Is your car secure? Maybe not, but enterprise users can still learn something

In some cases, the automotive industry can serve as an example on how not to do security

If you're looking for a good lesson in enterprise security, there might be a few sitting in the parking lot. The automotive field is a glaring example of "worst practices" in security, say several automotive experts. And, the problem is only getting worse, not better.

Over the past few years, the cars have come under fire for many things -- constant recalls, safety hazards, and diesel-engine tricks to name a few-- but security experts have noticed a disturbing trend.

While it might be hard to break into a BMW unless you have a rock handy, there hasn't been as much effort in protecting wireless signals, establishing standards, creating new regulations and laws, and patching much more aggressively.

Experts tell CSO that the automotive field needs to address some of these issues, especially as cars become more high-tech and start connecting to the infrastructure around us, road signs, and to each other. It also shows how security has to keep pace with innovation.

[ ALSO ON CSO: Once your car's connected to the Internet, who guards your privacy? ]

Most importantly, those who work in enterprise security should start paying attention to see how the problem is resolved, because changes will be coming soon.

The problem is getting worse

It's easy to see how far car technology has advanced. Google has been able to let a car drive on its own in traffic. In Michigan, there's a test underway where cars can communicate with each other. Tesla has built a massive electric car charging infrastructure.

Yet, as Dave Sullivan with the automotive analyst firm AutoPacific points out, there are constant signs of trouble. Nissan made an app for their Leaf electric car but then found it was easily hackable and promptly removed it. "This is a whole new world for automakers," says Sullivan.

"They are venturing into an area that is still very new and very fresh with the inability to update security vulnerabilities quickly. This can easily be patched on say a smartphone."

Dave Sullivan, automotive analyst, AutoPacific

Instead of aggressive patch schedules, automakers tend to test longer and adhere to rigid safety standards, but don't follow the smartphone model. Sullivan says this needs to change, that automakers should be paying ethical hackers a bounty to try and break the wireless security in a car and then issue patches. This is far less expensive, he says, than a recall.

Diogo Mónica, a security researcher and chair of the Institute of Electrical and Electronics Engineers Public Visibility Committee, told CSO there's hasn't been much progress.

He says car companies are too cavalier about penetration testing. He agreed with Sullivan that this leads to massive recalls because, given the patch cycles for cars, it's often too late when they add a new app or some communication feature in the car and a vulnerability is found.

Enterprise security lessons

You may have noticed already there are many lessons to learn.

Ironically - given their brilliant automotive innovations - one example of good security for phones is Google. Sullivan noted how Google aggressively patches the Nexus line. With Chrome OS and the Chrome browser, the Internet giant puts automakers to shame as well. Google updates its software in the background and patches constantly, but the end-user barely notices. Your typical Ford or Buick has nowhere near that level of sophistication for security.

Another lesson is related to openness. Mónica noted how the automakers do not report on vulnerabilities as thoroughly and tend to hide behind a curtain, which creates a vicious cycle -- ethical hackers do not get any credit if they find a problem so they lose all incentive to help.

"They rely too much on security-through-obscurity," says Mónica.

"They rely on the fact that it is hard to inspect what software is actually running inside of the car to provide security. This has been proven to be the wrong way to do security, and cars are the perfect example of it."

For the enterprise, it's much better to come clean about vulnerabilities when they occur and tap the security community for help, then to be more aggressive about including security experts in penetration testing rather than trying to obscure the process for them.

Mónica has another good example of what's broken. Researchers have been able to consistently break into the key fob used for unlocking cars. Automakers tend to make their own software for this and reinvent the protocols, but Mónica said they do a poor job. If it was a more open process, one that tapped existing expertise, the security would improve. For enterprise managers, this is a lesson in collaboration and involving outside experts.

What should be done

Inaction is not a good approach in this case. Monique Lance, a spokesperson for Argus Cyber Security, a company that works in the connected car field, says best practices in cybersecurity need to be injected into every stage of the manufacturing process, not as an afterthought.

[ MORE: Will your next car steal itself? ]

Lance says there is very little regulation when it comes to car security, although that is changing--slowly. The Spy Car Act of 2015 calls for new federal standards for car security. In Michigan, there's a Life Imprisonment Bill that would lock up car hackers for life. The SEA-issued J3601 guideline injects security practices into the manufacturing process.

The most important lesson? Do something. With security, letting a sleeping giant stay dormant and looking the other way is never a good approach.

Andy Gryc, a spokesperson for the auto industry and for what is now known as AutoMobility LA (instead of the LA Auto Show), told CSO that steps are being taken. For example, car makers are starting to phase out the older bus architecture (known as the Controller Area Network or CAN) used in cars in favor of a more secure architecture called E-AVB (Ethernet Audio Video Bridging Solution). "Techniques like white-box encryption or code obfuscation are just starting to get traction, and have mostly been absent from vehicle software designs," he added.

Sadly, Gryc said these changes take time to implement. There isn't enough momentum in an industry that is all about horsepower and automated driving. In enterprise security, there are some clear lessons, even if the automotive field hasn't learned any of them.

Show Comments