Earlier this month, the Auto-ISAC (Information Sharing and Analysis Center) Summit took place at The Henry, an aptly named hotel sitting in Dearborn, MI right down the road from Motor City. The Summit is an annual conference that is held to bring together automotive cybersecurity leaders, and proves to be an excellent opportunity for those willing to make the trip. Concerns, ideas for the future, and new technologies are all on display here for the industry experts to examine. The presentations are but a small part of the overall punch the conference packs. These are some of the biggest takeaways from the largest auto cybersecurity conference.
Conferences aren't cheap. Why go?
The conference consisted of a slew of presentations focused on everything from new technological and encryption developments in the space to the importance of training the next generation of workers to take the reigns. Many of those there voiced concerns for automated vehicles and their security threats, and others continued to tout the importance of ISAC's in general. To be honest most of the content within the presentations went well over my head, so I will focus on the big ideas.
Automotive is not the only industry to have an ISAC, in fact many of the critical industries in the United States have one because they have proven to be so useful for spreading the word and knowledge regarding product vulnerabilities and successful breaches/attacks in the cybersecurity field. One gentleman that was there worked for the Healthcare industry ISAC, and they essentially do the same thing but in a different field. Hospitals, not car companies. Seems pretty important right?
Speakers primarily came from the private sector, but there were people who had a different background. Turns out, our government is very concerned about the future of automotive cybersecurity. With the trend towards autonomous and connected cars, the threat from groups in China, Iran, or Russia becomes a reality. Imagine driving whenever all of a sudden your car dies and refuses to restart. This hasn't happened at scale yet (it has happened to individual cars), but in the future it could be possible. If all of the cars talk to this one hub computer, and someone gains access to that controller... game over.
A new method of encryption for in-vehicle data was on display as well, shown to the public for the first time here at this event. It was funny, because the speaker got on stage and said something to the effect of, "yes please listen, because this is for sale." Honesty works! Sandia National Laboratories, a government funded research lab that historically has done nuclear bomb development, had been tasked by the US government to look into making connected cars more secure, as it is such a large national threat.
An agent from the state department (who would not provide her name) said that she was there due in part to the threat of terrorism via an autonomous vehicle. If this were the case, the terrorist group would not even have to send someone to America physically. They could just set someone up over in another country, hook them to the internet, and it's that easy. Imagine an autonomous vehicle with a biological weapon inside.... the CIA, NSA, DoD, and private companies are all working to ensure this won't happen. Interesting food for thought.
Your New Ride is (possibly) Compromised
After the second day of the presentations, the attendees were all invited out for a dinner and sort of social hour downtown. This event was sponsored by a company called BlockHarbor, and they were kind enough to both put on a car show and demonstrate in real time how to hack into a 2022 Ford Mustang Mach E. They had all sorts of equipment hooked up and inside the car sat a man on a laptop with all sorts of stuff I did not understand lighting up the screen.
The interesting thing is that the way they got access was through a fake cell tower. What? Let me explain. They had a rack of what looked like standard computers, but apparently it ran them about 500k dollars and functioned as a commercial grade cell tower. The new cars on sale today connect to the internet via cell service, so the Mustang connected to this one thinking it was safe and had the strongest signal. Wrong. The BlockHarbor reps got access through this connection and were able to look at all sorts of data that the car was collecting and transmitting. However, they could not actually control any of the systems. They could not steer the wheel, or start the battery... yet. They could just look at the data, snooping around but not touching. Hacking cars is a big thing now.
Overall, the conference was incredible, and the motivation of all of the attendees to continue their fight to protect our transportation systems was inspiring. The cybersecurity field is interesting, but I have a feeling the automotive cybersecurity field in particular will soon be one of the best and most important parts of it. GM, Ford, Toyota, and the rest all have their work cut out for them. It'll work out.
“There are no solutions, there are only trade-offs" - economist Thomas Sowell
Feel free to subscribe for more global automotive stories. Share this story with a buddy while you're at it. - JWK