In-brief: One of every five software vulnerabilities discovered in vehicles in the last three years is rated “critical” and is unlikely to be resolved through after-the-fact security fixes, according to an analysis by the firm IOActive.

“These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report, which it released last week. The report was based on an analysis of more than 150 vehicle security flaws identified over three years by IOActive or publicly disclosed by way of third-party firms.

The report studied a wide range of flaws, most discovered in IOActive’s work with automakers and suppliers to auto manufacturers, said Corey Thuen, a Senior Security Consultant with IOActive. Thuen and his colleagues considered what kinds of vulnerabilities most commonly affect connected vehicles, what types of attacks are most often used to compromise vehicles and what kinds of vulnerabilities might be mitigated using common security techniques and tactics.

The results, while not dire, are not encouraging. The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation. “These are all great things that the software industry learned as it has progressed in the last 20 years. But (automakers) are not doing them.”

The result is that vehicle cybersecurity vulnerabilities are not solvable using “bolt-on” solutions, IOActive concluded. That is because they are caused by flawed engineering assumptions or insecure development practices. “The most effective cybersecurity work occurs during the planning, design and early implementation phases of products, with the difficulty and cost of remediation increasing in correlation with product age and complexity,” IOActive’s report notes.

In an interview with The Security Ledger, Thuen said that the automotive industry is coming up to speed on cyber security in the wake of high-profile incidents like the 2015 wireless hack of a Jeep Grand Cherokee by researchers Charlie Miller and Chris Valasek. Both now work for Uber, though Valasek conducted much of the vehicle research as an IOActive employee.

Still, auto firms remain wary of information security firms and wedded to the notion that keeping the details of their systems secret will ensure security (aka “security through obscurity”).

“Their general attitude is that they don’t want to engage researchers or share their ‘secret sauce,’” Thuen said. “The attitude is anti-security in general. It’s the Ostrich approach – we’re going to stick our head in the sand and say that we can’t hear you, or that everything you’re saying isn’t important.”

That can make conducting security research on vehicles painstakingly slow – but also fruitful, said Thuen. Miller and Valasek’s research is a great example. Much of the work the two did was not devoted to analyzing the Fiat Chrysler system for security holes, but merely to figuring out the specifics of the company’s implementation of standard components, like the CAN (Controller Area Network) bus.

“A lot of what the public considers ‘vehicle hacking’ was just ‘how to use the vehicle’.” The two needed to be able to decipher traffic from the vehicle – figuring out what command causes the steering wheel to turn or the brakes to be applied. Once that work was done, finding security holes and figuring out how to exploit them was a simpler matter, given that the underlying components were not designed with security in mind, he said.

Resistance to the attentions of security researchers is rooted in an engineering culture that looks on software vulnerabilities as shameful – far different from software-based engineering that generally accepts vulnerabilities as an inevitable byproduct of writing code. “It’s not shameful to have vulnerabilities. What is shameful is to have them and not move forward to fixing them,” he said.

The industry has made progress. Last month, an auto industry information sharing and analysis center (ISAC) released a set of cyber security best practices. And Thuen said that more and more automakers and suppliers are seeking out IOActive’s help. “Our auto related business has doubled every year for the last few years,” he said.

Still, a Government Accountability Office (GAO) report last year (PDF) emphasized that help – in the form of more secure vehicles from Detroit or new regulations and standards from Washington D.C. – is likely years from being realized. Automakers are working to design more secure in-vehicle systems and regulators, like the National Highway Traffic Safety Administration (NHTSA), are still trying to determine their role and the scope of possible regulations, the report noted.

Still, car companies that are investing more and more in software driven features and services will need to be adept at changing their internal culture and processes to deal with the security and privacy risks that result, Thuen said. “(Automakers) need to recognize that their industry is undergoing a major pivot that will require personnel changes and policy changes,” he said. “They need to realize that there’s a lot (they) don’t know, and that’s OK.”