Global automakers have formed a partnership to bolster the industry’s defenses against cyber attacks. All of the world’s major car companies are participating in an Information Sharing Analysis Center (ISAC) that will act as the industry’s warehouse for information about cybersecurity threats.
The ISAC, which is being facilitated by the Alliance of Automobile Manufacturers (Auto Alliance) and the Association of Global Automakers, will help carmakers share strategies for protecting against cyber threats and responding to them when they occur.
Auto Alliance hopes to have the ISAC operational by the end of the year, and OEM suppliers and telecoms are expected to join as time goes on. The aim is to have a dedicated team of analysts to diagnose and deal with threats.
The announcement of the ISAC’s formation came about a week before two security researchers hacked into the Uconnect dashboard computer of a Jeep Cherokee being driven by a reporter for Wired. The hack took control of the Jeep’s dashboard functions, transmission, steering, and brakes.
News of the Jeep’s hacking quickly garnered the attention of Washington lawmakers and regulators, including the National Highway Traffic Safety Administration (NHTSA).
Individual car companies address cybersecurity in different ways. The industry formed the ISAC to address its lack of a comprehensive approach to protecting against threats. Automakers are also hoping to dissuade US lawmakers from imposing stricter regulations on the industry.
Because connected cars are a young technology and there is little monetary gain associated with hacking into them, experts don’t foresee an epidemic of cyber attacks on the immediate horizon. However, connected cars can collect a vast amount of consumer data, and forming an automotive ISAC helps the industry get in front of the issue before new potential threats emerge.
The finance sector is an obvious target for cyber attacks, and that industry’s ISAC helped mitigate and respond to denial-of-service attacks that crippled bank websites in 2012 and 2013. Over time, bank hacks decreased as the ISAC helped develop countermeasures.
Other industries including the health care sector have also become victims of cyber attacks. Carmakers don’t want to become the next target-rich environment.
However, this month security researchers from the University of California at San Diego pulled off another connected car hack, this time on a 2013 Corvette. The researchers demonstrated an attack that could prove to be even simpler than the Jeep hack.
The hack reportedly uses a dongle connected to the dash of the Corvette. Such dongle devices are commonly used by insurance companies and fleet operators to monitor a vehicle’s speed, location, and efficiency. By sending messages to the dongle plugged into the Corvette’s dash, the researchers claim to have been able to send remote commands to the car’s internal network that controls physical driving components — including the windshield wipers and enabling or disabling the vehicle’s brakes.
The researchers contacted the dongle’s manufacturer, which then sent a wireless patch over the Internet to fix the identified vulnerability. The UC San Diego researchers pointed out that the security vulnerabilities had nothing to do specifically with inadequacies of the Corvette. They could have performed the attack on nearly any modern vehicle using the same methods.
This latest revelation of connected car vulnerability is an unsettling one for drivers and car companies. But such hacks — and the ones that are likely yet to come — should ultimately help the Auto Alliance ISAC better anticipate new threats and vulnerabilities and improve the industry’s overall level of cybersecurity.