This week prior to TU-Automotive Detroit there is automotive cybersecurity news including research, reprots and new collaboration. We do expect more announcements this week coming from TU-Automotive’s Cybersecurity conference. We are also pleased to announce that we have made progress on automotivecybersecurity.net and expect to launch the media outlet in the coming weeks.
Cybersecurity Authentication and Framework Proposed by Researchers
A new study by Maanak Gupta, doctoral candidate at The University of Texas at San Antonio, and Ravi Sandhu, Lutcher Brown Endowed Professor of computer science and founding executive director of the UTSA Institute for Cyber Security (ICS), examines the cybersecurity risks for new generations of smart which includes both autonomous and internet connected cars.
The researchers caution that as soon as cars are exposed to internet supported functionality, they are also open to the same cybersecurity threats that loom over other electronic devices, such as computers and cell phones. For this reason, Gupta and Sandhu created an authorization framework for connected cars which provides a conceptual overview of various access control decision and enforcement points needed for dynamic and short-lived interaction in smart cars ecosystem.
“There are vulnerabilities in every machine,” said Gupta. “We’re working to make sure someone doesn’t take advantage of those vulnerabilities and turn them into threats. The questions of ‘who do I trust?’ and ‘how do I trust?’ are still to be answered in smart cars.”
Gupta and Sandhu framework discussed an access control oriented architecture for connected cars and proposed authorization framework, which is a key to determine what and where vulnerabilities can be exploited. They further discuss several approaches to mitigate cyber threats in this ecosystem.
Using this framework, the team at ICS is trying to create and use security authorization policies in different access control decision points to prevent cyber attacks and unauthorized access to sensors and data in smart cars.
“There are infinite opportunities in this new IoT domain but at the same time cyber threats will have serious implications in smart cars. Can you imagine if someone controls your car steering remotely, or shuts down the engine in the middle of the road?” Gupta said. “There should not be absolutely any open end to orchestrate attacks on these cars.”
According to Gupta, the authorization framework can also be applied to driverless cars, noting that these vehicles may be even more vulnerable to cyber threats.
“If we’re going to open the world to cars driven by machines, we must be absolutely certain that they aren’t able to be compromised by a malicious attack,” he said. “That it what this framework is for.”
Black Duck Automotive Cybersecurity Suggestions
Black Duck’s cybersecurity report, notes that h Black Duck On-Demand audits revealed open source components in 23% of Automotive applications, it is prudent to consider the risks associated with inadequate application security risk management practices and the threat of malicious activity by hackers – not to mention the potential legal and intellectual property risks consequent to open source license non-compliance.
Black Duck’s report provides insight for automakers, suppliers, and members of the Automotive software supply chain.
The report notes “Open source is neither more nor less secure than custom code. However, there
are certain characteristics of open source that make vulnerabilities in popular components very attractive targets for hackers. Open source is widely used in virtually all forms of commercial and internal applications. For hackers, the return on investment for an open source vulnerability is high. A single exploit can be used
to compromise hundreds of thousands of applications and websites. Open source enters in-vehicle applications through a variety of paths. Automobile manufacturers rely on a wide range of component and application suppliers, who build solutions. with open source components and extend open source platforms like GENIVI.”
The Report Suggests:
- Fully inventory open source software.
- Map open source to known security vulnerabilities. .
- Identify license and quality risks.
- Enforce open source risk policies
- Alert on new security threats.- organizations need to continuously monitor for new threats.
- To Address Software Vulnerabilities:
- Examine custom source code for vulnerabilities during development.
- Test compiled applications for common runtime vulnerabilities.
- Ensure that open source use is not introducing security vulnerabilities during development, and monitor fornewly reported vulnerabilities.
Kudelski & u blox Team Working on IoT Security
The Kudelski Group (SIX:KUD.S), the world leader in digital security, and u blox (SIX:UBXN), a global leader in positioning and wireless communication technologies for the automotive, industrial and consumer markets, announced the signing of an MOU to bring premium-grade security to IoT devices.
Kudelski and u blox agreed to collaborate toward integrating the Kudelski IoT Security Suite into multiple u-blox product lines, thereby providing field-proven security technologies to empower businesses to sustainably secure their digital transformation, and optional services enabling further business growth.
Integration of Kudelski technology into u blox modules will enable premium device protection and security lifecycle management including secure firmware over the air upgrades (FOTA), but also secure communications and application data protection.
The Kudelski IoT Security Suite is a comprehensive set of solutions and services based on 30 years of Kudelski Group innovation in protecting digital TV content on more than 400 million devices, as well as its strong expertise in cybersecurity. It makes IoT security easy to embrace by providing secure control and protection of the key resources of any IoT solution: data, network, device, features, communications and applications. By leveraging state-of-the-art security hardware designed by Swiss engineers and its unique heritage in both pay TV and cybersecurity, Kudelski Group is uniquely positioned to provide companies with design, implementation and long-term security lifecycle management of their connected business models across a variety of industries.
Swiss born 20 years ago, u-blox is now a global company well on the way to becoming the leading industry quality supplier of communications and positioning components and solutions for the Internet of Things. As the IoT takes hold across the automotive, industrial and customer markets, the importance of dependable connectivity and location awareness is at an all time high – and continuing to grow. u-blox’s comprehensive portfolio of high quality chips and modules therefore help contributing to a more secure and sustainable connected world.
Put TU-Automotive On Your Security Radar
This week TU-Automotive will be offering Automotive Cybersecurity-with a vast list of cybersecurity experts and discussions. Starting off the conference is an awards dinner with some nominees that have been nominated or won AUTO Connected Car News Tech CARS Awards. Please check our TU-Automotive round-ups for automotive cybersecurity news and updates.
There is still time to register for TU-Automotive Detroit, use the code AUTOCC100 when you register for $100 off. Speakers include strategists, experts, researchers, from MIT, AUTO-ISAC, Visteon, Toyota, Continental, Uber, CVTA, HARMAN and McDermott Will and Emery LLP.
We suspect that many of the top automotive cybersecurity companies are holding off there announcements for the event.
You are welcome to subscribe to receive email notification of publication of Connected Car News Cybersecurity, you can also get weekly news summaries or daily emails.