Foley & Lardner LLP



Why the auto industry is the next ‘Big’ target for hackers

April 1, 2015

By Michael R. Overly

Given the exponential rise in security breaches and hacking activity in the past few years, and the almost constant headlines in the press of “yet another major security breach”, information security should be a front-burner issue for every business. While the automotive industry has, for the most part, avoided being a primary target for hackers in the past, having only faced research demonstrating “possible” attacks, that is likely to change in the near future. There are four reasons for that change: Big Data, connectivity, increasing automotive complexity and the interconnectivity of the industry’s key stakeholders.

Vehicle manufacturers, dealerships, and their suppliers and vendors have developed extremely large databases of consumer information, ranging from customer preferences, to financial information, to driving statistics, to location-based data. These huge databases make tempting targets for hackers. They are also drawing the attention of regulators, who are increasingly viewing dealerships as financial institutions in terms of the magnitude of personal consumer information collected in their finance and insurance departments.

When it comes to connectivity, industry studies show that by 2017 more than 60% of new vehicles will be connected in some way to the Internet, making them part of the ‘Internet of Things’. Many vehicles have wireless connections to the Internet via Bluetooth and wireless hot spots through cellular connections. In addition, cars now feature a multitude of applications that can be accessed and controlled by a driver’s smartphone, which, itself, connects to the Internet. These connections may pave the way for a hacker to gain control of a car’s systems and data. This is not fantasy, but fact. Researchers at the DEF CON hacker conference recently presented evidence of how they were able to hack and take control of the electronic smart steering, braking, acceleration, engine, and other functions of several types of vehicles. This follows similar research several years ago conducted by the University of Washington and the University of California-San Diego, where various functions of a car were compromised using Bluetooth, modified CDs, and other techniques.

On the third point, automotive complexity, the volume of programming in a modern car is staggering. Programming is typically measured in ‘lines of code’ (LOCs). For example, a heart pacemaker may have about 80,000 LOCs. The original space shuttle had about 400,000 LOCs. Only a handful of technologies have in excess of 100 million LOCs: the total DNA of a mouse, the code for the ill-fated US website, and the software in the average high-end automobile. A study at Carnegie Mellon University showed that, on average, commercial software contains between 20 and 30 bugs for every thousand lines of code, meaning the software in an automobile could have 1 to 2 million bugs that could be exploited by a hacker.

In addition to the foregoing, the systems used by vehicle manufacturers in the design and manufacture of their vehicles, systems on which maintenance information is stored, systems maintained by dealers and their respective vendors and suppliers, etc. are all vulnerable to attack. This is particularly so in the context of the interconnections between and among those systems and the continuing trend to place many of those systems in the Cloud. The interconnected network of all those systems is only as strong as its weakest link. If one system is compromised, the others may fall. Hackers routinely exploit this exact interconnected nature of complex systems to compromise a weak outlying system and leverage it to gain access to far more heavily secured systems.

Businesses must also take proactive measures to understand and address security issues. In particular, senior management should: ensure they are informed about information security, including security plans and policies; require formation of an information security committee to oversee day-to-day security compliance efforts; require the committee to issue regular reports on threats and mitigation strategies; prioritize security efforts and exercise prudence in allocating resources; inquire about business continuity, disaster recovery, and insurance as each relates to information security; ensure security is addressed with critical suppliers and vendors; and ensure security risks are part of due diligence in acquisitions, key new customers, and business partners.

Just as the retail and oil and natural gas industries have done, the automotive industry is moving to create an Auto ISAC (Information Sharing and Analysis Center) to address information security issues. Involvement in groups of this kind is an important step in mitigating security risks.

Michael R. Overly is a partner in the Information Technology and Outsourcing Group in the Los Angeles office of Foley & Lardner LLP. Foley & Lardner has created a white paper, entitled Taking Control of CyberSecurity: A Practical Guide for Officers and Directors ...