Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges
Figure 1: Approach of ISO/IEC 29147 and modification proposal for application in the automotive field indicated by bold arrows.
Figure 2: Overview of the phases of automotive vulnerability disclosure from a process and technical perspective.
Abstract
1. Introduction
2. Vulnerability Disclosure
2.1. The Protection of the User as the Main Objective of Standardized Processes
2.2. The Implementation—Learning from Classical IT
2.2.1. Appropriate Grace Periods for Patching
2.2.2. Exact Specifications for Valid Vulnerability Reports Are Important
2.3. In the Mind of a Hacker
2.4. Facing Legal Challenges
3. Current Practice within the Automotive Environment
4. Disclosure and Usage of Automotive Vulnerability Information
4.1. Joint Schemes for Description and Sharing of Vulnerabilities and Their Information
4.2. Conditions for a Beneficial Disclosure Culture
4.3. Multiplying Benefits Through Sharing of Information
4.4. The Automotive Strategy for Vulnerability Disclosure
4.5. Process Description, Requirements and Responsibilities
4.5.1. Manufacturer
4.5.2. Finder
4.5.3. Coordinator
4.5.4. Public and Users
4.5.5. Governmental Organizations
4.5.6. Testing Organizations and Independent Workshops
5. Conclusions
6. Related Discussion
7. Further Work
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
Abbreviations
| Abbreviation | Meaning |
| --- | --- |
| VD | Vulnerability Disclosure |
| CPE | Common Platform Enumeration |
| CVE | Common Vulnerability Enumeration |
| CVSS | Common Vulnerability Scoring System |
| CERT | Computer Emergency Response Team |
| CSIRT | Computer Security Incident Response Team |
| CSMS | Cyber Security Management System |
| NVD | National Vulnerability Database |
| MB | Mercedes-Benz |
| OTA | Over-the-Air |
| TCU | Telematic Control Unit |
Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
MDPI and ACS Style: Bolz, R.; Kriesten, R. Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges. J. Cybersecur. Priv. 2021, 1, 274-288. https://doi.org/10.3390/jcp1020015
AMA Style: Bolz R, Kriesten R. Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges. Journal of Cybersecurity and Privacy. 2021; 1(2):274-288. https://doi.org/10.3390/jcp1020015
Chicago/Turabian Style: Bolz, Robin, and Reiner Kriesten. 2021. "Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges" Journal of Cybersecurity and Privacy 1, no. 2: 274-288. https://doi.org/10.3390/jcp1020015
APA Style: Bolz, R., & Kriesten, R. (2021). Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges. Journal of Cybersecurity and Privacy, 1(2), 274-288. https://doi.org/10.3390/jcp1020015