Dedicated Short Range Communications (DSRC) Expose Critical Gaps in Security and Privacy
SecureSet Releases New Report on Known Vulnerabilities and Mitigations
Denver, Colorado – March 29, 2017 – SecureSet, a leading cybersecurity services company, today released a new report, Security Considerations for Connected Vehicles and Dedicated Short Range Communications, that highlights the critical gaps in the existing security architectures of vehicles and the inherent security and privacy concerns associated with the use of Dedicated Short Range Communications (DSRC), also known as IEEE 1609.
“Automotive manufacturers will become primary targets for malicious hackers as connected cars become more common on our roads and integrate with more systems in our world,” said Alex Kreilein, Cofounder and Managing Partner at SecureSet. “Unfortunately, the National Highway Traffic Safety Administration’s mandate to require installation of DSRC units in all new vehicles does not properly take into account the current security limitations of the technology, which could leave drivers vulnerable to cyber-attacks and privacy violations, rather than making them more safe and secure.”
By bringing these known vulnerabilities to light and providing recommendations to stakeholders, the report is intended to help standards bodies and manufacturers address these concerns more thoroughly and make the roads as safe as possible for Americans.
Highlights from SecureSet’s report:
- Vulnerabilities discovered by researchers identify the need for continued work in the cybersecurity safety engineering of vehicle systems.
- Poor configuration management, a general lack of supply chain and code security, and the industry standard for the assembly of modern automobiles all enable tampering, privacy violations and security vulnerabilities.
- Without policies and standards to address the impacts of monocultures, where a single unit system vulnerability can quickly infect the entire population of devices, the automotive sector is sure to fall victim to the same common mode failures that plague the general IT market.
- DSRC service commercialization further increases risk. Allowing content like advertising, music, video and gaming to traverse networks designed for life and safety applications knowingly injects risk into the equation, especially when content development is conducted by third parties without meeting universal standards.
- Vehicles enabled with DSRC are vulnerable to at least six specific categories of attacks: deception attacks, denial of service attacks, cryptographic exploitation, malware exploitation, jamming and spoofing, and V2X exploitation.
- Compounding these security issues, DSRC enables privacy-implicating tracking as a logical outgrowth of its core mission. Privacy is lacking in DSRC’s design, as the service does not handle MAC addresses in a way that meets sufficient privacy requirements.
SecureSet is building an end-to-end community focused on fulfilling the promise of cybersecurity. Today, the security industry is falling short, with critical product and people gaps along this new battlefront of business. That is why SecureSet operates both a cybersecurity Accelerator and Academy.
SecureSet Accelerator offers a unique capability to elevate novel cybersecurity startups addressing some of the top problems in the tech industry. This tested capability brings together customers, resources, support, and structured programming. This enables deep focus on building companies, product, and market traction to build outsized outcomes for entrepreneurs, customers, and investors.
SecureSet Academy offers the first bootcamp-style, comprehensive cybersecurity education programs in the U.S. — and the fastest route to entry-level careers in the field. The Academy was launched in response to the global shortfall of cybersecurity professionals who are needed to meet the rise in sophisticated threats worldwide.