He says car companies are too cavalier about penetration testing. He agreed with Sullivan that this leads to massive recalls because, given the patch cycles for cars, it's often too late when they add a new app or some communication feature in the car and a vulnerability is found.
Enterprise security lessons
You may have noticed already there are many lessons to learn.
Ironically - given their brilliant automotive innovations - one example of good security for phones is Google. Sullivan noted how Google aggressively patches the Nexus line. With Chrome OS and the Chrome browser, the Internet giant puts automakers to shame as well. Google updates its software in the background and patches constantly, but the end-user barely notices. Your typical Ford or Buick has nowhere near that level of sophistication for security.
Another lesson is related to openness. Mónica noted how the automakers do not report on vulnerabilities as thoroughly and tend to hide behind a curtain, which creates a vicious cycle -- ethical hackers do not get any credit if they find a problem so they lose all incentive to help.
"They rely too much on security-through-obscurity," says Mónica.
"They rely on the fact that it is hard to inspect what software is actually running inside of the car to provide security. This has been proven to be the wrong way to do security, and cars are the perfect example of it."
For the enterprise, it's much better to come clean about vulnerabilities when they occur and tap the security community for help, then to be more aggressive about including security experts in penetration testing rather than trying to obscure the process for them.
Mónica has another good example of what's broken. Researchers have been able to consistently break into the key fob used for unlocking cars. Automakers tend to make their own software for this and reinvent the protocols, but Mónica said they do a poor job. If it was a more open process, one that tapped existing expertise, the security would improve. For enterprise managers, this is a lesson in collaboration and involving outside experts.
What should be done
Inaction is not a good approach in this case. Monique Lance, a spokesperson for Argus Cyber Security, a company that works in the connected car field, says best practices in cybersecurity need to be injected into every stage of the manufacturing process, not as an afterthought.
Lance says there is very little regulation when it comes to car security, although that is changing--slowly. The Spy Car Act of 2015 calls for new federal standards for car security. In Michigan, there's a Life Imprisonment Bill that would lock up car hackers for life. The SEA-issued J3601 guideline injects security practices into the manufacturing process.
Sign up for MIS Asia eNewsletters.