Hacking group wants to play nice with automakers

A group of cars for sale is pictured at a car dealership in Los Angeles, California April 1, 2014.

A group of well-known hackers and security professionals are trying to build better ties with the auto industry in an effort to enlist their help in improving vehicle security, one of the hottest areas of cyber research.
The non-profit group, known as "I am the Cavalry," is asking attendees at this weekend's Def Con hacking conference in Las Vegas to sign an open letter to "Automotive CEOs" to ask them to implement basic guidelines to defend cars from cyber attacks. (bit.ly/1pG7F31)
    "The once distinct worlds of automobiles and cyber security have collided," said the letter. "Now is the time for the automotive industry and the security community to connect and collaborate."
Vehicles rely on tiny computers to manage everything form engines and brakes to navigation, air conditioning and windshield wipers. Security experts say it is only a matter of time before malicious hackers are able to exploit software glitches and other vulnerabilities to try to harm drivers.
The Cavalry group is scheduled to make a presentation at Def Con on Saturday about efforts to improve auto security. They will not disclose any specific problems that might embarrass carmakers, said Josh Corman, a security industry professional who co-founded the group a year ago.
    That sensitivity contrasts with much of the hacking research presented these days at Def Con, which attracts more than 10,000 attendees. For instance, one high-profile paper being released this year reviewed 20 vehicle models to find the three "most hackable" cars.
The Cavalry group has been trying to smooth relations between researchers and industry by promoting responsible disclosure. That means they approach carmakers to discuss bugs before going public, giving them time to fix them.
"The goal is build trust," said Corman, chief technology officer of software firm Sonatype. "In the past, these hacking talks were 'Look at me. Look at what I did.' There wasn't much care for what happens next and how it affects the industries."
Leaders of the Cavalry - which has several hundred active members who also study medical devices, consumer electronics and critical infrastructure - have spent the past year meeting with other security experts, manufacturers, regulators and lawmakers.

On Tuesday, the group talked about hacking cars and medical devices with industry representatives in a private meeting in Las Vegas. They agreed not to publicly discuss those sessions.
Katie Moussouris, a Cavalry leader who is an executive at a startup known as HackerOne, said she encourages hackers to show empathy when approaching companies.

"It is important to show that you are not just trying to show their weakness and make them look stupid, but that you are trying to help," said Moussouris, who until recently ran outreach to security researchers for Microsoft Corp.
Wade Newton, a spokesman for the Auto Alliance, which represents 12 car makers, declined to comment on Cavalry's efforts to reach out to the industry. "Our record shows that we typically welcome the opportunity to work with a broad array of stakeholders when we have a common goal," he said.
The U.S. National Highway Traffic Safety Administration said in a statement that it is not aware of any incidents of consumer vehicle control systems that have been hacked.
Not all researchers believe in Cavalry's conciliatory approach. Charlie Miller, who co-authored the study on "most hackable" cars, said he does not think automakers will take serious action to improve security until they are shamed into doing so by someone who demonstrates code capable of remotely attacking a car and causing it to crash.
"They say they know what they are doing. But all the evidence points to the contrary," said Miller.
Jeff Moss, who founded Def Con 22 years ago and is now an advisor to the U.S. Department of Homeland Security, said there are merits to both approaches.
"Either side has a valid argument," Moss said. "It's almost like a carrot and stick approach."
(Corrects spelling of Cavalry in paragraphs 2 and 5)