NYU Tandon prof unveils Homeland Security–funded framework for software security in cars

Here’s the scenario: You’re cruising in your electric car and you hear your doors lock all around you. A message pops up on your central console demanding you wire $10,000 in Bitcoin to a Russian hacker or else he’ll cut off your brakes and send you zooming, out of control down the highway.

That’s the nightmare scenario that a group of researchers, led by NYU Tandon professor Justin Cappos, wants to avoid. Cappos, along with collaborators from the University of Michigan Transportation Research Institute and the Southwest Research Institute, created a software security update framework for automobiles called Uptane, unveiled last week to reporters at an event at NYU Tandon.

NYU Tandon professor Justin Cappos. (Photo by Tyler Woods)

As our cars become more and more like computers with wheels, they will fall vulnerable to the same cybersecurity threats experienced by everything online now. Cappos said today’s cars have between 50 and 100 mini computers in them already.

“A car is still a mechanical thing but you can think of it as a bunch of computers that control mechanical aspects,” he said at a recent press conference at the engineering school. “They talk together and the networks inside of the car don’t have the necessary security to protect from a malicious hack. What security experts have shown is that they can go and exploit a problem in one part of the car to get into other parts that can disable the brakes, lock you in your car or turn on the A/C.”

Uptane, which has gotten funding from the U.S. Department of Homeland Security, is not a piece of antivirus software, but rather a way of thinking about software security in vehicles that Cappos hopes will become the industry standard. It suggests a separation of duties for different parts of the car’s software system doing different tasks, and a threshold of signatures, where for important software functions more than one actor will have to sign off on making changes.

“There’s Bluetooth, WiFi, cellular [communication],” said Sam Lauzon, of the University of Michigan. “Soon we’ll have vehicle to vehicle, so at any time there could be three or four devices communicating with your vehicle. Ten years ago this was all inside a car, they didn’t have WiFi or Bluetooth. Now all these systems are interconnected and hackers are finding ways of making them interact with each other in ways that weren’t intended.”

The researchers noted that we are still in the infancy of cybersecurity for cars. But in the years that come, particularly as cars become autonomous to varying degrees, this issue will come to the fore. These researchers are trying to get out in front of that problem.