Five years ago, if you wanted to publicly demonstrate a car hack it usually meant you would (at the very least) get a series of cease and desist letters. Of course this made it very hard for researchers to report problems. If a security researcher found something that they were concerned about and wanted to see it addressed, they would turn to the vendor to try and get it fixed. Unfortunately, automaker's websites didn't have a place to report security findings. You could try contacting support or talking to a dealership but that would almost never get to corporate, and when it did, it just meant you were about to be threatened with a lawsuit.
What's a researcher to do if they reach out to a vendor and they vendor never gets back to them? Researchers tend to get concerned that an issue is being ignored, so they often would go to the press or give a talk at a conference -- effectively trying to raise awareness or shame the vendor into taking action. Of course when that happens, you are bound to get the hate from the auto industry. This creates a viscous cycle that is hard to break from.
To make matters worse, hacking cars is sexy! It must be, the media loves covering car hacking. The good thing about this attention is that it gets more researchers interested into looking at automotives through a security lens. The auto-industry tends to still hate this kind of press but it's mainly because of the tone of many of these articles take. And honestly, I hate fear mongering articles just as much as they do.
In the last two years we have seen many automotive companies participating in security events and even participating in the Car Hacking Village at Defcon. A few have security specific contact pages and even bug bounty programs. This has created a great feedback cycle.
Let's take a recent security finding by Keen Security Labs. Keen had done excellent research recently by successfully remotely exploiting a Tesla and gaining low level CAN bus controls. For those not familiar with CAN bus, it's a bus network that grants low level controls to a car. What those controls are vary on the vehicle and bus you have control over. The full details of the attack are not public at the time of this writing, however here is their demonstration video:
It appears Keen did some thorough research but what is the most exciting thing about this is what they did with the finding. They contacted Tesla through Tesla's collaborative disclosure methods. Tesla assessed the probability of exploitation to the customer base and determined it was relatively low due to the specific conditions necessary to perform the attack. However, they still pushed out a patch to their customers in under two weeks of being notified of the vulnerability. Keen worked with Tesla and once the issue was address they released their demo.
THIS is the news story. While the hack is cool and all (and sexy!) the real proof is that a significant finding was received and quickly addressed by the auto industry. When I first started in automotive security five years ago, I thought this day would never come. Hopefully the media will soon start to showcase the handling of findings so we can showcase to those industries still catching up that, this is how the system is suppose to work. All software has bugs, cars are software, the question is: What do you do about it once one is discovered?