One of the noteworthy activities coming out of BlackHat/DEF CON was the open letter to the auto industry from I am the Cavalry espousing 5 principles for making the computers in cars safer – before someone gets hurt. As our pal Josh Corman says in a CSO article on the initiative:
“This initiative is not only about finding bugs,” Corman said. It’s about building relationships between researchers, industry and government, which is much harder, he said. [sic]
It is indeed all about the relationships. Researchers (most notably Charlie Miller and Chris Valasek) have hacked the crap out of cars, because all these fancy car tech systems are just computers with WiFi and/or Bluetooth. Egads! Of course they can be hacked. The question is whether auto makers will get ahead of the issue.
The principles are pretty straightforward. Things like building security in, having independent researchers try to break it, updating software remotely, and isolating important stuff (such as the steering system and power train). This isn’t brain surgery and some auto makers (notably Tesla) are hiring teams to do a lot of this research on their own cars.
I applaud the efforts of the Cavalry and other organizations which work to build these relationships and progress based on mutual interest, without an adversarial relationship. There was a bunch of trolling on Twitter earlier this week, which was largely about the futility of these movements. Just because it’s hard doesn’t mean it’s not worth doing.
Of course security will get better in cars and other areas where connectivity is expected (like medical devices). It can happen via productive discussions with organizations like the Cavalry. Or it can happen after someone dies, when Congress gets involved to grandstand and hijack the conversation. The choice lies with industry. We’ll see how it goes.
Photo credit: “cavalry charge” originally uploaded by The U.S. Army