DHS, vendor warn on automotive cyber flaws

DHS warned the automobile industry that new private-sector research shows vehicle control systems expose possible new vectors for attacks and data theft.

The Homeland Security cybersecurity response team has notified automobile makers that they should take a look at new research illustrating flaws in vehicle control modules that could set those systems up for denial-of-service attacks and other mischief.

In a July 28 alert, the DHS National Cybersecurity and Communications Integration Center (NCCIC) and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said they were tracking research that showed vulnerabilities in certain models of automobiles. The targeted Controller Area Network (CAN) standard is also used in some healthcare systems, they said.

The alert said researchers had identified a vulnerability exploiting a weakness in the protocol itself that could allow an attacker to perform a denial-of-service attack.

ICS-CERT has notified some affected vendors, primarily auto manufacturers and entities within the healthcare industry, about the report to confirm the vulnerability and to identify mitigations.

NCCIC warned that CAN is widely used throughout the critical manufacturing, healthcare and public health, and transportation systems sectors.

The warning came just days before a team of McAfee researchers presented a paper on automobile system vulnerabilities at the DEF CON 2017 hacking conference in Las Vegas at the end of July.

A few days earlier, CERT had issued an advisory about telematics control units used in BMW, Ford and Nissan Infiniti vehicles.

That research showed vulnerabilities in an on-board telematics control module used by Nissan, Infiniti, BMW and Ford that allowed remote, unauthorized access to geographic information such as location, destination and other data. The researchers said they had notified the manufacturers, who had pushed out a fix for the problem.

"The vulnerabilities McAfee discovered show just how difficult it would be to regulate cybersecurity," said McAfee Chief Scientist Raj Samani in a statement to FCW. "Fundamentally, a car is like a jigsaw puzzle with multiple components, so applying patches to cars the way we would a phone, for example, is not feasible."

"The cars we're going to be using in the future will be dependent on technology, and there will always be vulnerabilities as we increase the amount of code in cars," he said. "What needs to happen, fundamentally, is the integration of security and privacy by design, with cybersecurity built-in to all the components of a device. The responsibility is on manufacturers to integrate security."

Samani said consumers should also bear some of the responsibility by asking manufacturers about their responses to cybersecurity incidents and vulnerabilities, as well as how they test products to ensure security.