OCCEAC Risk Partners: Automotive

Greetings!

Prepared by the CyberWire (Tuesday, September 20, 2016) — A firmware flaw in the air bag sensing and diagnostic module has led General Motors to issue recall notices for some four hundred million vehicles. The recall affects twenty GM marques over the 2014 to 2017 model years. In a September 8 notice, the US National Highway Traffic Safety Administration (NHTSA) described the flaw: "certain driving conditions may cause the air bag sensing and diagnostic module (SDM) software to activate a diagnostic test. During this test, deployment of the frontal air bags and the seat belt pretensioners would not occur in the event of a crash." It also prescribed the remedy: dealers will reflash the SDM software. Infosecurity Magazine reports that the flaw has been linked to at least one death.

Some security analysts claim that vehicle software safety would be better served were the controller area network (CAN) bus and other onboard systems engineered to accept over-the-air updates and patches as opposed to requiring a trip to the dealer for fixes.

Vulnerability researchers at Black Hat USA demonstrated forty-seven exploits in twenty-three Internet-of-things devices. Black Hat Europe is expected to see another IoT proof-of-concept exploit: an "undetectable" rootkit affecting programmable logic controllers.

These vulnerabilities have drawn renewed attention to the challenge of securing the supply chain as manufacturers increasingly rely on just-in-time logistics in a globalized network of suppliers.

On September 14, 2016, Volkswagen announced the formation of a joint venture with Israeli researchers to "develop advanced cyber security solutions for next-generation connected cars and mobile services." The new company, Cymotive, will operate from both Herzliya, Israel, and Wolfsburg. No details on Cymotive's governance, ownership, or specific technical goals were initially forthcoming.

The US Department of Transportation announced its first policy for autonomous vehicle safety.

On September 9, 2016, former Volkswagen engineer James Robert Liang pleaded guilty to conspiracy in Volkswagen's diesel emissions scandal. His plea was entered in a Detroit court. Liang, who worked in Wolfsburg on diesel development from 1983 to 2008, is the first person to agree to a plea bargain in any of the several actions pending against Volkswagen and its personnel.

Not an automotive case, but one that will bear watching, is St. Jude Medical's suit against Muddy Waters Capital and vulnerability research firm MedSec. St. Jude alleges these organizations and collaborators combined to issue misleading reports of flaws in medical devices in order to short St. Jude stock. The case will have implications for both stock trading and vulnerability disclosure practices.


Selected Reading

Cyber Attacks, Emerging Threats, and New Vulnerabilities (4)

Security Patches, Mitigations, and Software Updates (2)

Cyber Trends (4)

Marketplace (4)

Technologies, Techniques, and Standards (3)

Legislation, Policy, and Regulation (2)

Litigation, Investigation, and Law Enforcement (5)

Cyber Attacks, Emerging Threats, and New Vulnerabilities

GM Recalls Millions of Cars After Critical Bug Found (Infosecurity Magazine) General Motors has been forced to recall over four million cars following a software defect linked to at least one death…

PLCs Possessed: Researchers Create 'Undetectable' Rootkit (Dark Reading) New attack to be revealed at Black Hat Europe conference silently overtakes industrial network processes…

Hackers found 47 new vulnerabilities in 23 IoT devices at DEF CON (CSO) The results from this year's IoT hacking contest are in and it's not a pretty picture…

Shocking! USB Killer Uses Electrical Charge to Fry Vulnerable Devices (Bleeping Computer) A commercial device known as USB Killer 2.0 allegedly has the ability to fry a number of electrical devices by sending an electrical charge to a public-facing USB port…

Security Patches, Mitigations, and Software Updates

Tesla Fixes Software Bug That Exposed Hacking Vulnerabilities (IndustryWeek) Unlike most automakers, Tesla, based in Palo Alto, California, can push out security fixes "over the air" and directly into its cars' computer systems…

With unhackable impractical, Tesla touts quick fix from Chinese infiltration (Automotive World) The latest white hat hack on Tesla allowed remote access to various systems, but the OEM believes the important thing is how quickly it issued a remedy…

Cyber Trends

Government, carmakers more worried than ever about vehicle cyber attacks (Computerworld) Automakers and legislators appear to be coming together on the need for greater cybersecurity for vehicles that are increasingly connected to the internet and controlled by ever-more sophisticated computer systems and software…

IoT and your digital supply chain (CSO) “Money, it's a gas. Grab that cash with both hands and make a stash”, Pink Floyd is always near and dear to my heart. No doubt the theme song to a lot of producers of devices that fall into the category of Internet of Things or IoT…

Securing information in the age of external collaboration (Help Net Security) A new Enterprise Strategy Group (ESG) research study, which was completed by 200 senior IT and security professionals with influence over purchasing decisions, highlights the need for organizations to have the necessary technologies in place to ensure policies travel with sensitive data wherever and however it is shared…

Top trends in security testing and vulnerability management (Help Net Security) Many businesses fail to conduct frequent security testing despite believing that it’s critically important to securing their systems and data. One in five of businesses surveyed admitted they don’t do any security testing, despite the fact that 95 percent of survey respondents reported encountering one of the dozen common security issues associated with security vulnerabilities…

Marketplace

Volkswagen launches new cybersecurity firm to tackle car security (ZDNet) The automaker is partnering with Israeli cybersecurity experts to stay on top of digital threats to its vehicles…

Meet This Year’s Top Ten Automotive Startups (has a cyber company) (Fortune) Winners hit that sweet spot between transportation and technology…

Boards failing to protect customers against cyber attack (Financial Director) Boards are failing to protect their companies and customers against cyber attack, despite more companies taking out cyber insurance, according to new research…

SINET Announces 16 Most Innovative Cybersecurity Technologies of 2016 (SINET) SINET, an organization focused on advancing Cybersecurity innovation through public-private collaboration, announced today the winners of its annual SINET 16 competition. The companies, which were selected from a pool of 82 applicants from nine different countries, including Australia, Canada, Israel, Japan, Norway, Singapore, Sweden and the United Kingdom, represent a range of Cybersecurity solution providers who are identifying cutting-edge technologies to address Cybersecurity threats and vulnerabilities. The selected companies will share their work with buyers, builders, investors and researchers during the SINET Showcase on Nov. 2 – 3, 2016 at the National Press Club in Washington, DC…

Technologies, Techniques, and Standards

Auto-ISAC Seeks to Protect Internet-Enabled Connected Cars (Government Technology) The nonprofit Automotive Information Sharing and Analysis Center has developed a series of auto cybersecurity best practices that cover governance, risk management, security by design and threat detection, to name a few…

NIST Seeks Input on Cybersecurity in a Digital Economy (MeriTalk) Comments close Friday at 5 p.m. on the NIST Commission on Enhancing National Cybersecurity’s request for information (RFI) on how best to address the “current and future states of cybersecurity in a digital economy"…

Harman develops ‘5+1’ cyber-security framework (Just Auto) Harman says that the prospect of cyber attacks on vehicles is becoming an increasingly serious one as vehicle connectivity is being enhanced and it has developed what it claims is an appropriate framework to deal with the threat…

Legislation, Policy, and Regulation

Federal Automated Vehicles Policy (US Department of Transportation) As the digital era increasingly reaches deeper into transportation, our task at the U.S. Department of Transportation is not only to keep pace, but to ensure public safety while establishing a strong foundation such that the rules of the road can be known, understood, and responded to by industry and the public…

Feds: Data Gathering and Sharing Will Be Key to Safe Adoption of Self-Driving Cars (Car and Driver) Self-driving cars are one step closer to being ready for the road, and data will be the fuel that gets them there. The U.S. Department of Transportation unveiled its long-awaited new policy on automated vehicles Tuesday, and the 116-page document provides needed clarity on how it wants manufacturers to proceed with the development and deployment of these machines…

Litigation, Investigation, and Law Enforcement

Volkswagen engineer pleads guilty in emissions scandal [Updated] (Ars Technica) James Liang met with the EPA but did not mention any defeat devices…

Why the Justice Department Is Taking a Closer Look at Connected Devices (Fortune) The Internet-of-things is getting a safety check…

St. Jude Medical, Inc., Plaintiff, vs. Muddy Waters Consulting LLC [etc] Defendants (United States Court for the District of Minnesota) St. Jude Medical, Inc. brings this action for false statements, false advertising, conspiracy and the resultant manipulation of the public markets against defendants (i) Muddy Waters Consulting LLC and Muddy Waters Capital LLC, (ii) MedSec Holdings, Ltd. and MedSec LLC, (iii) Carson C. Block, (iv) Justine Bone and (v) Dr. Hemal M. Nayak (collectively the “Defendants” and each a “Defendant”). Defendants’ wrongful conduct conclusively demonstrates a total disregard for the patients whose lives depend on cardiac rhythm management devices and their conduct is indefensible…

Free Speech vs. Costly Speech (Minnesota Litigator) Imagine intentionally alarming the public with fabricated dangers of a company’s life-saving medical devices in the hope that the company’s share price will fall and you will make massive profits by placing bets on the company’s falling share price…

FDA, DHS Investigating St. Jude Device Vulnerabilities (Threatpost) The U.S. government has entered into the St. Jude-MedSec-Muddy Waters fray with an investigation into claims St. Jude medical devices are vulnerable to cyberattacks…

OCCEAC Risk Partners
Compiled and published by the CyberWire editorial staff. Views and assertions in linked articles are those of the authors, not the CyberWire or OCCEAC Risk Partners.