Wednesday, March 15, 2017

Review: 3/14 ISSA Ft. Worth Chapter Meeting

I attended the Ft. Worth Chapter ISSA meeting yesterday for the first time in a while. My new position has made it difficult to get away, and they have undergone some changes that I was excited to go see. At this point, there is a lot of aspiration. I am excited to see what the perspiration is able to produce. Nevertheless, the first meeting's presenter did a great job.

Ms. Sharon Reynolds, CISO of Omnitracs, LLC, gave a presentation on the security, or lack thereof, of the computers within our automobiles. While she works in the area of trucking and freight, the issue is much larger in scope. Essentially, this issue stems from poor designs developed decades ago, before IT computer security was on the tip of everybody's tongue like it is today. Controller Area Networks (CANs) are used in automobiles today and essentially let anyone send messages of any kind across the network. This is like the "old days" of shared Ethernet... but worse. When your computer crashes, you reboot. When your car crashes... Because it is a shared bus with no authentication, once you access the system, you can start sending commands to virtually anything connected to the CAN. Unfortunately, in today's automobiles, that can be an awful lot. Consider that braking, steering, ignition, fuel, etc. all tend to be computer controlled in new automobiles. Toss in Bluetooth functionality and, all of a sudden, attack vectors go wireless too. This can get scary really quickly. See the video below. In their case, Chrysler had to issue a recall, which can get extremely expensive.
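The shared, unauthenticated bus described above is why defenders monitor CAN traffic for frames that do not fit the expected pattern. The following is an added example, not from the presentation or this post: it parses a constructed log in the can-utils `candump -l` text format and flags unknown arbitration IDs and frames that arrive faster than a baseline period. The baseline table, IDs, payloads and tolerance are assumptions made up for illustration.

```python
import re

# A classic CAN frame as logged by can-utils `candump -l`: (time) iface ID#DATA.
# Note what is absent: no sender address and no authenticator field.
LINE = re.compile(
    r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2}){0,8})$")

# Hypothetical baseline from known-good traffic: arbitration ID -> period (s).
BASELINE = {0x1A0: 0.100, 0x2B4: 0.050}

# Constructed sample log; IDs, timestamps and payloads are made up.
SAMPLE_LOG = """\
(100.000000) can0 1A0#0011223344556677
(100.050000) can0 2B4#0000
(100.100000) can0 1A0#0011223344556677
(100.100000) can0 2B4#0000
(100.120000) can0 1A0#FFFFFFFFFFFFFFFF
(100.150000) can0 2B4#0000
(100.200000) can0 1A0#0011223344556677
(100.210000) can0 5F3#0201
"""

def parse(line):
    """Return (timestamp, arbitration_id, payload) or None if not a frame."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, _iface, can_id, data = m.groups()
    return float(ts), int(can_id, 16), bytes.fromhex(data)

def find_anomalies(log, baseline=BASELINE, tolerance=0.5):
    """Flag IDs outside the baseline and frames arriving sooner than
    tolerance * expected period after the previous frame with the same ID."""
    last_seen, alerts = {}, []
    for line in log.splitlines():
        frame = parse(line)
        if frame is None:
            continue
        ts, can_id, _payload = frame
        if can_id not in baseline:
            alerts.append((ts, can_id, "unknown-id"))
            continue
        prev = last_seen.get(can_id)
        if prev is not None and ts - prev < baseline[can_id] * tolerance:
            alerts.append((ts, can_id, "too-fast"))
        last_seen[can_id] = ts
    return alerts

if __name__ == "__main__":
    for ts, can_id, reason in find_anomalies(SAMPLE_LOG):
        print(f"{ts:.3f} id=0x{can_id:03X} {reason}")
```

Because the frame itself carries nothing that identifies its sender, timing and ID allowlists like these are indirect signals and cannot prove which node sent a frame.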


Now, Jeep Grand Cherokees were not her only example. Toyotas, Fords, and even other "unnamed" vehicles were cited. One of the more recent examples was Tesla. However, in the case of Tesla, something interesting happened. Tesla issued a patch within 10 days of the exploit that automatically updated their cars remotely, thus representing a significantly more efficient process of addressing the issue than having to perform a recall. Additionally, they upped the security of their cars by requiring updates to be digitally signed by Tesla for the car to download a patch. Pretty nifty, Mr. Musk ;). At least passenger cars do have one thing going for them. Their CAN design is unique to each manufacturer, model, and year. So, they have security through obscurity. For those of a security mind, that is of little comfort, but at least it is something. Large vehicles, including semis, school buses, etc., are standardized, meaning that as these hacks get easier, it would be easier for organized crime to shut down a fleet of vehicles, holding them for ransom until a company paid. Nation states could paralyze critical infrastructure by making it unsafe for trucks to deliver needed goods and services.

Now, it was not all doom and gloom. There are a number of acronyms working on this problem, from the National Highway Traffic Safety Administration (NHTSA) to the Federal Bureau of Investigation (FBI). They are looking to develop standards as well as policy to make it more difficult to hack vehicles and to impose stiff penalties on those who do. In the meantime, the next time you are driving down the road and your car does something weird, maybe it's a glitch. Then again, maybe it's your friendly neighborhood hacker ;)
