Feds Prod Automakers to Play Nice With Hackers

Share this…

THE DEPARTMENT OF Transportation and its automotive safety branch, the National Highway Traffic and Safety Administration, are waking up to the threat of hackable vulnerabilities in Internet-connected cars and trucks. Now they’re nudging the auto giants that make those vehicles to wake up, too—starting with a mandate to listen more closely to the security researchers who expose their products’ hackable flaws.

On Friday the DOT and a list of practically every major automaker, from Chrysler to General Motors to Tesla, released a statement about “proactive safety principles” they will pursue in 2016 to head off the kind of safety and engineering scandals that rocked the auto industry in 2014 and 2015. One portion of that statement commits to a new approach on cybersecurity, including sharing cybersecurity threat data through an auto industry Information Sharing and Analysis Center, pushing automotive supplier firms to join in that info-sharing partnership, and developing a shared set of cybersecurity “best practices.” But perhaps most significantly, the DOT and the 18 automakers say they’ll “develop appropriate means for engaging with cybersecurity researchers as an additional tool for cyber threat identification and remedy.” In other words, to listen more closely to friendly hackers who discover exploitable bugs in their vehicles.

Feds Prod Automakers to Play Nice With Hackers

“We think it’s a fairly significant change in tone: There have been mixed approaches in the industry as to how to interact with independent researchers who find [security] exploits” that affect cars and trucks, said a DOT spokesperson who asked to remain unnamed because he wasn’t authorized to talk about the initiative. “We think committing to the principle of exploring ways to work more closely with them is a really positive first step.”

The new security and safety principles outlined by the DOT and auto industry stem in part from an early December meeting held by Transportation Secretary Anthony Foxx with industry leaders including GM CEO Mary Barra, Fiat-Chrysler chief Sergio Marchionne, and Volkswagen of America head Michael Horne. The meeting was intended to address several years of recalls, mishaps and scandals including GM’s and Chrysler’s ignition switch failures and Volkswagen’s emissions-cheating software. Another topic of the meeting, according to the DOT spokesperson, was the Jeep hack performed by security researchers Charlie Miller and Chris Valasek, which proved that hackers could remotely compromise the transmission and brakes of a 2014 Jeep Cherokee. That revelation shook the auto and security industries and led to Chrysler’s announcement of a 1.4 million vehicle recall just days later.

The hack, which was patched before it could be used for malicious intent thanks to the researchers, may have led other automakers to reconsider their relationships with independent hackers. Earlier this month, GM quietly announced a vulnerability disclosure program that gives security researchers some assurances of not being hit with a lawsuit if they report the results of their hacking research to the auto giant. “If you have information related to security vulnerabilities of General Motors products and services, we want to hear from you,” reads the company’s statement hosted by the security startup HackerOne, a company devoted to helping companies coordinate security vulnerability disclosure with independent researchers. “We value the positive impact of your work and thank you in advance for your contribution.”

Charlie Miller, one of the two hackers who found the Jeep vulnerability, remains skeptical of both the DOT announcement and GM’s vulnerability disclosure program. He notes that GM requires researchers to keep their submissions secret, and yet doesn’t provide any timeframe for how fast the flaws would be fixed. And the company also doesn’t offer a so-called “bug bounty”—the monetary awards some companies (including many tech firms and carmaker Tesla) pay for vulnerability information. As for the carmakers’ new commitment, along with the DOT, to better solicit help from security researchers, he’s similarly dubious. “I hope there will be more interaction between the security community and manufacturers and OEMs,” he says. “I’ll believe it when I see it.”

Within the DOT, the National Highway Traffic and Safety Administration has at least shown signs of a new attention to cybersecurity. When researchers from the University of California at San Diego and the University of Washington revealed a hacking technique that would allow dangerous levels of control over OnStar-enabled GM vehicles, NHTSA allowed GM to take nearly five years to fully patch its flaws. When WIRED published the news of the Jeep hack in July, by contrast, it immediately began pressuring Chrysler to issue a formal recall.

Aside from its commitment to thaw relations between the security community and automakers, the NHTSA’s guidelines promise to come up with a full set of automotive cybersecurity best practices. According to the DOT spokesperson, those will be published “fairly soon”. While he wouldn’t rule out new regulations around cybersecurity or more recalls if more serious cybersecurity flaws are uncovered, he argued that cooperative approach with the industry may be a more effective way to keep up with a shifting security world. “Cybersecurity is a difficult area from a regulatory standpoint, because it moves so quickly,” he said. “Having guiding principles and best practices developed with the industry that everyone buys into…that will lead to action more quickly than through the regulatory process.”