The “Father of Car Hacking” was just announced as the winner of the 2015 ACM-Infosys Foundation Award, but the first step on the path that led here started several years ago.
University of California – San Diego (UCSD) professor Stefan Savage was honored by The Association for Computing Machinery (ACM) and the Infosys Foundation for his research, which included studies into the cybersecurity of connected automobiles that helped raise awareness throughout the industry.
“It’s a huge honor, especially given the tremendous respect I have for past winners of the award,” Savage told SCMagazine.com.
In 2009, Savage began working with some of his students to reverse engineer automobile systems and look for points of entry that cybercriminals could use.
Savage said he and his team found a host of problems including vulnerabilities that hadn’t been seen in computer systems since the 90’s, some of which could enable remote access to a vehicle’s systems.
One of the problems found in earlier models was the use of strcpy, which Savage called an unsafe function that no one should use, along with other soft spots that wouldn’t make it through code review on a personal computer (PC), he said.
Another problem that was uncovered, Savage said, is that many parts are manufactured by third parties, each using its own code. He and his team found problems at the points where these systems met.
In 2010, he presented the findings to the Federal Department of Transportation (DOT) and automotive firms, then worked with these manufacturers to eliminate and mitigate vulnerabilities in millions of automobiles.
Savage noted that one of the biggest problems in the automotive industry is that manufacturers have to prepare for adversaries that haven’t surfaced yet.
Whether it be hacktivists attempting to make a statement by exploiting vulnerabilities or cybercriminals looking to steal driver information, Savage said automakers now have to look inside the mind of an attacker and consider the ways an exploit could be conducted in the near future.
However, while some estimate that connected cars won’t be secure for another one to three years, Savage said the industry is on the right track to put in place better cybersecurity hygiene, adding that the Chrysler-Fiat recall helped accelerate the adoption of features like remote updates to help save cost and improve overall safety.
He said it is important to realize that, just as with PCs, there will most likely always be vulnerabilities to be found and patched in connected automobiles, and what matters is the capability of manufacturers to deal with these issues in a reasonable manner.
“It’s also satisfying to see my community recognize the value of the kind of work we did (i.e., looking at more than just the technical components of the security problem) which was definitely not a mainstream research direction when we started it,” he added.