The latest trends and tips in DevSecOps through instrumentation and Security Observability.

Subscribe To Blog

Point of View: Potential security issues with vehicle to vehicle connected cars


The fundamental problem is that the industry hasn’t created a thorough (and openly available) threat model that adequately considers what hackers might do. The analysis of V2V communications I’ve read focuses on safety issues — what happens under normal circumstances and even when crazy things happen on the road.  There are numerous engineering challenges here, but the analysis doesn’t include malicious actors.

These safety considerations are nothing compared to the circumstances when a hacker gets involved.  Consider the attacker jailbreaks a V2V communication system.  Now he can send arbitrary messages to any other vehicle at any time, tricking the device into issuing alerts to drivers.

What if the attacker can send a message that contains an exploit for the system in your car?  This provides the attacker the ability to do anything that is within the physical capability of the V2V system.  Even start to attack other reachable systems within the car.   To my knowledge, current V2V isn’t intended to allow access to brakes, steering, etc…  However, manufacturers are motivated to consolidate computer systems. Why deploy two when one will do?  The history of security isn’t good in these situations.  Attackers have been incredibly adept at bridging from one system to another.


On balance, though, I think V2V will be good for overall safety.  There will certainly be vulnerabilities, which we will fix. And there may be attacks, which may be disastrous. But I believe this will be a huge net positive for driver safety.  I just wish we didn’t have to always field technologies with massive security holes and then spend decades patching them up. Relying on unpaid security researchers seeking BlackHat fame just doesn’t seem like the right model when people’s lives are on the line.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.