Monthly Archives: February 2019

Securing the modern vehicle: a study of automotive industry cybersecurity practices

Larry Ponemon

Today’s vehicle is a connected, mobile computer, which has introduced an issue the automotive industry has little experience dealing with: cybersecurity risk. Automotive manufacturers have become as much software as transportation companies, facing all the challenges inherent to software security.

Synopsys and SAE International partnered to commission this independent survey of the current cybersecurity practices in the automotive industry to fill a gap that has existed far too long—the lack of data needed to understand the automotive industry’s cybersecurity posture and its capability to address software security risks inherent in connected, software-enabled vehicles. Ponemon Institute was selected to conduct the study. Researchers surveyed 593 professionals responsible for contributing to or assessing the security of automotive components.

Software Security Is Not Keeping Pace with Technology in the Auto Industry

When automotive safety is a function of software, the issue of software security becomes paramount—particularly when it comes to new areas such as connected vehicles and autonomous vehicles. Yet, as this report demonstrates, both automobile OEMs and their suppliers are struggling to secure the technologies used in their products. Eighty-four percent of the respondents to our survey have concerns that cybersecurity practices are not keeping pace with the ever-evolving security landscape.

Automotive companies are still building up needed cybersecurity skills and resources. The security professionals surveyed for our report indicated that the typical automotive organization has only nine full-time employees in its product cybersecurity management program. Thirty percent of respondents said their organizations do not have an established product cybersecurity program or team. Sixty-three percent of respondents stated that they test less than half of hardware, software, and other technologies for vulnerabilities. Pressure to meet product deadlines, accidental coding errors, lack of education on secure coding practices, and vulnerability testing occurring too late in production are some of the most common factors that render software vulnerabilities. Our report illustrates the need for more focus on cybersecurity; secure coding training; automated tools to find defects and security vulnerabilities in source code; and software composition analysis tools to identify third-party components that may have been introduced by suppliers.

Software in the Automotive Supply Chain Presents a Major Risk

While most automotive manufacturers still produce some original equipment, their true strength is in research and development, designing and marketing vehicles, managing the parts supply chain, and assembling the final product. OEMs rely on hundreds of independent vendors to supply hardware and software components to deliver the latest in vehicle technology and design. Seventy-three percent of respondents surveyed in our report say they are very concerned about the cybersecurity posture of automotive technologies supplied by third parties. However, only 44 percent of respondents say their organizations impose cybersecurity requirements for products provided by upstream suppliers.

Connected Vehicles Offer Unique Security Issues

Automakers and their suppliers also need to consider what the connected vehicle means for consumer privacy and security. As more connected vehicles hit the roads, software vulnerabilities are becoming accessible to malicious hackers using cellular networks, Wi-Fi, and physical connections to exploit them. Failure to address these risks might be a costly mistake, including the impact they may have on consumer confidence, personal privacy, and brand reputation. Respondents to our survey viewed the technologies with the greatest risk to be RF technologies (such as Wi-Fi and Bluetooth), telematics, and self-driving (autonomous) vehicles. This suggests non-critical systems and connectivity are low-hanging fruit for attacks and should be the main focus of cybersecurity efforts.

As will be clear in the following paragraphs, survey respondents in a myriad of sectors of the industry show a significant awareness of the cybersecurity problem and have a strong desire to make improvements. Of concern is the 69 percent of respondents who do not feel empowered to raise their concerns up their corporate ladder, but efforts such as this report may help to bring the needed visibility of the problem to the executive and boardroom level. Just as lean manufacturing and ISO 9000 practices both brought greater quality to the automotive industry, a rigorous approach to cybersecurity is vital to achieve the full range of benefits of new automotive technologies while preserving quality, safety, and rapid time to market.

Sixty-two percent of those surveyed say a malicious or proof-of-concept attack against automotive technologies is likely or very likely in the next 12 months, but 69 percent reveal that they do not feel empowered to raise their concerns up their chain of command. More than half (52 percent) of respondents are aware of potential harm to drivers of vehicles because of insecure automotive technologies, whether developed by third parties or by their organizations. However, only 31 percent say they feel empowered to raise security concerns within their organizations.

Thirty percent of respondents overall say their organizations do not have an established product cybersecurity program or team. Only 10 percent say their organizations have a centralized product cybersecurity team that guides and supports multiple product development teams.

When these data are broken down by OEM or supplier, 41 percent of respondents in suppliers do not have an established product cybersecurity program or team of any kind. In contrast, only 18 percent of OEMs do not have a product security program or team.

A significant percentage of suppliers are overlooking a well-established best practice: to employ a team of experts to conduct security testing throughout the product development process, from the design phase through decommissioning.

The majority of the industry respondents believe they do not have appropriate levels of resources to combat the cybersecurity threats in the automotive space. On average, companies have only nine full-time employees in their product cybersecurity management programs. Sixty-two percent of respondents say their organizations do not have the necessary cybersecurity skills. More than half (51 percent) say they do not have enough budget and human capital to address cybersecurity risks.

Vehicles are now essentially a mobile IT enterprise that includes control systems, rich data, infotainment, and wireless mesh communications through multiple protocols. That connectivity can extend to the driver’s personal electronic devices, to other vehicles and infrastructure, and through the Internet to OEM and aftermarket applications, making them targets for cyberattacks. Unauthorized remote access to the vehicle network and the potential for attackers to pivot to safety-critical systems puts at risk not just drivers’ personal information but their physical safety as well.

Automotive engineers, product developers, and IT professionals highlighted several major security concern areas as well as security controls they use to mitigate risks.

Technologies viewed as causing the greatest risk are RF technologies, telematics, and self-driving vehicles. Of the technological advances making their way into vehicles, these three are seen to pose the greatest cybersecurity risks. Organizations should be allocating a larger portion of their resources to reducing the risk in these technologies.

Respondents say that pressure to meet product deadlines (71 percent), lack of understanding/training on secure coding practices (60 percent), and accidental coding errors (55 percent) are the most common factors that lead to vulnerabilities in their technologies. Engaging in secure coding training for key staff will target two of the main causes of software vulnerabilities in vehicles.

Download the rest of this report from the Synopsys website (PDF).

Target used location-based data to change prices on consumer app


Bob Sullivan

Ever see a price for an item online, then look again and see a different price, and think you were going crazy? Probably not. You were probably encountering some form of dynamic pricing, which retailers have quietly dabbled in for many years. Quietly, because every time consumers find out about it, there’s an uproar and they have to back off – as Target did this week, when a Minnesota TV station exposed the store for charging very different prices on its app and in its physical stores. A shopper who claimed to have paid $99 for a razor in-store, then spotted the same thing online for $69, had tipped them off.

The station reproduced this pattern, with some striking results:

“For instance, Target’s app price for a particular Samsung 55-inch Smart TV was $499.99, but when we pulled into the parking lot of the Minnetonka store that price suddenly increased to $599.99 on the app,” the station said. (Give ’em a click, read the whole report).

KARE shopped for more items, and found an even more intriguing pattern: Basically, the closer shoppers were to the store, the more the item cost. If you are near the store, you don’t need a price enticement, the logic goes. It also means Target is following you around, virtually, and knows where you are. And it’s looking over your shoulder to decide what price you deserve on an item. Spooky.

Target has changed its policies, according to KARE, in response to the story.

The firm sent me a full statement, included at the bottom of this story. It reads, in part, “We’ve made a number of changes within our app to make it easier to understand pricing and our price match policy.” In essence, the firm has added language to its app that makes clear a price is valid in a store, or online — see the screenshot below, provided by Target.

I saw something vaguely similar recently when I priced rental cars for a trip to Seattle. When I was logged in using my “discount code” and membership, I got higher prices than when I shopped as an anonymous user.

There’s nothing illegal about dynamic pricing, probably, even though it might seem unsavory, or downright deceptive. It’s definitely a Gotcha. Why? Because the rules of this game are not transparent to you. And it takes advantage of people who might be too busy or distracted to play the “open another browser on another computer just to check” game when they are buying things.

But I’m here to tell you: This is the only way to buy things in the 21st Century. Shopping around used to mean driving around and getting different prices from different stores. Today, it means clicking around to make sure you aren’t being followed when you buy things. Every. Single. Time. Never make a hotel reservation without shopping both at an aggregator like Expedia and direct from the hotel. If you have time, call the hotel, too, and ask about the online price. When you are in a store, always pull out your smartphone and do a quick price comparison — not just at THAT retailer, but at Amazon, and at other shops. And now you know, it’s best to price the item *before* you get to the store, just in case you are being followed.

Christopher Elliot, travel deal expert at Elliot.org — a site you should be reading — makes the point that software can help keep you from being followed by companies and dynamic pricing.

“You definitely have to log in and out and search for prices,” Elliot says. “Also, consider using your browser’s incognito mode. Companies are trying to track you and may change prices based on who you are, or who they think you are.”

You don’t always have to buy where the price is lowest; in fact, I’m against chasing every last dollar as a shopper. It’s ok to pay a little more if you want to support local businesses, and often, people waste money and gas trying to save every last penny. That’s not the point here. You just want to make sure you aren’t getting ripped off. It’s a pain, I know. Sorry. That’s Gotchaland. And until some regulator forbids the practice, you have to live with it.

— STATEMENT FROM TARGET —

Image provided by Target. Note the phrases near the price indicating where it’s valid — in a store, or online.

“We appreciate the feedback we recently received on our approach to pricing within the Target app.

“The app is designed to help guests plan, shop and save whether they are shopping in store or on the go. We are constantly making updates and enhancements to offer the best experience for guests shopping at Target.

“We’ve made a number of changes within our app to make it easier to understand pricing and our price match policy. Each product will now include a tag that indicates if the price is valid in store or at Target.com. In addition, every page that features a product and price will also directly link to our price match policy.

“We’re committed to providing value to our guests and that includes being priced competitively online and in our stores, and as a result, pricing and promotions may vary. Target’s price match policy allows guests to match the price of any item they see at Target or from a competitor, assuring they can always get the lowest price on any item.”

Guests will receive the latest version of the app in the next few days.