Feeds

US government wants security research on car-to-car nets

Car crashed? Have you topped up its anti-virus or turned it off and on again?

SANS - Survey on application security programs

David Strickland, Administrator of the USA's National Highway Traffic Safety Administration (NHTSA), has told that nation's Senate Committee on Commerce, Science, and Transportation that he plans to research the security requirements of automated cars and vehicle-to-vehicle (V2V) networks.

Strickland appeared before the committee this week and gaped with appropriate metaphorical awe at the likes of Google's self-driving vehicles and V2V network proposals that would see one car radio another to tell it when heavy braking is required. Such systems, Strickland said, could “potentially address about 80 percent of crashes involving non-impaired drivers once the entire vehicle fleet is equipped with V2V technology.”

He's also worried about what he called “vehicle cybersecurity”, because he believes more technology in cars creates ”growing potential for remotely compromising vehicle security through software and the increased onboard communications services”

NHTSA has asked for an extra $US2m to research the problem, with the aim of “of developing a preliminary baseline set of threats and how those threats could be addressed in the vehicle environment”. Standards for car-makers are also on the agenda.

Strickland detailed other objectives as follows:

For the V2V program, our research is evaluating a layered approach to cybersecurity. Such an approach, if deployed, would provide defense-in-depth, managing threats to ensure that the driver cannot lose control and that the overall system cannot be corrupted to send faulty data. In partnership with the auto companies and other stakeholders we have developed a conceptual framework for V2V security. We are also developing countermeasures to prevent these security credentials from being stolen or duplicated. Additionally, we are developing protocols to support a V2V security system that is designed to share data about nefarious behavior and take appropriate action.”

Just what that last sentence means is anyone's guess. Here in Vulture South we imagine privacy groups might imagine liberty-challenging driver tracking, or at the very least cars letting it be known when someone's tickling their digital innards in suspicious ways.

Strickland's testimony (PDF) also signalled his agency has started work on a policy framework to allow self-driving cars. He offered the Committee an interesting hierarchy of vehicle automation:

  • Level 0—No Automation. At the initial Level 0, the driver is in complete control of the primary vehicle controls (steering, brake, and throttle) at all times, and is solely responsible for monitoring the roadway and for safe operation of all vehicle controls.
  • Level 1—Function Specific Automation. Level 1 automation involves one specific control function that is automated. The driver still maintains overall control, and is solely responsible for safe operation, but can choose to cede limited authority over a primary control.
  • Level 2—Combined Function Automation. Level 2 automation means that under some circumstances “the driver can disengage from physically operating the vehicle by taking hands off the steering wheel and feet off the pedals at the same time.”
  • Level 3—Limited Self-Driving Automation. Level 3 automation enables the driver to cede full control of all steering, brake, and throttle functions to the vehicle while remaining “available for occasional control, but with a comfortable transition time that will enable the driver to regain situational awareness.”
  • Level 4—Full Self-Driving Automation. The vehicle is designed to perform all safety-critical driving functions and monitor roadway conditions for an entire trip.

Strickland also said the agency is looking into whether guidelines are needed for how voice-activated in-car technology is designed, with an eye to possible future guidelines. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.