The German government made an unprecedented move this week by issuing requirements for all new vehicles’ software to be made accessible to country regulators to ensure that emissions loopholes aren’t exploited. While the government should be congratulated for taking this step, why not use this new requirement to address the much bigger, looming problem: vehicle software insecurity.
As vehicles become increasingly connected, insecure code poses a significant threat to not only the security of the data from cars, but also the physical safety of the driver and others. Earlier this year, researchers from German motoring association, Allgemeiner Deutscher Automobil-Club (ADAC), discovered a vulnerability in the BMW’s Connected Drive system, which allowed the researchers to imitate BMW servers to send remote unlocking instructions to the cars.
At Black Hat USA 2015, researchers demonstrated a full takeover of the physical controls – breaking, acceleration, ignition – for a Jeep Cherokee. While thankfully in these cases the issues were patched and no real-world issues resulted, the cases highlight the potentially disastrous results which could occur if vulnerabilities were to be targeted in a connected car’s electronic performance controls or networked infotainment systems.
Insecure code is an issue plaguing every industry and the automotive sector is not alone. Despite nearly two decades of exploring application security risks, many organisations are not taking the necessary steps to ensure code security. Veracode’s research shows that businesses will leave up to 70 percent of internally developed applications unaudited for common, addressable threats such as SQL injection.
With innumerable threats posed by a compromised connected car, it is essential that all software be extensively assessed and vulnerabilities addressed before any harm can be done. This is not a simple task given the general newness of application security in the automotive industry, however, regulators can look to other mandates for guidance. The financial industry is generally regarded as having fairly robust application security standards that can provide a framework for the automotive industry (look to the Monetary Authority of Singapore’s Technology Risk Management Guidelines and FS-ISAC). At a minimum, automotive code should be assessed to make sure the OWASP Top 10 – an industry benchmark for the most serious software vulnerabilities – are not present.
The German government, in gaining access to manufacturers’ proprietary code, is now in the position to take the responsible step of looking to the greater threats in this industry and ensure all vehicle software meets a minimum security standard.