
Intel Establishes Automotive Security Review Board

An anonymous reader writes: To help mitigate the cyber-security risks in connected automobiles Intel has established the Automotive Security Review Board (ASRB). Intel says: "The board will encompass top security industry talent across the globe with particular areas of expertise in cyber-physical systems. The ASRB researchers will perform ongoing security tests and audits intended to codify best practices and design recommendations for advanced cybersecurity solutions and products to benefit the automobile industry and drivers. Intel also published the first version of its automotive cybersecurity best practices white paper, which the company will continue to update based on ASRB findings."
  • First post? It'll be interesting to see who else gets on board with this.
    • by epyT-R ( 613989 )

      Yup. All wrong. No one's been able to secure much of anything these days. As a result, mission critical equipment like personal vehicles should not have unnecessary complexity or connectivity. Let owner's cellphone do that for auxiliary purposes only (music streaming, navigation etc).

    • Just need Consumer Reports to start ranking reviewed cars on their information security.

      Entertainment system has a network connection with the life-safety network without a one-way transfer? D. And a connection to Bluetooth or the Internet? F.

      Note that this means Tesla would get an F.

      • Just need Consumer Reports to start ranking reviewed cars on their information security

        How the hell is Consumer Reports going to rank cars based on this stuff? It's not like they have a panel of computer security experts on hand. Their reviews are based on feedback from their customers, which gives them reliability info. No one knows that a vehicle is insecure until suddenly some hacker figures out how to take it over remotely.

        Entertainment system has a network connection with the life-safety network wit

        • They have panels of other experts on hand to evaluate cars on other metrics. Consumer satisfaction is only one measure they use. Why can't they put together a panel of computer security experts?

          • Because a panel of people who know how to drive cars and who have basic knowledge about how cars work isn't going to help much with computer security. In fact, even a panel of computer security experts isn't going to help any: how are they going to evaluate the system, unless they can find a bunch of serious hackers (like the guys who hacked into the Jeep and drove it remotely)? Most of these systems are closed-source and proprietary, so you can't just poke around in there to see if it was written correct

            • Dude, it's really simple. You don't need the source code to see which physical components do which jobs and how they're interconnected.

              Assume that any sufficiently complex component has errors. Can a hacker send crafted data to each component? If he breaches one of them, what does he have access to now?

              What do the claimed features tell you about the system structure? Remote updates to the drive train? That means that after finding the errors a hacker can insert arbitrary data into the drive train.

              Poke at t

    • The reality is as soon as you add apps and a network connection you need a login. As soon as you have a login you have a huge security problem. Imagine some mechanic saving all the login details for cars he has on a system, then hackers break into the poorly secured computer, and before you know it they can now break into a few hundred cars' network interfaces. So unless you have some complex multi-layered security setup, securing a car connected to a public network is pure fantasy. At the end of the day the bes
  • Only hire women and other URMs?

    • by Anonymous Coward

      Obviously. Men are too stupid to do anything the way it should be done. Everything should be connected to everything else because convenience for women is more important than security, privacy, or rights.

  • by phantomfive ( 622387 ) on Monday September 14, 2015 @05:42PM (#50522147) Journal
    Intel should get their own game in gear [youtube.com] before telling other people what to do. It takes special effort to create a system that's exploitable on both Mac and Windows, but Intel has done it.
  • by phantomfive ( 622387 ) on Monday September 14, 2015 @05:44PM (#50522159) Journal
    The real danger here is that manufacturers can use this as an excuse to avoid liability... they can say, "It's not our fault the car got hacked and rammed into the building, we followed industry standards!"

    We don't want them to "follow industry standards," we want them to write secure software.
    • by epyT-R ( 613989 )

      ..or avoid software altogether if they can't/won't write secure code.

      • Auto manufacturers don't need to write secure code.

        There's plenty of companies out there that specialize in writing mission-critical, secure code. Any company that writes avionics code would probably be a good choice. The automakers can outsource the software work to these companies, and concentrate on designing nice cars and operating assembly lines.

  • by Anonymous Coward

    Will this board also include experts from the actual automotive industry or is this yet another bandwagon?
    Everyone from outside the industry seems to treat automotive security like IT security on embedded processors and then reacts surprised when the automotive industry does not even want to talk to them.

    Here's a hint to automotive security researchers who want to be taken seriously:
    Try and learn how the development of a vehicle actually works. It is a complex process with tens of thousands of

    • and isn't double digit millions and development costs nothing to a big OEM like GM or Toyota?

      • by Anonymous Coward

        and isn't double digit millions and development costs nothing to a big OEM like GM or Toyota?

        I guess that is what Intel is hoping

  • by jonwil ( 467024 ) on Monday September 14, 2015 @06:18PM (#50522281)

    The best place to start in making cars more secure is to stop connecting them to the Internet or cellular networks. It makes them vulnerable to remote exploits and increases the cost of the car.

    But now we have some jurisdictions (EU I think is one) mandating cellular connections in new cars so they can support "emergency features" (presumably stuff so when the car is involved in a serious crash, the car can notify emergency services automatically in case the occupants are pinned down or unconscious and can't make an emergency call themselves).

    Get rid of the cellular connections, get rid of all this "infotainment" crap (whoever thought "apps" in a car is a good idea is an idiot). And spend some money on really strong encryption in things like the remote unlock keyfobs and engine immobilisers so hackers can't get in.

    • But now we have some jurisdictions (EU I think is one) mandating cellular connections in new cars so they can support "emergency features"

      Wow, that's a horrible idea. First thing I'm going to do is disable that shit.

      • You mean disable your vehicle?
        Just wait, they'll pass a law. If law enforcement can't remotely interface with your car you are in violation. Since you disabled the security system you must have stolen it and you won't be listened to until after booking when you get to see an actual judge the next day/week.
        You will have no defense except against charges, being jailed was your fault and you won't get your time or job back. Employer already got someone. And you still have to pay for impound, where you will find

      • by Anonymous Coward

        It's perfectly reasonable to have an open source, auditable and removable box in your car that has read-only access to some of the car's data and a network connection for emergency purposes. It's even OK if cars have to come with them, and support them.

        I don't know what they are proposing, but I suspect the problem is in the details (by that I mean things obvious to anyone who cares about any security or privacy issues), not in the actual concept. This isn't a case of features are bad, or usability vs privacy

    • The best place to start in making cars more secure is to stop connecting them to the Internet or cellular networks.

      Never going to happen. Seriously. Waste of time to even discuss it. If you want to discuss best practices for it then you might have a worthwhile discussion. But the internet is going to be a part of our driving experience whether we like it or not.

      Get rid of the cellular connections, get rid of all this "infotainment" crap (whoever thought "apps" in a car is a good idea is an idiot).

      Wasting your breath and frankly a lot of smart people disagree with you. If customers want it then it will happen. If they don't then it will go away. The fact that you don't find such things valuable is irrelevant.

      And spend some money on really strong encryption in things like the remote unlock keyfobs and engine immobilisers so hackers can't get in.

      Encryption isn't some magic pixie dust t

    • A simple "emergency beacon" is a reasonable requirement. Having that same cellular radio be able to provide user input to critical vehicle systems? Bad idea. Nobody wants to think they'll be the driver who runs off the edge of the road into a ravine in the middle of the night with no one around. But if it happened to be me, I'd be glad of the automatic emergency beacon.
    • You sound like a luddite.

      The best place to start in making cars more secure is to stop connecting them to the Internet or cellular networks. It makes them vulnerable to remote exploits and increases the cost of the car.

      It also increases safety by allowing drivers to talk on the phone hands-free using a built-in Bluetooth system. On my car, I press a button on the steering wheel, speak "call John Smith", it finds someone with that name in my phone's contacts, and calls him, all without my hands leaving the

      • by Toshito ( 452851 )

        But now we have some jurisdictions (EU I think is one) mandating cellular connections in new cars so they can support "emergency features" (presumably stuff so when the car is involved in a serious crash, the car can notify emergency services automatically in case the occupants are pinned down or unconscious and can't make an emergency call themselves)

        Again, what's the problem with that? Would you rather just sit there and die because you're unable to reach your phone and you're in the middle of nowhere? Honestly, this is probably a bigger issue here in the US where we have a lot more very rural and remote roads where there might not be any passersby for a while, or worse you go into a ravine or something and no one can see you.

        So you don't care being tracked whenever you go just so it could maybe someday save your life?

        Whatever happened to "Live Free or Die"?

      • by Toshito ( 452851 )

        Secondly, these systems give us navigation, which saves a lot of time and gas and improves safety a lot (since you aren't driving in circles looking for something that's not easily found on a map). Of course, you can add this stuff in with your phone and a mobile mount, but that's clumsy and not as well integrated.

        The fact that it's fully integrated with everything else in the car IS the major problem with those gadgets.

        What can you do with a 10-year-old car where the manufacturer doesn't offer updates anymore for the navigation system? You do like most people who had this problem, you go buy yourself a cheap 100$ GPS and stick it on the dash, ignoring the onboard navigation. Out of date maps are worse than no map at all.

        These things should be modular, like car radios were before. Industry should define a standard

        • Maybe it would stir up a little competition and we could have better systems and interfaces (I have the Dodge uconnect 4.3, and boy is this interface fucked up and hard to use. 4 clicks on a touch screen to send heat to the feet instead of the face? Who thought of that????)

          Why'd you buy it then? My new Mazda3 is loaded with tech features and an infotainment system, and it still has a fully separate HVAC system (albeit a dual-zone automatic one), so changing that setting is a simple dedicated button. Inte

          • by Toshito ( 452851 )

            Why'd you buy it then?

            Because it's literally the only 7 passenger vehicle we could buy... that was not a minivan.

            You see, fitting our 6 kids in a comfortable yet affordable vehicle was a more important factor than the shitty interface of the HVAC.

            I know standards cannot predict the future and that's why we were stuck with those tiny buttons. Maybe my solution is not the best, but I cannot fathom how those shitty interfaces could be approved and put into production.

  • Step one: No connection between the EMU (Engine Management Unit) and the entertainment system or the outside world.
    Step two: There is no step two.

    • by stooo ( 2202012 )

      hmm.
      What do you do about the braking system? airbags? speed regulator? etc etc etc...
      There is useful communication between these systems and "insecure" systems like infotainment.
      You can't just cut that communication. It needs a redesign of the whole network HW architecture first (with each little change costing millions on one platform)

      • by gnupun ( 752725 )

        What do you do about the braking system? airbags? speed regulator? etc etc etc...

        These systems may be connected to the engine system as needed, however, none of them should be connected to the entertainment system or the internet.

        Do you need the internet to run a car? No, so stop adding useless tracking/spying computers to everything.
