Intel Establishes Automotive Security Review Board 39
An anonymous reader writes: To help mitigate the cyber-security risks in connected automobiles Intel has established the Automotive Security Review Board (ASRB). Intel says: "The board will encompass top security industry talent across the globe with particular areas of expertise in cyber-physical systems. The ASRB researchers will perform ongoing security tests and audits intended to codify best practices and design recommendations for advanced cybersecurity solutions and products to benefit the automobile industry and drivers. Intel also published the first version of its automotive cybersecurity best practices white paper, which the company will continue to update based on ASRB findings."
Another boondoggle? (Score:1)
Re: (Score:3)
Yup. All wrong. No one's been able to secure much of anything these days. As a result, mission critical equipment like personal vehicles should not have unnecessary complexity or connectivity. Let owner's cellphone do that for auxiliary purposes only (music streaming, navigation etc).
Consumer Reports (Score:3)
Just need consumer reports to start ranking reviewed cars on their information security.
Entertainment system has a network connection with the life-safety network without a one-way transfer? D. And a connection to Bluetooth or the Internet? F.
Note that this means Tesla would get an F.
Re: (Score:2)
Just need consumer reports to start ranking reviewed cars on their information security
How the hell is Consumer Reports going to rank cars based on this stuff? It's not like they have a panel of computer security experts on hand. Their reviews are based on feedback from their customers, which gives them reliability info. No one knows that a vehicle is insecure until suddenly some hacker figures out how to take it over remotely.
Entertainment system has a network connection with the life-safety network wit
Re: (Score:2)
They have panels of other experts on hand to evaluate cars on other metrics. Consumer satisfaction is only one measure they use. Why can't they put together a panel of computer security experts?
Re: (Score:2)
Because a panel of people who know how to drive cars and who have basic knowledge about how cars work isn't going to help much with computer security. In fact, even a panel of computer security experts isn't going to help any: how are they going to evaluate the system, unless they can find a bunch of serious hackers (like the guys who hacked into the Jeep and drove it remotely)? Most of these systems are closed-source and proprietary, so you can't just poke around in there to see if it was written correct
Re: (Score:2)
Dude, it's really simple. You don't need the source code to see which physical components do which jobs and how they're interconnected.
Assume that any sufficiently complex component has errors. Can a hacker send crafted data to each component? If he breaches one of them, what does he have access to now?
What do the claimed features tell you about the system structure? Remote updates to the drive train? That means that after finding the errors a hacker can insert arbitrary data in to the drive train.
Poke at t
Networked car will never be secure (Score:2)
Did they remember to (Score:2)
Only hire women and other URMs?
Re: (Score:1)
Obviously. Men are too stupid to do anything the way it should be done. Everything should be connected to everything else because convenience for women is more important than security, privacy, or rights.
Pot, Kettle (Score:3)
The danger (Score:3)
We don't want them to "follow industry standards," we want them to write secure software.
Re: (Score:2)
..or avoid software altogether if they can't/won't write secure code.
Re: (Score:2)
Auto manufacturers don't need to write secure code.
There's plenty of companies out there that specialize in writing mission-critical, secure code. Any company that writes avionics code would probably be a good choice. The automakers can outsource the software work to these companies, and concentrate on designing nice cars and operating assembly lines.
Security experts only? (Score:1)
Will this board also include also include experts from the actual automotive industry or is this yet another bandwagon?
Everyone from outside the industry seems to treat automotive security like IT security on embedded processors and then reacts surprised when the automotive industry does not even want to talk to them.
Here's a hint to automotive security researchers who want to be taken seriously:
Try and learn how the development of a vehicle actually works. It is a complex process with tens of thousands of
Re: (Score:2)
and isn't double digit millions and development costs nothing to a big OEM like GM or Toyota?
Re: (Score:1)
I guess that is what Intel is hoping
How about not connecting cars to the Internet (Score:4, Insightful)
The best place to start in making cars more secure is to stop connecting them to the Internet or cellular networks. It makes them vulnerable to remote exploits and increases the cost of the car.
But now we have some jurisdictions (EU I think is one) mandating cellular connections in new cars so they can support "emergency features" (presumably stuff so when the car is involved in a serious crash, the car can notify emergency services automatically in case the occupants are pinned down or unconscious and cant make an emergency call themselves)
Get rid of the cellular connections, get rid of all this "infotainment" crap (whoever thought "apps" in a car is a good idea is an idiot). And spend some money on really strong encryption in things like the remote unlock keyfobs and engine immobilisers so hackers cant get in.
Re: (Score:3)
But now we have some jurisdictions (EU I think is one) mandating cellular connections in new cars so they can support "emergency features"
Wow, that's a horrible idea. First thing I'm going to do is disable that shit.
Re: How about not connecting cars to the Internet (Score:1)
You mean disable your vehicle?
Just wait, they'll pass a law. If law enforcement can't remotely interface with you car you are in violation. Since you disabled the security system you must have stole it and you won't be listened to until after booking when you get to see an actual judge the next day/week.
You will have no defense except against charges, being jailed was your fault and you won't get your time or job back. Employer already got someone. And you still have to pay for impound, where you will find
Re: (Score:1)
Its perfectly reasonable to have an open source audit-able and removable box in your car that has read only access to some of the car's data and a network connection for emergency purposes. Its even ok if cars have to come with them, and support them.
I don't know what they are proposing, but I suspect the problem is in the details (by that I mean things obvious to anyone who cares about any security or privacy issues), not in the actual concept. This isn't a case of features are bad, or usability vs privacy
Get over it (Score:2)
The best place to start in making cars more secure is to stop connecting them to the Internet or cellular networks.
Never going to happen. Seriously. Waste of time to even discuss it. If you want to discuss best practices for it then you might have a worthwhile discussion. But the internet is going to be a part of our driving experience whether we like it or not.
Get rid of the cellular connections, get rid of all this "infotainment" crap (whoever thought "apps" in a car is a good idea is an idiot).
Wasting your breath and frankly a lot of smart people disagree with you. If customers want it then it will happen. If they don't then it will go away. The fact that you don't find such things valuable is irrelevant.
And spend some money on really strong encryption in things like the remote unlock keyfobs and engine immobilisers so hackers cant get in.
Encryption isn't some magic pixie dust t
Re: (Score:2)
Re: (Score:2)
You sound like a luddite.
The best place to start in making cars more secure is to stop connecting them to the Internet or cellular networks. It makes them vulnerable to remote exploits and increases the cost of the car.
It also increases safety by allowing drivers to talk on the phone hands-free using a built-in Bluetooth system. On my car, I press a button on the steering wheel, speak "call John Smith", it finds someone with that name in my phone's contacts, and calls him, all without my hands leaving the
Re: (Score:2)
But now we have some jurisdictions (EU I think is one) mandating cellular connections in new cars so they can support "emergency features" (presumably stuff so when the car is involved in a serious crash, the car can notify emergency services automatically in case the occupants are pinned down or unconscious and cant make an emergency call themselves)
Again, what's the problem with that? Would you rather just sit there and die because you're unable to reach your phone and you're in the middle of nowhere? Honestly, this is probably a bigger issue here in the US where we have a lot more very rural and remote roads where there might not be any passersby for a while, or worse you go into a ravine or something and no one can see you.
So you don't care being tracked whenever you go just so it could maybe someday save your life?
Whatever happened to "Live Free or Die"?
Re: (Score:2)
Do you have a cellphone? If so, you're being tracked. What does it matter if the car makes use of that data connection?
You want to live free, go find some land in rural Alaska, buy a doomsday survival kit, and shack up there.
Re: How about not connecting cars to the Internet (Score:2)
Sorry, forgot the /sarcasm tag
Re: (Score:2)
Secondly, these systems give us navigation, which saves a lot of time and gas and improves safety a lot (since you aren't driving in circles looking for something that's not easily found on a map). Of course, you can add this stuff in with your phone and a mobile mount, but that's clumsy and not as well integrated.
The fact that it's fully integrated with everything else in the car IS the major problem with those gadgets.
What can you do with a 10 years old car where the manufacturer doesn't offer updates anymore for the navigation system? You do like most people who had this problem, you go buy yourself a cheap 100$ GPS and stick it on the dash, ignoring the onboeard navigation. Out of date maps are worse than no map at all.
These things should be modular, like car radios where before. Industry should define a standard
Re: (Score:2)
Maybe it would stirr up a little competition and we could have better systems and interfaces (I have the Dodge uconnect 4.3, and boy is this interface fucked up and hard to use. 4 clicks on a touch screen to send heat to the feets instead of the face? Who tought of that????)
Why'd you buy it then? My new Mazda3 is loaded with tech features and an infotainment system, and it still has a fully separate HVAC system (albeit a dual-zone automatic one), so changing that setting is a simple dedicated button. Inte
Re: (Score:2)
Why'd you buy it then?
Because it's litterally the only 7 passenger vehicle we could buy... that was not a minivan.
You see, fitting our 6 kids in a comfortable yet affordable vehicle was a more important factor than the shitty interface of the HVAC.
I know standards cannot predict the future and that's why we were stuck with those tiny buttons. Maybe my solution is not the best, but I cannot fathom how those shitty interfaces could be approved and put into production.
Re: (Score:2)
McAfee makes the worst software on the planet. I'm not kidding or exaggerating: Mr. John McAfee, founder of the eponymous company, says so himself. If you can't believe him, then why would you believe someone else (including another company that's so stupid they continue to hang onto the name of the founder who now calls their products garbage)?
This ploy seems pretty lame to me really. Intel may be have been trying to push into the automotive market, but I doubt they've made much progress. The CPUs used
Step one: (Score:2)
Step one: No connection between the EMU (Engine Management Unit) and the entertainment system or the outside world.
Step two: There is no step two.
Re: (Score:2)
hmm.
What do you do about the braking system ? airbags ? speed regulator ? etc etc etc...
There is useful communication between these systems and "insecure" systems like infotainment.
You can't just cut that communication. It needs a redesign of the whole network HW architecture first (with each little change costing millions on one platform)
Re: (Score:2)
These systems may be connected to the engine system as needed, however, none of them should be connected to the entertainment system or the internet.
Do you need the internet to run a car? No, so stop adding useless tracking/spying computers to everything.