Mitsubishi Outlander hack: Industry reaction

Following today's news that security researchers successfully hacked into the anti-theft system of a Mitsubishi Outlander, various industry professionals have offered their thoughts and analysis.

French Caldwell, former Gartner fellow and chief evangelist at MetricStream:

“IT compliance and cybersecurity have become integral to the overall safety and compliance of modern cars. Often focused on health and safety, the environment, and quality controls, product compliance has traditionally been the province of engineers. However, as more and more car manufacturers embark on digital business strategies, it’s vital that they ensure product engineers are working closely with IT and security professionals to ensure the integrity and security of their products.

“It’s not just fines and penalties at stake, but also the life and limb of passengers. Imagine if shortcuts were taken on the IT systems associated with navigation on driverless cars. Much more needs to be done to ensure compliance isn’t just seen as a ‘checklist’ test which simply needs to be passed. The stakes are far too high for that.”

Simon Moffatt, Director Advanced Customer Engineering at ForgeRock:

“The Mitsubishi Outlander vulnerability is another example of why an identity-centric approach to connected device management is essential in reducing risk and enhancing user experience. As more and more objects join the Internet of Things, high-end items such as connected cars will become increasingly attractive targets for hackers. Whilst manufacturers focus on end user experience and device connectivity, there needs to be a more joined-up approach to security, including a strong focus on device, service and user identity management.

"It is important that devices, such as a car or a mobile phone application, have individual identity profiles, with validated authenticated and authorised services, that can restrict the operations or data made available. Doing so allows Internet connected devices to confirm that the digital identity of the user and device is in fact fully aligned, and the right people are accessing the right services at the right time - making malicious activities more difficult."

Matthias Maier, Security Evangelist at Splunk:

“More and more car manufacturers are taking a ‘connected-first’ approach. For example, increasingly updates can be installed ‘over-air’, providing the customer with the opportunity to regularly improve their car’s performance and software, as well as monitoring the operation of those vehicles. If those networks aren’t totally secure or isolated, an opportunity exists that hackers could exploit.

"It’s vital that car manufacturers monitor Engine Control Units, infotainment systems and on-board wi-fi networks to detect and mitigate any compromise. This allows the manufacturer to detect potential threats early and act quickly to ensure that customer security and safety is maintained."

John Smith Principal Solution Architect, Veracode:

“This bug is the latest in a growing line of connected car vulnerabilities that puts the safety and security of the car - and its owners and passengers - at risk. Recent Veracode research, conducted by IDC, found that there could be a three year lag before in-car technology and automotive applications are developed with security in mind.

"With this in mind, it is critical that car manufacturers learn from these examples, ensuring that all driving applications are developed with robust cybersecurity methods from the outset.”

Image source: Shutterstock/FotograFFF