Request for Comments "Connected Cars - Workshop, Project No. P175403" #00005

Submission Number:
James Foote
Initiative Name:
Request for Comments "Connected Cars - Workshop, Project No. P175403"
As I presented at the Automotive National Cyber Security conference in 2015, so much focus is being placed on privacy but little on security in the entire ecosystem. OEMs and Tier 1 providers are collaborating together to improve security within the supply chain. However, little or no attention is being paid to the security of everyone who can plug a device into the CAN bus. In the US alone there are over 23K franchise dealerships that employ over 1 million employees with a 36% turnover rate. That means on an annualized basis there are 360K employees moving from dealership to dealership, with few controls to prevent malicious activity. Dealers service approximately 2200 cars a month, with over 50% of warranty repairs being nothing more than "software updates." That means 2200 times a month a mechanic plugs his laptop into a consumer's car to update software or diagnose the car, with little or few security controls. Not to mention the 100s of other vendors, applications, and/or devices all competing to do the same. Each interaction is an opportunity to introduce a digital exploit into a car, fleet or brand. With an estimated 1.7B connected cars on the road by 2035 and every car communicating with every other car in a 300M radius, it would not be difficult for one car to impact every other car it's communicating with by transmitting false data, effectively flooding (DDoS) the other cars' sensors. What would be the impact to the economy of a brand (GM, Ford, Toyota), city, state or country if consumers were afraid to get into their car and go to the store to buy a carton of milk? Or to the 500K first responder vehicles if they couldn't get to their destinations because they inadvertently brake, crash or speed out of control? I believe the FTC and NTSB can be a unifying force to begin these dialogs with the OEMs, Tier 1 providers, NADA, and the retail dealers to better secure the entire ecosystem.
I've attached a presentation I did while I was Chief Security Officer of CDK Global. I have since left CDK but would be more than happy to provide my professional experience and expertise if needed.