"That's a basic principle for security."
Andrew McLennan, a former Visa executive and now president of embedded security vendor Inside Secure's mobile division, agreed with Juliussen, and said carmakers must first add cryptography to ensure that communications between software inside a device and between devices are authenticated. Car makers must also ensure that software is only allowed to run in the manner designed by the coder.
"Add in remote security monitoring to alert if there is a software or network breach," McLennan said. "This means you do not have to rely on trying to create white-list/black-lists for known attacks, the bad guys are always a step or two ahead of developers, and it's an arms race that has never yet been won in antivirus markets."
In their letter to the NHTSA, Markey and Blumenthal said modern vehicles are continuously expanding and advancing their connectivity for incorporating advanced systems for navigation, vehicle-to-vehicle communications and infotainment. With additional wireless connectivity, the number of potential avenues for cyberattacks will only increase, "and we are only just beginning to understand the nature of the emerging threat posed by car-hacking," they wrote.
"Until we can identify all vulnerable systems and vehicles, car-hacking will continue to present a critical threat to the safety of drivers, passengers, and road users," the letter stated. "The NHTSA must rapidly determine whether other vehicle models are affected by this particular vulnerability, and how remedial actions can be deployed by manufacturers and regulators to secure all vehicles on our roads."
Earlier this month, Markey and Blumenthal filed legislation that would require the federal government to establish standards to ensure that automakers secure a driver against vehicle cyber attacks.
Among other things, the Security and Privacy in Your Car (SPY Car) Act calls for vehicles to be equipped with technology that can detect, report and stop hacking attempts in real time.
Sign up for CIO Asia eNewsletters.