White-hat hackers key to securing connected cars
- 13 February, 2016 00:07
WASHINGTON -- It's a scary prospect, barreling down the highway when a hacker seizes control of your brakes and power-steering system.
The specter of vehicle hacking, potentially a matter of life and death, demands that auto makers elevate security as a priority as they develop ever more sophisticated in-car technology, a member of the Federal Trade Commission is warning.
"The age of connected cars has firmly begun, and will only accelerate from here," FTC Commissioner Terrell McSweeny said at a recent conference on connected cars. "This technology has a huge amount of promise for consumers, but also raises serious privacy and security considerations that must be part of the dialogue."
McSweeny cites a Senate report issued last year that found wide swings in the security practices throughout the auto industry. Some car makers engaged a third-party outfit for independent testing of the security in their cars, for instance. Others did not. And some manufacturers, but not all, had systems in place to remotely monitor for suspicious activity.
McSweeny says that she is a frequent visitor to security conferences, where researchers often demonstrate tactics for hacking into a vehicle's system.
"Some have dismissed these exploits as stunts, but I think it would be far wiser to treat them as important wake-up calls to the industry," she says. "What I've learned from visiting with hackers and security researchers is that cars are prominent targets, but also that this prominence can create a real opportunity to enhance the safety and security of cars and the trust of consumers."
Auto industry urged to embrace hacking community
She sees the potential for the auto industry to partner with the security community to help unearth vulnerabilities in its in-car systems, much as the tech sector has done, where many firms offer bug bounty programs to incentivize responsible hackers to bring flaws to their attention and ultimately improve the security of their products.
"The auto industry, in my view, would be well-served by following the lead of the information technology industry, which has developed ways to work with hackers, rather than against them. For years, technology companies fought a losing battle in security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowdsourcing solutions can be an effective way of staying ahead of cyberthreats," she says.
"I'm convinced that white-hat hackers can be an ally in the technology-development process. Security researchers can work to uncover flaws and vulnerabilities in vehicles," she adds. "If you want to think about it, they are like the white blood cells spotting viruses, infections and flaws in the system and communicating to the brain the best way to respond."
In the meantime, there are certainly steps that car makers could take on the policy front to limit their risk and potential liability, beginning with how they handle data. For years, the FTC has been probing the ways that technology companies collect and use consumers' personal information, and agency officials often recite one of the central lessons that inquiry has produced, urging firms to limit the amount of data they collect and store.
"A breach is less costly if there's less information stored," McSweeny says.
But she also notes the fast-increasing sophistication of in-car software systems, which appear to be headed down the same path as smartphones, raising the potential that companies could gather all manner of sensitive data about consumers, such as health and financial information. That raises the stakes of a breach, and McSweeny made it clear that the FTC expects auto makers to keep the customer information they collect under lock and key.
"Once collected that information must be protected," she says. "The more information that's collected, the more resources are going to need to be deployed to protect it."