USA Today: Car Hacking in the News
Mar 14, 2011
Ken Thomas's article “Auto industry guards against hacking” in USA Today offers a misleading summary of the state of security of the computers found in modern automobiles.
The computers that are used in cars are properly referred to as embedded systems. In general, the lack of embedded system security is one of the dirty little secrets of the information security profession.
There are three factors to consider for securing embedded automotive systems:
1) Safety. When considering security for general-purpose computers, e.g., PCs, the goal of information security is protecting confidentiality, integrity, and availability. But the embedded systems in a car may control important driving functions (engine and braking systems) in addition to auxiliary functions (lighting and sound systems). Imagine a car traveling at highway speed on a rainy night. Then imagine any of the following events occurring:
- the engine speeds up, causing the car to accelerate to an unsafe speed;
- the brakes stop working;
- the interior and exterior lights all turn off and won’t turn on;
- the sound system turns on at a high volume and won’t turn off.
Could any of those events cause the driver to lose control of the car, and as a consequence cause an accident that could possibly injure the driver, passengers, or other drivers? These imagined events could potentially occur if the car's embedded systems were compromised.
2) Lack of software updates. General-purpose computers running mainstream operating systems (Windows, Mac OS, Linux) receive frequent software updates. Computer and smartphone users expect security vulnerabilities to be resolved with periodic software updates. But when was the last time an automobile embedded system received a software update to correct a security vulnerability? The answer is “never.” Is this because there are no security vulnerabilities in automotive embedded systems? Or should it be assumed that there are millions of automobiles on the road today with vulnerable embedded systems?
3) New attack vectors. In the past, exploiting automotive embedded systems required physical access. In other words, the attacker needed physical access to an unlocked car to attack the embedded systems. This tied the risk of embedded system attack to the risk associated with physical security, which is fairly well understood (and fairly low). But consider more recent cars that have Bluetooth wireless interfaces or built-in cellular telephones. These vehicles can be attacked by someone outside the car, and in the case of the cellular telephone interface, possibly thousands of miles away.
The threat of new attack vectors combined with vulnerable embedded systems in automobiles creates a serious risk of potential accidents and injuries.
While I’m gratified that, as the article reports, “the industry formed a panel to investigate the issue during the past month and hopes to develop common standards and ways to address hacking within the next year,” this sounds to me like having a committee meet to discuss fire safety in a building that’s already on fire. I think car companies should stop selling cars with Bluetooth or cellular interfaces until they can guarantee the security (and safety) of their products.
—Jim Herbeck