Automakers again at odds with cyber-security researchers

OEMs Raise Concerns About Independent Researchers With Congress

Arguments over whether cyber-security researchers should have the right to experiment on cars may not end when the US Copyright Office issues a key ruling expected later this month.

A proposed exemption in copyright law would permit third-party researchers to continue tinkering with vehicle software. Automakers oppose that exemption request. But if federal officials grant it, manufacturers could take their opposition to Congress.

That strategy was made clear in a letter the Auto Alliance, the industry's leading trade group, recently sent to members of a US House of Representatives subcommittee, which is investigating the manufacturers' ability to fend off cyber attacks on increasingly connected vehicles. Among their chief concerns, the OEMs cited these independent researchers.

"Automakers are facing pressure from the organized efforts of technology pirates and anti-copyright groups to allow the circumvention of protected onboard networks, and to provide hackers with the right to attack vehicles carte blanche under the auspices of research," reads a summary of the letter provided to Autoblog.

The Auto Alliance sent the letter earlier this month in response to questions from the Energy and Commerce committee, which is investigating the industry's readiness to fend off cyber attackers. Language in the letter echoes the same arguments industry lawyers made in May, when the Copyright Office held hearings on the proposed copyright exemptions in Los Angeles.

Industry leaders are hoping to show Congress that their internal efforts and partnerships with sanctioned third-party researchers are sufficient to thwart vehicular data theft and other cyber crimes. Along those lines, automotive leaders announced Tuesday that a partnership between automakers that will share and evaluate security threats is expected to begin operations later this year.

Previously, they had announced the creation of the Information Sharing and Analysis Center, but not the timetable for kicking off the partnership. They added new details on the scope of the center's responsibilities, saying that although OEMs aren't obligated to report cyber concerns to the group, they hope it will serve as a central hub of automotive intelligence gathering.

During Tuesday's ISAC announcement, Paul Scullion, safety manager with the Association of Global Automakers, said that partners in the ISAC believe in "responsible disclosure," that is, not publicly divulging the details of their security testing. The industry prefers to work with third parties willing to adhere to that policy, such as Battelle, which kicks off its fourth annual cyber-security challenge this week in collaboration with industry leaders. "Protecting this confidential information is necessary," the Auto Alliance wrote to Congress. "Publicizing these details would be like publishing a hacking instruction manual for bad actors."


But the ability to publish their findings is key for independent researchers not favored by the industry. They say having the ability to access vehicle software and the right to publish detailed conclusions are essential in pointing out the industry's blind spots and ensuring that security holes get fixed.

Indeed, in the past, their findings have spurred slow-to-adapt automakers to take cyber concerns in vehicles more seriously. Two landmark studies conducted by University of California San Diego and University of Washington researchers in 2010 and 2011 were the first to show critical vehicle functions could be commandeered. In 2013, researchers Charlie Miller and Chris Valasek demonstrated how brakes, throttle inputs and steering could be further exploited.

Miller testified before the Copyright Office panel in May about the necessity of preserving researchers' rights to access vehicle software. Without that right, he said, researchers would either operate in a fraught legal environment or choose not to conduct research at all – which ultimately could leave motorists more exposed to vulnerabilities.

"I don't expect automakers to produce perfect cars," Miller told the panel. "I want as many researchers as possible looking at this code. I want to trust the safety of this vehicle."

Trust is also a key component in the relationship between ISAC partners. Given that the companies involved are otherwise competitors, there must "be a tight level of trust within the participants," said Robert Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers. Amid the broader efforts to stop car hackers, perhaps the one thing independent researchers and automakers might all agree on is that determining who to trust is a decision that remains in the eye of the beholder.
