
State of Automotive Cyber Safety

BSides Las Vegas · 2016 · 48:53 · 265 views · Published 2016-08
About this talk
Joshua Corman, co-founder of I Am The Cavalry, discusses the state of cybersecurity in the automotive industry. The talk covers the evolution of connected vehicles, remote attack surfaces, threat modeling challenges, and how automakers are beginning to adopt coordinated vulnerability disclosure and bug bounty programs. Corman emphasizes patience and partnership in driving the industry toward better security practices.
Original YouTube description
State Of Automotive Cyber Safety - IATC - Joshua Corman I Am The Cavalry BSidesLV 2016 - Tuscany Hotel - Aug 02, 2016
Transcript [en]

all right so I'll turn it over to Josh okay um just to P to close off a little bit of that so you're not waiting all all night saying they didn't answer my question um the cyber security task force the HHS is doing that Michael mcneel from Phillips is on um we're about halfway through and that is the most pressing issue is the Legacy so I'll just give you a teaser if you're from the healthcare world are you from the healthcare world no

okay so so one of the things I put on the table early is uh when they were trying to go to electronic health records from paper records They attached reimbursement to this Clause called meaningful use and if you're in the industry you know you just got a Pang of pain in your body when I said that but from a security perspective I basically said guys uh maybe meaningful use was our original sin maybe this is why we're so hackable and essentially what you did is you took devices that were never designed engineered threat modeled to ever be connected to anything and you forced them to connect to everything and you couldn't just go back to the drawing board so we're going to

pay down that technical debt and security debt for a very long time and that's why we're going to have some very uncomfortable brainstorming tomorrow can I can I tie it off for now okay all right so um for the camera and the streaming um I'm going to do the auto talk a little differently than we had intended I I had a few auto makers that we're going to try to pull up on stage much like Bo did given a few things that are happening some of them aren't allowed to speak in public yet um but if you're willing to reveal yourself and I won't put you on the camera or anything but who from here

Works in or with the automotive industry okay good good good so last year we had the privilege of having I think it was 11 people from Tesla that self-identify in the room uh we had several people from GM from Ford from Honda um and we're starting to cross our tribes in a very positive way so I'm going to change a little bit in part because I want to leave some room for more discussion but I'm going to show you a talk I give them so this is not going to give you OD day you're not going to get new uh mindblowing stuff but this is going to be the level this is a good indicator of the level of

dialogue that we need to have and one of the reasons I changed my mind is Mary barah the CEO and chairman of of GM uh 10 days ago in in Detroit she gave a keynote at a cyber security conference and she is essentially channeling most of these talking points and every and uh I was very pleased to see that because that shows how well we've infected that industry that usually was afraid of us to start to like realize how vital uh a team uh how vital resource we are if we if if we properly team together so I'm just going to show you a very brief version of what we kind of acclimate them to and I'm going to leave a little

bit of room for some of the things that are happening if I see Frank as well we also had Frank from Nitsa uh National Highway Transportation safety administration so the regulator in this space spoke earlier today and if you missed that just catch the video um I'm sad to say that they were about to release um their guidance on connected Vehicle Safety um and it's all done but they they have to wait a few more weeks for government approve because government's moved slow as he reminded us this morning uh so again I'm Josh Corman I'm one of the founders V the Cavalry and if you weren't here from this morning session we turn three years

old yesterday so if you've been helping give yourself a round of applause anybody come on no nobody's been helping okay all right all right so um there's plenty of work to do and there's plenty of room to help and I'm just going to show a little bit of that right now um motivations have turned out and I actually had a much more detailed version of this morning the motivations have turned out to be the biggest obstacle for us working together they don't understand why anybody would ever hack their vehicles why would you do that um and and I'm not making fun of them but they have had some bad experiences um it's almost it's more of

an urban legend that white hats go to companies they say we found a bug and they extort them right I've been working I don't know if you saw Leonard Bailey from a Department of Justice uh he was on a panel earlier today with Jen Ellis they have had almost no extortion cas cases almost none um the ones they have had have mostly been misunderstandings like someone said hey I found a bug for you and before they took a pause in a breath they said and if you pay me I will gladly fix it for you it wasn't really extortion it was just really terrible communication skills but I often have to speak to motivations and

this is where I basically point out that you know just like uh every car company's not the same and not everyone who works at your car company is the same um white hats have very different motivations as well so I have a table that I showed this morning they're all keys and this is a gross oversimplification but white hats or the people who find bugs that aren't criminals um they do it for one or more of the following five reasons they're protectors that want to make the world a safer place they're puzzlers who do it for challenge for curiosity for for the you know they like to solve hard things take it apart and put it back together

they do it for Prestige because they want to win the white jacket or they want to be on CNN or in Wired Magazine they do it for profit because this is a way to make a Liv um or they do it for protest they're for or against something and when we kind of explain that you know hacking is Magic and there's bad Wizards and there's good wizards like gandf thank goodness we had gandf they demystifies it a little bit for them and when they understand that they're not all outed to drop oday on stage at Defcon or they're not all out to make money um and that some of these folks especially these folks are here

because they want to make the world a safer place it helps them better understand and better structure their coordinated vulnerability disclosure program so one of the things I want to leave a little bit of time for is have a really honest discussion about where the safety critical Industries are at on their coordinated disclosure programs and some of the guidance we've been giving them that you might not agree with at face value but there's really good reasons we're giving them that guidance but the point here is that everybody's motivated differently and for me I just want to make the world a safer place um but when you know how they're motivated you know what they're trying to accomplish it's also a good

hacking trick because the people you're going to speak with at these various companies if it's the general counsil of a company versus the security team at a car company versus the third- party supply chain part uh part of a security car company they have different wants needs and fears and instead of doing the same thing over and over and over and pointing a finger at something they did wrong I'm not excusing them but I know I try to start with what motivates them and then tailor the message to that person so one of the the warm-ups I do is you know the a lot of the people have heard this mark andreon quote that software is eating the world and what he

means is that every company regard of what you do is now becoming a software company John Deere does not call themselves a tractor company they call themselves a software delivery platform and that's how they self-identify GE is re re reconstructing its entire company to be the industrial internet um you know Cisco is talking about the internet of everything now what they mean is this is a business opportunity and if you aren't good at software you better get good at software because if you want to please your shareholders software is the last mile of differentiation when I hear it I hear something different I hear software is infecting the world right we're putting software and weakness and Bluetooth and

internet connectivity into every single aspect of our lives and the number devices in your home that weren't hackable before that are now hackable is growing right it's like a plague none of us look at it that way we kind of think the internet of everything's awesome um but we're not going to feel that way forever and at some point um we'll come to like a happy middle ground and we'll realize okay some times it makes sense to put software and connectivity onto something and some case use cases it's wildly inappropriate to put bluetooth why do you need Bluetooth on your insulin pump that can kill you I mean Jay radliff just talked it's how he kind

of got into this area is he could do unauthenticated um communication with his BL with his insulin pump and give himself a lethal dose I mean that's kind of what barnab Jack was doing when he did his famous uh hacks on stage right why would you do that and if if you're going to do it you better be willing to do it in a safe in Secure way you really got to do the threat modeling you really have to be held to a higher standard so I couldn't come up with a good metaphor and I would still prefer a better one from somebody here because you guys are all smart but I was fixing my deck my

patio right I got my gas grill out there and I had to buy new nails and I bought galvanized nails do you you know why we buy galvanized nails anybody rust they don't rust do you know what the problem is with galvanizing metal anybody it makes them brittle so I bought 10 nails cuz I needed 10 and I had to go back and buy more because I bent half of them right so I'd rather we look at software and connectivity like that that when the use case is appropriate when we need the rust proofing you know we make that choice and when we can't afford the brittleness we we make a different choice but we're

not there yet and I've often called this I know you guys hate the word cyber but guess what when you talk to the outside world you better get used to it um so I call it cyber asbest because we used asbest everywhere it it was lightweight it was fire retardant it was such a miracle um material for Builders we put it in schools and hospitals and Manufacturing facilities we put that stuff everywhere for years and then we found out it gave you cancer and we had to condemn some of those buildings and there's billions of dollars of class action lawsuits over that thing now people still use aestus but they use it in less um prominent less um they don't use

it everywhere they use it where it makes sense and where it's safe to use so I want to find that happy ground right now we all groan about things like heart bed because it affected most people I mean it had a logo it had a pretty you know marketing campaign but one of the things that you know when you're done your groaning is that open SSL is pretty much everywhere there are certain open source libraries that make its way into lots and lots and lots of embedded systems and the stories to me weren't so much you know that there was a bug in open source and it wasn't so much that there was you know how long it

had been there it's more stories like when Rob Graham um looked at the internet on day one he found 600,000 systems nakedly exposed affected by heart bed and he would do a monthly scan with mass scan and six months later it was about half of the actually the first three weeks I think it was half of them got patched but he kept scanning year month after month after month and the last half never got patched and when people looked into why aren't these things getting patched they were in industrial Control Systems they were in embedded systems they were in places that needed the the software but couldn't be updated they were essentially forever day bugs and some of these places they

landed are mission critical life critical safety critical systems so when you're going to depend on things like open source which everything does whether it's bash bug or or whether it's open SSL or whether it's the one that's hitting hospitals right now which is a flaw in uh it's basically the fox gloves law but it's a sterilizer deserializer problem that was in J boss used by tons and tons and tons of people in this particular case it was a massen device so when we depend upon these things everywhere we've now invited weakness in a way that yeah we get the benefits of this stuff but if we can't also patch it we're in big big trouble and that's

exactly what's been happening right we're finding op SSL and HTP client and Bash in medical devices in our homes in industrial control systems in fact one of the more um responsive vendors on op SSL was Seamans Seaman Industrial controllers Seamans as in the one that got hit by stuck snet so to their credit they admitted how many of their very very expensive IND distal control systems were affected and they could patch themselves many of their direct competitors were also affected and could not patch themselves so I still had arguments with car companies early on as to well yeah we use all that software but we don't have to patchable patchable adds an attack surface right and then

the shell shock Etc so when I try to bring this home I I saw I showed this this morning but it Bears repeating we know we're going to get hacked we know that cars are going to get hacked often the question is how much damage does it do and everybody knows about the Haitian earthquake because it was on the news every single day and Bano was asking for money and the American Red Cross was asking for money and the all the living presidents were asking for money and it was a terrible terrible terrible tragedy 235,000 people I think it was uh 230,000 deaths it was a seveno oror skill flattened many of the buildings they

crushed everybody inside now nobody heard of very few people heard of a much much stronger earthquake in Chile 6 weeks later it was 8.8 RoR scale and if you know math it's logarithmic it's a lot worse 7.0 8.8 it only killed 279 people that's why we didn't hear about it it was nowhere near as attention grabbing and when all the scientists looked at all the different factors like population density and proximity to the epicenter and all these other things why did an 8.8 only kill 279 people and a 7.0 killed uh 230,000 people and it was building codes that was the number one contributor Chile had building codes Haiti did not what shook buildings in

Chile flattened buildings in Haiti so it wasn't the presence of earthquakes and it wasn't the magnitude of earthquakes it was do you have building codes and we really don't have building codes for building software code we don't and honestly we probably threw up a little bit in our mouth when I said that right because but the thing is we're taking this software that we can't defend anything if you really challenge yourself a 100 of the Fortune 100 companies have had a loss of intellectual property every single PCI Compliant Merchant has lost credit cards our failure rate is about 100% so everything we do on a long enough timeline fails us right we've given up entirely on prevention right now it's

all now detect and respond how quickly can we detect and respond but what's the response after somebody's been killed you can't unkill them you can Reiss a credit card you can do credit monitoring you can't unkill somebody and the reason it's been acceptable is those failures were not consequential failures right nothing has really triggered the motivation to start to look at a need for a higher level of assurance of of safety critical it and what's worse though is when we have our our high consequence failure it's going to look a lot like this if you remember you know the whole Auto industry knows someone somebody's going to have the first car fatality everybody knows and they've

also to their credit they know that it doesn't matter which one gets hit first it's going to hurt all of them because when there's a crisis of confidence and that's the key phrase when there's a crisis of confidence in the public to trust connected Vehicles they my motherinlaw will be terrified right so when she saw the Jeep pack Last Summer she stopped buying Jeeps I'm not kidding every every from the day I started dating my wife till now they've been a Jeep family but after last summer they had to get a new car they didn't get a Jeep anymore and it's not that jeep isn't able to secure themselves it's that the confidence was shattered someone doesn't want a car

that might do something unexpected in fact I see uh one of the guys from Nitsa one of the quotes that this is a little off script here one of the quotes that really sunk in for me is we were so the Cavalry was so so focused on getting them to have a culture change and a recognition of the existence of talented and persistent adversaries the the actual threat models that what we we tried to do it in a nonsens way because we didn't want to scare my mother-in-law not theoretically my mother-in actually my mother-in-law we didn't want to scare her because the truth is whenever you talk about car hacking some somebody in the crowd says oh that's why I'm keeping

my 1997 Civic and that's bothers me for two reasons um one is um you know a a newer car is so much safer than a 1997 chassis I mean so much saf there's so many uh safety and crash survival ratings improvements that have happened I don't want people to be afraid of new cars I want them on new cars right and the second thing is and this is why I need to do the quote from the administrator from Nitsa nit is the national highway Transportation safety administration basically the the last year we have stats for was 2014 and it was uh 32,670 deaths in the US due to car accidents and 94% of those were human

error we know the year-over-year went up about 8% so if you do a little quick math I'll do it for you about 100 people every day die in a car about 100 people and 94% of them are human error so therefore if we can get to autonomous and semi-autonomous vehicles we're going to save a lot of lives while we've been here today we've lost 50 60 70 people to avoidable vehicular accidents so we're not Lites saying we shouldn't have modern connected cars The Challenge and this is very nuanced is we need to compel the right motivation and and corrective action on the part of the automakers so that we can make our cars safer to preserve the trust that hasn't

been shattered yet because the moment we shatter that trust the moment people are afraid to trust these semi-autonomous vehicles or the connected Vehicles it we're just postponing the life-saving advances that we could have I know that seems a little unintuitive right I'm not going to say I trust all technology but the truth is my peripheral vision is only this good but a car can see 36 5 I can be distracted or angry or tired but the software won't be so we're never going to take the human out of loop entirely but we have to help preserve that trust so the what the issue is not so much and this is really what got through to them it's not so much that

they're going to have a failure they know they're going to have a failure the issue is the response time at the moment for the current Fleet of vehicles is so poor that it's going to look more like this they won't if you can't patch your vehicles or if the patch is really manual and error prone you're going to that's what's going to shatter the confidence of the public so I've started shifting them less away from kakar be hacked to are we ready for failure now one way we did that is on our first birthday two years ago at Defcon we uh we issued a five-star Automotive sa cyber safety framework we released it through Reuters we did an open letter to

all the car CEOs and we essentially said paraphrasing look you guys are masters of your domain you've been making cars safer and safer year every year for the last 100 years we're masters of our domain in cyber security and now that cars are computers on Wheels our domains have collided and we will be safer sooner if we work together here's a framework to work together and the basic idea was since all systems fail you need to be prepared for failure and I'm going to walk you through some of that um in a bit but uh basic principles like safety by Design third party collaboration exper evidence capture security updates segmentation isolation this is not meant

to be a PCI checklist this is not meant to be prescriptive controls this is not meant to be the Finish Line it was meant to be the starting line so you must be this tall to ride the internet of cars that that basic idea and sadly two years later um we're still many many years from satisfying all these and one of the one of the really tough Ur emerging issues that I've been talking to Nito and the auto ice act and Congress about is number three is going to be a doozy the evidence capture thing nobody wants to touch it um which we're going to talk about a little bit tomorrow maybe a little bit today but let me just show

you the basic engineering principles I Shar with them so all systems fail yes all of them um there are no exceptions and physical Engineers know this so back to speaking their language this is a engineer electrical and physical engineering discipline so when you know all systems fail we know cars crash that's why we put so many crash survival features into them so it's about can you fail in a predictable and graceful way so what do we know about computer science very very little but we know that the more code you have the more problems you have I mean a Big E small as graphic I wish I had thought to put it in here but there's a certain

unavoidable defect rate per thousand lines of code we don't measure it per million lines of code we measure it per thousand lines of code because there's defects in every single thousand lines of code now really mature programs they'll measure it by 10,000 lines of code but there's a flaw rate per 10,000 lines now Windows XP or Windows 7 had about 10 million lines of code in it so think of all the problems you've personally experienced and the patch frequency and Cadence for your Windows system about 10 million but a car has over a hundred million so they should be patching 10 times more frequently when was the last time your car got patched for a security issue

anybody a year ago about a year ago for your Chrysler right was it a seamless patch like Windows update I know and I'm not and you know what to their credit they they updated it some of these some of the ones we've told cars about they cannot be fixed uh and I'm not beating on GM GM is doing a fantastic job on number fronts but what no one saw after all the uh the the um discussion over the the the patch you had to go through is GM also patched a bug about a month later and it took five years to fix they did it and it was over the air but it took five years to do

because it was a really hard problem to fix on really old Legacy technology so all right I I don't want to lose the Rhythm okay so 10 times the lines of code means 10 times the number of security flaws it's just a fact right software isn't the problem right software's been in cars a very long time the problem is that we've been given remote access of varying lengths and ranges over more and more and more over time so the original sin if the original sin in healthcare was meaningful use the original sin this room will actually get my joke uh the original sin in cars was the government mandatory back door known as OBD2 so for emissions testing we had to

add a a direct direct Port onto the can bus to allow for Diagnostics and emissions testing Etc from State of California so that was one of the early ones the second one also came from California it was um without requiring physical access to the car was the tire pressure monitors the tire pressure sensors were there to very very short range but they were there to make sure we had high fuel economy to cut down environmental impact because tires that are running a little low have poor gas mileage but think about all the things you've added you have Bluetooth your smartphone cannect and you have nearfield communications and you have 4G LTE Wi-Fi standard in all GM vehicles 4G LTE Wi-Fi hotspots

standard whether you want it or not you get one and I I I flipped out when I first did it and before I was even friendly with Jeff Mill GM I said I have a 4G LTE Wi-Fi hotspot in my phone in my car right now my kids can use this to play on their iPads but uh this one can't kill the brakes and your is Ken so um you know level or activity and for those of you who don't yet know how to manipulate can bus and haven't gone to the car hacking Village which is Awesome by the way um don't worry you do know web browsers and we've added third party app stores to a lot of these things and

a lot of them are running on really really familiar and really really vulnerable web browsers so the stack is becoming more familiar to us which means it's becoming more familiar to adversaries so it's it's not the presence of software per se it's the number and variety of remote attack surfaces and that's why Chris and Charlie were able to do this over the Sprint network because cuz you know Dan gear has this uh line well I'll get to that in a second so it's the number and variety of remote attack surfaces that are changing and as you guys know you know Bluetooth isn't very large range but you can you can amplify that significantly with a scope um and

whatnot so then usually we get to the part where someone says yeah yeah yeah of course they could kill you but there's no money in it right which and I've even heard Chris and Charlie say there's no money in it first of all that's wildly uncreative I can think of lots of ways to monetize car hacking um Bitcoins to start your car you know just just a couple right um so when they say that no one would hurt you um we're not thinking and we're conditioned most of our careers if you've been you know in corporate security or pen testing or payment card industry most of what we've done our best practices which suck by

the way um when was the last time you did a pen test and didn't get in anybody okay so most of it's focus on the confidentiality aspect of the CIA Trinity and of regulated data replaceable regulated data we're not really well suited for people that want to do physical harm or that want to hurt the availability of mission critical systems you know most of our advice is still about confidentiality and breaches so um Bo likes to remind me that it's not just uh adversaries it's accidents and adversaries and if you've ever done a threat modeling exercise even if you have you you think you have no natural Predators you still have one threat actor Murphy Murphy's Law right so um

also Al malicious intent is not a prerequisite to harm software have glitches and no matter how much testing you do there was this long protracted set of court cases over the unintended acceleration case where they brought in NASA scientists to look at the software complexity of the Toyota Lexus you know braking system to see did a glitch lead to unintended harm and without even trying to relitigate that here we don't have to have the boogeyman to have concerns over cyber safety in vehicles it's the software and the remote connectivity of that that's a big issue in fact the hospital in hwood Presbyterian Hospital in Southern California got hit by the Sam Sam ransomware which took advantage of that

J boss flaw in that McKesson device that could have been patched and it locked up systems so badly they had to divert patients to other hospitals so that piece of ransomware wasn't targeting Hollywood Presbyterian it had no intention of hitting a hospital it just happened to accidentally cause harm and the same can be true in our automobiles but you have to think a little more creatively not to script kitties or not to um States who are equally vulnerable to this although they could do assassinations but think about other adversaries like an Isis or an ISO it's not that hard and as we make these things more U as we lower the barrier to entry for these and as we make them more

connected uh this is yet another way to scare people or to hurt people you know we wrote a piece um for a government agency on a on an attack scenario for New York City kill all the Lincoln in the Lincoln Tunnel was the opening sentence so if you do a kill bit on the the wildly vulnerable unpatchable thing in a lot of some these different makes and models of vehicles um you could disable any Ingress or egress out of Manhattan by hitting a few Bridges and a few tunnels you don't have to hit every car you just got to hit a sufficiently representative number of them so it would take days to tow them out so how'd you like to cut

off food and water and throw up you know some sort of attack credit for that I'd like to combine that with a Hollywood Presbyterian style attack so we don't want to scare people and use Scare Tactics but one thing that shocked me this morning so I'm going to repeat it again when Jericho and I researched Anonymous for two years we two and a half years you wrote the building a better Anonymous series we said that we're less concerned with what Anonymous is doing and more concerned with what comes next and I meant that someone was going to pick up and perfect the blueprint of the use of social media and asymmetric Warfare and all the things

they were doing right but this is not even you know a theoretical anymore there were very very very few hackers and Anonymous most of us know that one of the hacking Crews was team poison one of the members of Team poison janad Hussein the guy who who attacked Tony Blair's website through team poison he left the UK he moved to raqqa he started the Cyber caliphate he was training and recruiting people to use showan to use metas really low hanging fruit you don't have to be a super Elite hacker to use some of these freely available tools and shortly after Defcon last year he was killed with a drone strike and I'm shocked at how few of our friends here

in Vegas this week even though that happened but think about what you could do if you wanted to hurt people and the answer is you could do a lot but anyhow to quote Dan gear you know um on the internet every socio path is your next door neighbor so you're kind of hoping that zero people out of 7 billion have the means motive and opportunity to hurt you that's not good math not only is there what 1% of the global population is a sociopath uh and some of them more likely be hackers we actually know a few of them and we go drinking with them this week um so I don't want to be in a

situation where I hope they wouldn't hurt me I want to know they couldn't hurt me so back to this five star if we know failures will happen can we put some Scaffolding in place to make sure that when failures occur we're prepared for failure so I like the names that we put in our original document but I so much wish I had just said it this way how do you avoid failure how do you take help avoiding failure without suing the helper how do you capture study and learn from failure how do you have a prompt agile response to failure and how do you contain an isolate failure so I'm going to put some names and faces on

this, and again this is more for the outside audience than for you guys, and even if you do these things you will still be hacked, but the question is how much damage can that do. You know, the Chris and Charlie thing: let them put their tracksuit image on your center console for the Uconnect, but don't let them shut off the brakes. Why are critical systems directly connected to non-critical systems, right? And there's historical reasons why they are, and some of them are good reasons and some of them are not good reasons. So safety by design: do you have a published attestation of your security lifecycle? You can just say we do nothing, you

can say nothing, but allow the free market to be able to assess yours from somebody else's. So Microsoft kind of does this with their SDL, their SDLA, and this just created a way for us to talk to them about: do they do threat modeling? And for the first six months we said, which threat modeling system do you use? And after six months of asking that question, and every single response was "what's threat modeling?", we stopped asking that question. But it became a way to not say "do you have a security program?" but rather "let's look at how strong your maturity is on different aspects of your security development lifecycle." Third-party collaboration: do you

have a public attestation, or do you have a published coordinated disclosure policy involving assistance of third-party researchers acting in good faith? And of many of our victories, between what Jen Ellis has been working on and Katie Moussouris has been working on and the NTIA process, this is where we've had the most success. But basically, let's put it in really simple terms: do you have a "beware of dog" sign, implicitly there that you're going to send cease-and-desist letters and lawyers at someone who brings you a bug, or do you have a welcome mat? And that was one of my favorite parts of Mary Barra's keynote, was she actually used the term welcome mat on the vital

importance of working with third-party researchers. Evidence capture is the one that's going to be really, really hard for a bunch of reasons that aren't obvious, but do your vehicle systems provide tamper-evident, forensically sound logging and evidence capture to facilitate safety investigations? Everybody knows what one of these are, and aside from the fact that it records the conversations in the cockpit, which we were never asking for, the first thing that happens when a plane crashes is we call the NTSB, National Traffic Safety Review Board or whatever, something like that, I can't remember the name. The very first thing to look for is the black box. So whenever something's, you know, lost at sea, we'll

only have so much time before we can recover that vital black box. If it's so vital to preserve the safety of the industry and to preserve trust in the industry, why isn't anybody freaking out that there's zero cars that have one? Zero. So we aren't tamper-evident. It took six months, I believe Chris and Charlie said, of failed attempts before they successfully got their payload to work, so we would have had six months of tampering, reconnaissance and failure to notice and maybe shut down ports, right? We keep claiming that no one's ever been killed in a car crash due to hacking, but we have no evidence collection to ever prove otherwise; it's very circular. So this one's a fairly

important one, and it turns out the largest opponent in the entire ecosystem is actually the privacy guys. It's not the industry; industry actually wants these. So we have some very strange fights to have and discussions on: can this be done in a privacy-neutral way? And when we wrote the standard we actually said this can be done in a completely privacy-neutral way. And the irony is, what's the most, I'm not going to name it yet, what's the most privacy-conscious country on the planet? Anybody? Germany. Guess who just announced last Monday that they're going to require black boxes in all their cars? Germany. So if Germany can figure out how to do this,

and we're going, Beau and I just had a call with the embassy, we're going to directly work to help make sure it's a good one, but the US is so afraid to get in fights with the privacy advocates, but somehow Germany's going to find a way through. So this one's a really, really, really important one. Just like in, you know, the hospital environment you do a morbidity and mortality, you do a postmortem, you do an autopsy: you want to study and learn from what happened, what went wrong, how do we improve ourselves. And that's not going to be possible until we start capturing evidence in a

consistent way. Security updates: can your vehicles be securely updated in a prompt and agile manner? Initially they fought us tooth and nail on this one. They said, ah, it's going to add an attack surface, it adds complexity. And although we don't know how to secure a web browser, we do kind of know how to do a secure update process; like, it's a tractable problem. And yes, it may add an attack surface over the air, but it also gives you the ability to have a prompt and agile response, so you're not the Deepwater Horizon oil spill for weeks and weeks and weeks. So, you know, this is something like

every single day your phone apps are updating, Microsoft's updating, etc. etc. So it's a similar kind of idea. You know what, if they want to do it the more expensive way through the dealer, physically sending USB keys, whatever, fine, let them. But ironically, what blew my mind is one of the companies that screamed at me said they would never do it. On a subsequent meeting I said, how much does it cost to do a recall, like a physical recall? And we went through the math, and I said, you know how much brand damage you get whenever you have a recall in the news? And they said, oh yeah, we know exactly how to calculate it, it's

this much, this much and this much. I said, wouldn't a software update have less stigma, you know, just a routine software update, and wouldn't it cost a lot less on labor and shop time? And like the next month they announced that they were going to head to remote over-the-air updates, not because they made the car safer but because it saved a ton of money. So I really don't care why they do it, I just care that they do it. And then segmentation and isolation: this is the idea of, do you describe how you separate your physical and logical systems, excuse me, physical and logical isolation measures to separate

critical systems from non-critical systems? Some of these guys use the equivalent of a VLAN, some of them do nothing, some of them have a security gateway but it just lets everything through, some of them use virtualization and process isolation. I don't really care what they do per se, but I think we should be taking steps. In fact the one I've seen that's done the best is Tesla: absolutely intentional different communication mechanisms for infotainment versus physical safety. And the idea here is a submarine can flood compartments without sinking the whole ship. The problem with the CAN bus isn't the CAN bus,

controller area network, it's the fact that once you're on it you pretty much have unfettered access to everything else. Pretty much; there's things that they do to try to prevent abuse, and all of them are defeatable. If you don't know that, talk to Craig Smith, the guy who started Open Garages, or go to the Car Hacking Village; he'll just show you. So one of the issues there, back to that Civic: I told you there were two reasons I hated the idea of keeping your Civic. Now that we have these wonderful things like Progressive dongles from your insurance companies, or Verizon's Hum, or all this bevy of little Indiegogo, Kickstarter-size projects that

plug into that OBD-II port: you just took an unhackable 1997 Civic and you just made it hackable, because once you're on that bus you're in big trouble. And I just shared a long train ride with the CEO of a car company in the trucking industry, tractor-trailer trucks, and his technology works through OBD, and they're very, very, very concerned about those massive amounts of steel, you know, being hackable through a lot of that stuff, because they almost all depend on lots of aftermarket OBD-II technologies. So even if you don't think those tractor-trailers are hackable, they've just become hackable for those reasons. And when you kind of put this into context, many of us

are like, but Josh, this stuff's really, really basic. Yes, it's really, really basic, but you have to understand where they are on their journey. They just woke up about a year ago and realized they were software companies, and it's not excusing their behavior, but they have no idea what they're doing here. And I think back to Microsoft 17 years ago sending cease-and-desist letters to our buddies; maybe you even have one on your wall. But then you had Katie Moussouris, you know, issuing a six-figure cash prize through Microsoft's BlueHat program, and some people here at BSides have received that six-figure cash prize. So how do you go from cease-and-desist to six-figure

cash prizes? So I call that the mean time to enlightenment, and for Microsoft it was 15 years, right? But how do we compress that mean time to enlightenment to three, to two? Because we're not going to snap our fingers and have these very old, very large, very tough market participants all of a sudden wake up enlightened. But what we can do is be patient enough to get them to crawl, to walk, to run, to give them a pathway there, and not be a pointing finger but instead be a helping hand, and not focus on past failures but focus on future success, and not just tell them all the things they are

doing wrong, but also tell them the things they are doing right. And even if they do all these five-star things, they're still going to be hackable, but at least I think they're maybe better prepared to contain and respond to and notice those failures. And I just want to end, before I go to questions, on a couple of the successes, right? Tesla does not have 100 years of baggage and legacy to worry about, so that's in their favor, and they've been freaking awesome, right? They have a bunch of security and software engineers they hired day one, they did threat modeling, they hired security people on staff, and they were the world's first automaker to

have a coordinated vulnerability disclosure program, and for that they need a round of applause, right?

They also set the model of crawl, walk, run without even knowing they were doing it. They had money to issue bounties day one, but they didn't go right for that. They wanted to see how many bugs, they wanted to see what kind of bugs, what kind of variety, are we going to get flooded, is this going to be noise. So six months into the program they realized, okay, we have more capacity, and they offered a cash prize, I think it was up to 1,000 bucks, and then six months later they upped it to 10,000. So they showed that you don't have to go from zero to six-figure cash prizes from Microsoft; there is a way to ramp up. Now

I don't have a screenshot for it, but let's also give a round of applause to GM. GM this January was the first traditional manufacturer, and it was much harder for them to get through their red tape, and they offer a coordinated vulnerability disclosure program. So let's give a round of applause to

GM. And I'm going to postpone it for now, but you know, I was one of the voices discouraging them from offering cash prizes initially. There's a lot of good reasons I discouraged it, and they will be, and they have budget, and they are doing private hackathons with prizes, but that's a different discussion. And then third, in the last month, Fiat Chrysler, FCA, offered through Bugcrowd their first bug bounty. They went straight for a bug bounty, so they do have a small cash prize, but they're also saying we will not sue third-party researchers acting in good faith who follow our policy. So let's give a round of applause for Fiat

Chrysler. Now, if you were in the medical sessions, one of the reasons it was so powerful to hear Suzanne Schwartz from the FDA is, when we tackled automotive first, it's because there's only about 20 OEMs, so we knew that one at a time we could wear them down and finally make it a tractable problem. But when it comes to medical devices there are thousands and thousands of device manufacturers, so we had to take a more central approach. And more recently NHTSA has been very helpful here, and the guidance that was about to come out and is soon to come out, you know, they've been very pro coordinated vulnerability disclosure, and I think that's really the

gateway drug in the five-star, is once people start receiving bugs and they start seeing researchers as an asset, as a teammate instead of a threat, they might find more bugs, find them sooner, get them fixed, start to realize the need for more containment and isolation, start to realize the need for agile updates, etc. etc. So back to that five-star: the failures are going to happen, but are you prepared to avoid failure, take help avoiding failure, learn from failure, respond to failure and isolate failure? And the way I put this finally to them is the Cuyahoga River in Ohio. I said this this morning, so it's a repeat for a few of you. Andrea Matwyshyn, who's speaking here, she's a law

professor; when we did our Constitutional Congress for the Cavalry at DerbyCon, almost, you know, a little after, almost three years ago, so it was after DEF CON, she kind of said, hey guys, nothing's going to change until people die. You're going to need your burning river on fire moment. If you don't know the history, the river in Ohio, the Cuyahoga River near Cleveland, caught on fire and stayed on fire many times, and ultimately somebody got a picture for Time, I think it was Time magazine, and it finally triggered corrective action like the Clean Water Act and things like the EPA. But it took really bad things; like, how bad does

pollution have to get before you have a burning river on fire? How do you even put that out? But they did, and this was not even the worst of the fires, it's just the one they got on picture. So we may have to have that high-consequence failure, but the problem is the 2019 models are already done for some of these manufacturers, and the supply chain that goes into them is done even further out. So unless they anticipated perfectly, without our help, all the kind of smart security defensive things they need to do, the response times are going to be very, very slow. So I don't want to wait for a

burning river on fire moment. I don't want to wait for my mother-in-law to have a crisis of confidence in connected vehicles. I want to preserve that trust so that we can more quickly save the hundred people per day that die due to human error. And if you think individual cars are bad, just look at vehicle-to-vehicle and vehicle-to-infrastructure stuff, which is a mess. And again, NHTSA has taken a leadership position there, and they've done a lot to have a privacy-by-design protocol that's been worked on for 12 years. But where this whole system breaks down is, there's one security principle we do know, which is that

security is not composable, which says if you take secure thing A and secure thing B and you put them together, you might not have a secure AB. But the inverse corollary of that is you could never take an insecure car A and any other car and have a secure network of cars, right? And if you've talked to Cesar Cerrudo, who talks about smart cities and hackable infrastructure, most of the roadside equipment that would be participating in this vehicle infrastructure is passing stuff in the clear, on purpose, by design. So I'm very, very worried about the system of cars, the internet of cars, and there have been some congressional hearings on this and there

has been some good work, but more is needed, and we're going to need more help from more people when we get to that stage. But we focus very, very deliberately on individual cars and individual car companies, because the system will never be secure if we don't have secure participants within that system. So the road ahead, just a few nods to some existing and new initiatives. Individual bugs scare and polarize the auto industry, so I know we like to think that if we drop 0-day or if we do a high-profile attack it'll trigger corrective action, but it tends to trigger an immune response, and it tends to hurt trust if it's not done

carefully. But there are some people who have had projects for a while now that have been building trust and building up a community of interest and talent. So one of them, one of the most talented but least extroverted, is Craig Smith, who founded Open Garages a while back when he still lived in Ohio, and now he's in, I think, Seattle. So Open Garages is something that you could start in your own town; it's basically a platform to teach students and mechanics and anybody that wants to tinker on cars how to hack and how the car's electronic systems work. And he's one of the guys who helped found the Car Hacking Village at DEF CON

later this week, so definitely check that out. And one of the nice things about him and his tribe and his extended friends is they create lots and lots of free and open source tools. So to truly build up a community you need to teach other people how to do this stuff, and they're very good on sharing, because their focus is on safety and protecting, less so on the public stuff. There's also a new initiative that was originally in Intel, and people thought it was an Intel scheme, but it wasn't at all. It's called, now it's a 501(c)(6) nonprofit called ASRB, Automotive Safety Review Board, and their idea is they want to have

self-healing networks of cars by 2025, right, or 2030 or whatever it was, like this big audacious goal. But they want to think past individual car protection and think about which technologies are missing that will allow us to notice failures or attacks in one area and dynamically heal fleets of vehicles and things like that. So, in full disclosure, I'm the chair of the tech steering committee, but what we did is we took a mixture of breakers and fixers. So I'm more on the blue team type side, and they have people like Marc Rogers, who was one of the Tesla hackers, they have people like Craig Smith, they have some folks from

academia that do car hacking. So we have about an equal mix of people that know how to break cars and are really experienced at breaking cars, but also people who think that instead of just breaking cars over and over, maybe we should look at alternative reference architectures and alternative designs. So the idea of the spiral here is we want to always have a fusion of an old priest and a young priest, or a blue teamer and a red teamer, to look at future stuff. So the deployed fleet is sunk cost and it's really hard to fix. The deploying fleet is the stuff that's coming off the factory line right now, and you might not

be able to change the supply chain, but you can at least harden stuff. And the future developing fleet is really where we want to focus. So if people are in academia or are focused on future technologies to make cars safer and less hackable, please look me up for that. And I don't have a slide for them, but the Auto-ISAC didn't exist really other than a name until pretty much January, and the Auto-ISAC, just like the other ISACs, are information sharing and analysis centers. They too are a nonprofit versus the government-sponsored version, and it's right now mostly just the automakers, but they're creating participation levels for the tier one suppliers, and they're going to create a

third-tier participation for folks like I Am The Cavalry and civil society nonprofit groups to help. And that's less about, you know, maybe making cars less hackable and more about, when cars are being attacked, threat information sharing, kind of like the FS-ISAC and other ISACs currently do. And then I can't put a slide up, but I hear that the NHTSA guidelines are done and just going through approval, and Frank can't talk about it yet, but we believe, based on previous writings they've done, that it matches quite a few of the principles of the Cavalry's five-star already, as well as things like the value of coordinated vulnerability disclosure and working with third

party research communities. So that's kind of an update on where things are with cars. And again, everybody in this ecosystem is motivated differently, but my goal with conversations like this is hopefully that you are now more motivated to get involved. So that is the end of the prepared remarks. Thank you.
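The talk's evidence-capture star asks for "tamper-evident, forensically sound logging" so that a six-month run of failed attempts would leave a record instead of going unnoticed. The example below is added here to show one way such a log can be built; it is not code from the talk, from I Am The Cavalry, or from any automaker. It uses a keyed hash chain: every record carries an HMAC over its own contents and the previous record's tag, so editing, deleting or reordering any record breaks every tag after it, and publishing the newest tag off-box makes tail truncation detectable too. The device key, event names and timestamps are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed device key for the example. In a real ECU this would live in a
# hardware-protected key store, never in source code.
DEVICE_KEY = b"example-device-key-not-a-real-secret"

GENESIS = "0" * 64  # chain anchor used as the "previous tag" of the first record


def _mac(key, prev_tag, seq, ts, event):
    """Keyed tag over the previous record's tag plus this record's canonical payload."""
    payload = json.dumps({"seq": seq, "ts": ts, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + payload, hashlib.sha256).hexdigest()


class EvidenceLog:
    """Append-only, hash-chained event log (constructed example)."""

    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.records = []

    def append(self, ts, event):
        prev = self.records[-1]["tag"] if self.records else GENESIS
        seq = len(self.records)
        rec = {"seq": seq, "ts": ts, "event": event, "prev": prev,
               "tag": _mac(self.key, prev, seq, ts, event)}
        self.records.append(rec)
        return rec

    def head(self):
        """Newest tag. Publish it off-box (e.g. to a backend) so that cutting
        records off the end of the log is also detectable."""
        return self.records[-1]["tag"] if self.records else GENESIS


def verify(records, key=DEVICE_KEY, expected_head=None):
    """Return (ok, first_bad_index). first_bad_index is -1 when intact, and
    len(records) when the chain verifies but does not end at expected_head
    (tail truncation or a substituted log)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        tag = _mac(key, prev, rec["seq"], rec["ts"], rec["event"])
        if not hmac.compare_digest(tag, rec["tag"]):
            return False, i
        prev = rec["tag"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, -1


def log_demo():
    """Constructed scenario: a diagnostic session is opened over the OBD-II port,
    a write to a safety ECU is refused, then two kinds of tampering are tried."""
    log = EvidenceLog()
    log.append(1000, {"type": "obd2_session_open", "port": "OBD-II"})
    log.append(1001, {"type": "diag_write", "target": "ECU_brake", "result": "refused"})
    log.append(1002, {"type": "obd2_session_close"})
    head = log.head()  # what the vehicle would have reported off-box

    intact = verify(log.records, expected_head=head)

    # Tampering 1: rewrite the middle record to hide the refused write.
    edited = [dict(r) for r in log.records]
    edited[1] = dict(edited[1], event={"type": "diag_read"})
    after_edit = verify(edited, expected_head=head)

    # Tampering 2: drop the last record. The chain still verifies on its own,
    # which is exactly why the head has to be recorded somewhere else.
    truncated = log.records[:-1]
    after_truncate = verify(truncated, expected_head=head)
    chain_only = verify(truncated)

    return {"intact": intact, "after_edit": after_edit,
            "after_truncate": after_truncate, "chain_only": chain_only}
```

`log_demo()` returns `(True, -1)` for the untouched log, `(False, 1)` once record 1 is edited, and `(False, 3)` for the truncated log checked against the published head; checked without that head the truncated log passes, which is the design point: a hash chain alone proves integrity of what is present, not that nothing was removed from the end.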
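The segmentation and isolation star asks how critical systems are kept apart from non-critical ones, and the talk notes that some gateways "just let everything through". The block below is an added example of the opposite policy, written for this page rather than taken from the talk or any vehicle: a default-deny gateway between an infotainment domain and a safety-critical domain that forwards a frame only if its direction and CAN ID are on an allow-list, its payload fits, and a per-ID rate limit holds, and that never forwards diagnostic-request IDs originating on the non-critical side. The bus names, CAN IDs and rates are constructed; real vehicles use manufacturer-specific IDs. Dropped frames are the kind of event a log like the one above would record.

```python
from collections import defaultdict, deque

# Constructed domain names for the example.
INFOTAINMENT = "infotainment"
SAFETY = "safety"

# UDS diagnostic request IDs on a CAN network (ISO 15765-4 functional/physical range).
UDS_REQUEST_IDS = range(0x7E0, 0x7F0)

# Direction-specific allow-list: (source, destination) -> {can_id: (max_len, max_per_sec)}.
# All IDs and limits are constructed for the example.
POLICY = {
    (SAFETY, INFOTAINMENT): {
        0x1A0: (8, 100),   # vehicle speed for the head-unit display
        0x2B0: (8, 20),    # gear position for the head-unit display
    },
    (INFOTAINMENT, SAFETY): {
        0x3C1: (2, 10),    # head-unit heartbeat; nothing else crosses this way
    },
}


class Gateway:
    """Default-deny gateway between two CAN domains (constructed example)."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.recent = defaultdict(deque)   # (src, dst, id) -> timestamps forwarded in last second
        self.stats = defaultdict(int)

    def route(self, src, dst, can_id, data, ts):
        """Return ("FORWARD", reason) or ("DROP", reason) for one frame."""
        # Diagnostic requests from the non-critical side are refused unconditionally,
        # whatever the allow-list says.
        if src == INFOTAINMENT and can_id in UDS_REQUEST_IDS:
            return self._drop("diagnostic request from non-critical domain")
        rule = self.policy.get((src, dst), {}).get(can_id)
        if rule is None:
            return self._drop("id not on allow-list for this direction")
        max_len, max_per_sec = rule
        if len(data) > max_len:
            return self._drop("payload longer than allowed")
        window = self.recent[(src, dst, can_id)]
        while window and ts - window[0] >= 1.0:   # slide the one-second window
            window.popleft()
        if len(window) >= max_per_sec:
            return self._drop("rate limit exceeded")
        window.append(ts)
        self.stats["forward"] += 1
        return ("FORWARD", "allowed")

    def _drop(self, reason):
        self.stats["drop"] += 1
        return ("DROP", reason)


def gateway_demo():
    """Constructed traffic: legitimate status frames, a diagnostic request from the
    head unit, a wrong-direction frame, an oversized payload and a flood."""
    gw = Gateway()
    r = {}
    r["speed"] = gw.route(SAFETY, INFOTAINMENT, 0x1A0, bytes(8), 0.00)
    r["uds"] = gw.route(INFOTAINMENT, SAFETY, 0x7E0, bytes(3), 0.01)
    r["wrong_direction"] = gw.route(INFOTAINMENT, SAFETY, 0x1A0, bytes(8), 0.02)
    r["oversize"] = gw.route(INFOTAINMENT, SAFETY, 0x3C1, bytes(8), 0.03)
    flood = [gw.route(INFOTAINMENT, SAFETY, 0x3C1, b"\x01", 0.1 + i * 0.001)
             for i in range(15)]
    r["flood_forwarded"] = sum(1 for d, _ in flood if d == "FORWARD")
    r["flood_dropped"] = sum(1 for d, _ in flood if d == "DROP")
    r["after_window"] = gw.route(INFOTAINMENT, SAFETY, 0x3C1, b"\x01", 2.0)
    r["stats"] = dict(gw.stats)
    return r
```

The allow-list is keyed on direction as well as ID, so a speed frame that is legitimate from the safety domain is dropped when something on the infotainment side tries to inject it toward the safety domain; the flood shows the rate limit admitting ten heartbeat frames per second and refusing the rest until the window slides.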