Car owners could face more danger from hackers if a draft bill (pdf) by the House Energy and Commerce Committee (HECC) becomes law. The law would make independent oversight of the electronic safety of motor vehicles a crime, subjecting well-intentioned security researchers to a $100,000 fine per instance. Today’s cars have 200 – 400 microcontrollers and microprocessors in them, making access to each one a separate offense, with fines that could add up to millions.
The security flaws of the Jeep Grand Cherokee were exposed this summer by security researchers Charlie Miller and Chris Valasek, who were able to shut down the vehicle during operation by cracking the Wi-Fi password. The risk of huge fines would stop researchers from exposing critical motor vehicle vulnerabilities, but it would not stop hackers with malicious intentions from invading vehicle control systems.
Trusting just the automobile manufacturers to implement adequate safety is a very bad idea, according to world-famous security researcher and CTO of Veracode Chris Wysopal, who said:
“Right now you can hack most of what you own. An exception is the threat of anti-reverse engineering clauses in EULAs being enforced by software vendors. Another is circumventing DRM controls protecting copyrighted works, which is enforced by the DMCA. This HECC bill would seem to prohibit hacking a car even if you own it. This would be awful. The ‘trust us, we’re secure’ model has never worked and will never work. Unless there are checks and balances in the system like we have for all other consumer products when it comes to safety and security, we will see less safety and security.”
Consumers, enterprises and electronics vendors have benefited from the community of independent security researchers who find system vulnerabilities and report them to vendors, users and other stakeholders. The HECC bill would stop researchers from identifying vulnerabilities that malicious hackers could potentially use to take control, and would deny automakers the chance to patch those vulnerabilities before they are exploited. Apparently Congress, like most of the general public, doesn’t understand what goes on behind the scenes between manufacturers and security researchers, so here it is in a nutshell.
Security researchers follow a principle of responsible disclosure. A researcher applies his or her knowledge, using security tools and by writing software, to find an exploitable weakness in a system; the system could be a smartphone, a home Wi-Fi router or, in this case, a vehicle control system. When a vulnerability is found, the researcher is obligated to give the vendor notice and a chance to patch the vulnerability before notifying the public. In more mature technology segments, such as mobile, all the stakeholders have agreed on acceptable timeframes of around 90 days, after which the researcher is obligated to notify the public of the vulnerability.
Malicious hackers haven’t targeted cars so far because there wasn’t an opportunity. Now that automakers have added a large number of processors along with Bluetooth, Wi-Fi and 300–400 MHz band radios, cars are malware targets just like PCs and smartphones.
Congress should account for the work of security researchers, and automakers should be forewarned by the computer makers’ experience: the only defense is software that can be easily and quickly updated remotely. As car computing and networking systems become more complex, more vulnerabilities will be identified. Without well-designed software update systems, automakers will suffer from frequent recalls.