

                As the vehicle advanced in its application of technology, it has become more connected. This has increased the attack points and vulnerabilities. The market has produced a vast number of persons interested in looking for these to report. Although these continue to be found, there are a number of defenses that may be put into place to in the least provide layers of security.

The vehicle manufacturer has the opportunity to implement a secure communication channel intra- and inter-vehicle.  This includes using TLS 1.2 and SAML 2.0 and other cryptographic protocols. This should not be avoided for the convenience of management or the engineers. This may be an issue especially later when additional functionality would be added as technology and its application abilities are enhanced. It is much better to be late with a project than allow the next generation to address this.

The vehicle is in effect a computer on wheels. As with any system there are a number of ports that are not used and available. The ports that are not used should be closed. These may not be a point of attack at the present time, however with later functionality there may be problems. The engineering team cannot guaranty the functionality in the future. As has been noted, new attacks are regularly exploited. New attack points are found regularly with both old and new equipment and systems.

Nearly all consumer and commercial systems have AV and at least one firewall. The vehicle functionally is no different. The vehicles should have some form of this defense in depth in place. Although these tools are not perfect, this is better than nothing being in place. A bit of system protection is better than nothing. Along this same thought, the vehicles should have embedded some form of IDS/IPS.

The threats and vulnerabilities for the vehicles are not unknown until the issue becomes too significant to patch quickly. These are regularly published in various social media outlets. The info sec groups should learn from this in comparison to ignoring these, as being from an unknowing lay person. The threat feed should be gathering information from other threat feeds, blogs, vendor updates, twitter accounts, and other sources. These may provide updates in general or to specific vehicles. Also if an attack works on a certain vehicle, it may be viable on others.

In short, the vehicle cyber security is an issue that can be mitigated to a reasonable level. There is no panacea that will bring the risk to 0%, but to a very manageable level. This will take a paradigm shift however from the present mode of hurrying to get a project done merely to move to the next. The security team must not allow info sec to be treated as some function to be bolted on at the last milestone of a project.  The planning needs to be more long-term versus short-term. Without these being in place, there will continue to be a massive expense and embarrassment to the manufacturer.