“These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report (http://www.infosecurity-magazine.com/download/227664/), which it released last week. The report was based on an analysis of more than 150 vehicle security flaws identified over three years by IOActive or publicly disclosed by way of third-party firms.
The report studied a wide range of flaws, most discovered in IOActive’s work with automakers and suppliers to auto manufacturers, said Corey Thuen, a Senior Security Consultant with IOActive. Thuen and his colleagues considered what kinds of vulnerabilities most commonly affect connect vehicles, what types of attacks are most often used to compromise vehicles and what kinds of vulnerabilities might be mitigated using common security techniques and tactics.
The results, while not dire, are not encouraging. The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation. “These are all great things that the software industry learned as it has progressed in the last 20 years. But (automakers) are not doing them.”