Threat Management, Vulnerability Management

White hat hackers called to poke holes in open source connected car security platform

Connected car researchers are calling all white hats to find the flaws in their open source automotive software updater designed to make vehicles software updates more secure.

The New York University Tandon School of Engineering, University of Michigan Transportation Research Institute and the Southwest Research Institute developed a cybersecurity framework called Uptane, for the automotive industry to protect wireless software updates in connected vehicles.

Many automakers have already implemented Software Over-The-Air (SOTA) update capabilities which allow manufactures to patch software in ECU's without having to take vehicles to drivers having to visit a service depot however, these update mechanisms are vulnerable to malicious updates, malware and even ransomware.

Researchers designed the Uptane platform to better secure this process by separating duties that different computers within the vehicle perform, creating a threshold of signatures that need to be signed before updates go through, creating explicit and implicit revocation of keys in the event of compromise, and by minimizing the impact of frequently used keys in the event of a compromise.

“Although widespread attacks are still difficult and expensive, they lie within the capabilities of nation-state cyber warriors, and it is time to begin securing the infrastructure, particularly as automotive electronics increase,” NYU Assistant Professor Justin Cappos said at a Jan. 13 press event.

The platform is able to work with several existing components that automakers are already using however, Cappos said it may force some manufactures to update certain components which could cost more money but said the costs should be able to scale across the cost of production. 

He said the researchers are offering Uptane for free and as an open source platform because they want the best researchers in the world to scrutinize the design to ensure the safety of everyone

 “We don't feel the security of update should be a competitive thing where one OEM should have more secure updates that another because they spend a little for their design,” Cappos said. “I don't want to see billboards that say ‘we only had 500 people die last year due to flaws in updates where as our competitors had X number, we want to solve the problem for everybody.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.