With multiple proven attacks on modern vehicles, the biggest car makers in the world are asking the question: How best to protect fleets from hackers?
Cloudflare, the San Francisco company that provides security and content delivery for 6 million websites, thinks it has the answer. It’s planning to make waves in the burgeoning vehicular cybersecurity market in the coming years, says CEO Matthew Prince, speaking to Forbes earlier this week from the company’s London HQ.
Though he declined to name any customers, he revealed the plans started to coalesce shortly after Cloudflare head of information security, Marc Rogers, hacked a Tesla for a talk at the famous DEF CON conference in August 2015. Rogers, who’s spent much of the last week fixing the CloudBleed bug caused by a Cloudflare error, could well lead the motor industry drive.
Since that Tesla hack, enquiries about the potential to expand Cloudflare’s made it apparent that the firm could apply everything it’d learned from helping a vast number of websites and other connected devices stay on the web to the automotive industry. Prince claimed Cloudflare already funnels a lot of Internet of Things devices through its systems, and foresaw last year’s massive web outage caused by huge botnets of connected devices. And it knows it can handle critical infrastructure systems, so why not cars too?
Explaining the protection Cloudflare might provide, Prince said: “Cars that have an internet connection will have to pass through us… if there’s some sort of vulnerability or DDoS [distributed denial of service] attacks, we’ll be the first contact [and block malicious traffic].” Software updates to vehicles may also be made swifter and more secure if passed through extra checks on Cloudflare servers.
But will car makers buy into Cloudflare’s new business? There are two potential customers with whom Prince’s firm has already done business. First is Tesla, thanks to Rogers’ research that made Elon Musk’s electrics that little bit safer. Second is Uber, whose websites and apps already take advantage of Cloudflare’s services.
Sources close to Tesla and Uber security teams said there were no known plans to invest in Cloudflare’s offering, however. One said there was very little chance of Uber ever investing. The sources, who asked to remain anonymous, couldn’t say whether Tesla might be compelled to invest in the future, though.
Another vehicular security expert, Rapid7’s Craig Smith, said he was dubious such a product would help provide cars with more protection. “I have seen proposals, mainly from academia that are similar. The concept being that vehicles use small embedded systems that can’t handle deep learning AI, so let’s put that decision making in the cloud. I’m not a fan of that for several reasons but the big one being that the decision making is not local,” said Smith, who co-authored the Car Hacker’s Handbook.
“There may be a way to compromise where only extra data is decided or used for future calculations but when it comes to actual thinking or real time security protections… Saying I’m ‘skeptical’ would be an understatement. However, I’m always willing to evaluate someone’s solution. You never know.”
Though such skepticism is understandable, given Cloudflare’s rapid rise in the anti-DDoS and web networking spheres, it wouldn’t be a total shock to see it disrupt another market, albeit a burgeoning one where the lay of the land is uncertain. It may also have bigger ideas than it’s currently revealing. Prince says to expect full details on Cloudflare’s car security plans in the near future.
Source: SANS ISC SecNewsFeed @ March 4, 2017 at 09:21AM