Vehicle Cybersecurity at the escar show

While on travel earlier this month, I had the opportunity to attend the 2nd annual Embedded Security in Cars (escar) USA conference. It is an offshoot of the successful escar Germany and escar Asia conferences. The conference was held at the Ann Arbor Marriott Ypsilanti at Eagle Crest in Detroit, Michigan. The conference was like many other cyber conferences I have attended over the years, except that life safety is the major concern. For most cyber conferences I attend, the focus is on information and computer safety.

I arrived at midnight the morning of the conference and immediately bumped into some of the conference denizens in deep discussions about cyber at, where else, the hotel bar. There was conversation about upcoming talks as well as off-topic conversations about lock picking competitions. Later that morning the conference kicked off and we were treated to a great presentation on hacking the Controller Area Network (CAN) bus to usurp control of the vehicle. The CAN is a vehicle bus standard designed to allow microcontrollers and devices to communicate with each other within a vehicle without a host computer. In layman’s terms, it allows the various systems in the vehicle to communicate and coordinate with each other.

We were then provided a detailed and brief recap of the escar Germany and escar Asia presentation topics. The recap made me want more, which I think was the intent.

The presentations over the remainder of the day covered applied security, cryptography and a panel on information sharing, which is a topic that is very near and dear to me. The second day provided insight into more research initiatives, automotive vulnerabilities, hardware and connected vehicles.

I had the opportunity to meet many researchers, OEM representatives and a few government entities while at the show.  They are primarily focused on the CAN bus and its potential vulnerabilities.  This is the endgame (or the destination) for cyber-attacks, meaning that if you have access to the CAN bus you can potentially take control of the vehicle.  I feel that the attack vectors (or the journey) on how to access the CAN bus remotely through potentially vulnerable wireless systems were lightly touched.  To me this is a broader attack surface that hackers can focus their attention on.  Wireless systems do not require electronic devices connected to the CAN bus which means the attacker can safely perpetrate their hack without physically accessing the vehicle and putting themselves at risk of being caught by anyone who sees them tinkering with the vehicle.  This is the focus of research being performed at eTrans2020 and the focus of our cyber services being offered.  I believe this research’s time has come and expect to see an abundant amount of information rolling out soon.  There is also an element of standardization that I believe needs to be discussed when it comes to the future security of automobiles.

I cannot wait to see what great new research comes out of escar around the globe.  I look forward to participating in new research and assessment initiatives that will help save lives.  I plan to share this research at next year’s escar USA.

See you in Detroit.

Manuel Villar
Chief Security Officer
eTrans2020