If you're looking for a good lesson in enterprise security, there might be a few sitting in the parking lot. The automotive field is a glaring example of "worst practices" in security, say several automotive experts. And, the problem is only getting worse, not better.
Over the past few years, the cars have come under fire for many things -- constant recalls, safety hazards, and diesel-engine tricks to name a few-- but security experts have noticed a disturbing trend.
While it might be hard to break into a BMW unless you have a rock handy, there hasn't been as much effort in protecting wireless signals, establishing standards, creating new regulations and laws, and patching much more aggressively.
Experts tell CSO that the automotive field needs to address some of these issues, especially as cars become more high-tech and start connecting to the infrastructure around us, road signs, and to each other. It also shows how security has to keep pace with innovation.
Most importantly, those who work in enterprise security should start paying attention to see how the problem is resolved, because changes will be coming soon.
The problem is getting worse
It's easy to see how far car technology has advanced. Google has been able to let a car drive on its own in traffic. In Michigan, there's a test underway where cars can communicate with each other. Tesla has built a massive electric car charging infrastructure.
Yet, as Dave Sullivan with the automotive analyst firm AutoPacific points out, there are constant signs of trouble. Nissan made an app for their Leaf electric car but then found it was easily hackable and promptly removed it. "This is a whole new world for automakers," says Sullivan.
"They are venturing into an area that is still very new and very fresh with the inability to update security vulnerabilities quickly. This can easily be patched on say a smartphone."
[Automakers] are venturing into an area that is still very new and very fresh with the inability to update security vulnerabilities quickly.
Dave Sullivan, automotive analyst, AutoPacific
Instead of aggressive patch schedules, automakers tend to test longer and adhere to rigid safety standards, but don't follow the smartphone model. Sullivan says this needs to change, that automakers should be paying ethical hackers a bounty to try and break the wireless security in a car and then issue patches. This is far less expensive, he says, than a recall.
Diogo Mónica, a security researcher and chair of the Institute of Electrical and Electronics Engineers Public Visibility Committee, told CSO there's hasn't been much progress.
Sign up for MIS Asia eNewsletters.