The non-profit group, known as "I am the Cavalry," is asking
attendees at this weekend's Def Con hacking conference in Las Vegas
to sign an open letter to "Automotive CEOs" to ask them to implement
basic guidelines to defend cars from cyber attacks.
"The once distinct worlds of automobiles and cyber security have
collided," said the letter. "Now is the time for the automotive
industry and the security community to connect and collaborate."
Vehicles rely on tiny computers to manage everything form engines
and brakes to navigation, air conditioning and windshield wipers.
Security experts say it is only a matter of time before malicious
hackers are able to exploit software glitches and other
vulnerabilities to try to harm drivers.
The Cavalry group is scheduled to make a presentation at Def Con on
Saturday about efforts to improve auto security. They will not
disclose any specific problems that might embarrass carmakers, said
Josh Corman, a security industry professional who co-founded the
group a year ago.
That sensitivity contrasts with much of the hacking research
presented these days at Def Con, which attracts more than 10,000
attendees. For instance, one high-profile paper being released this
year reviewed 20 vehicle models to find the three "most hackable"
The Cavalry group has been trying to smooth relations between
researchers and industry by promoting responsible disclosure. That
means they approach carmakers to discuss bugs before going public,
giving them time to fix them.
"The goal is build trust," said Corman, chief technology officer of
software firm Sonatype. "In the past, these hacking talks were 'Look
at me. Look at what I did.' There wasn't much care for what happens
next and how it affects the industries."
Leaders of the Cavalry - which has several hundred active members
who also study medical devices, consumer electronics and critical
infrastructure - have spent the past year meeting with other
security experts, manufacturers, regulators and lawmakers.
On Tuesday, the group talked about hacking cars and medical devices
with industry representatives in a private meeting in Las Vegas.
They agreed not to publicly discuss those sessions.
Katie Moussouris, a Cavalry leader who is an executive at a startup
known as HackerOne, said she encourages hackers to show empathy when
[to top of second column]
"It is important to show that you are not just trying to show their
weakness and make them look stupid, but that you are trying to
help," said Moussouris, who until recently ran outreach to security
researchers for Microsoft Corp.
Wade Newton, a spokesman for the Auto Alliance, which represents 12
car makers, declined to comment on Cavalry's efforts to reach out to
the industry. "Our record shows that we typically welcome the
opportunity to work with a broad array of stakeholders when we have
a common goal," he said.
The U.S. National Highway Traffic Safety Administration said in a
statement that it is not aware of any incidents of consumer vehicle
control systems that have been hacked.
Not all researchers believe in Cavalry's conciliatory approach.
Charlie Miller, who co-authored the study on "most hackable" cars,
said he does not think automakers will take serious action to
improve security until they are shamed into doing so by someone who
demonstrates code capable of remotely attacking a car and causing it
"They say they know what they are doing. But all the evidence points
to the contrary," said Miller.
Jeff Moss, who founded Def Con 22 years ago and is now an advisor to
the U.S. Department of Homeland Security, said there are merits to
"Either side has a valid argument," Moss said. "It's almost like a
carrot and stick approach."
(Corrects spelling of Cavalry in paragraphs 2 and 5)
(Reporting by Jim Finkle in Las Vegas; Additional reporting by Eric
Auchard in Las Vegas and Michael Leibel in New York; Editing by
[© 2014 Thomson Reuters. All rights
2014 Reuters. All rights reserved. This material may not be
published, broadcast, rewritten or redistributed.