Hacked pacemakers, hijacked cars, tampered thermostats. The Internet of Things promises many advantages, but no one seems to care about the dangers of connecting everyday machines and gadgets to the worldwide computer network.
Never fear — I Am the Cavalry is riding to the rescue. It's a non-profit group of security-minded individuals and experts committed to finding, fixing and preventing the risks found in computerized medical devices, consumer electronics and, perhaps most importantly, motor vehicles.
These experts donate their time and expertise to make cars, refrigerators and other newly connected devices safe from hackers, and may be the only thing standing between cybercriminals and the peace and safety you expect every day.
Because many automotive systems are managed by tiny computers — from engines and brakes to navigation, air conditioning and windshield wipers — it may be only a matter of time before attackers exploit automotive software bugs to harm drivers.
To prevent such nightmare scenarios from happening, members of I Am the Cavalry speak at security and industry conferences throughout the year. They meet and collaborate with manufacturers and government officials. And when Cavalry researchers find software or hardware bugs, they approach the companies involved to get them fixed.
"The goal is to build trust," said Josh Corman, chief technology officer of Fulton, Maryland-based application-security provider Sonatype and one of the founding members of I Am the Cavalry. "We want them [the manufacturers] to look at us as a helping hand."
Making sure connected cars drive safely
The Cavalry's most visible activities have concerned vehicular safety. (They're working in other fields as well, but can't disclose those.) In August 2014, the group released an open letter to the CEOs of automobile manufacturers calling for an increased focus on security, urging more cooperation between companies and researchers and presenting what the group calls its "Five Star Automotive Cyber Safety Framework."
Since then, Cavalry members have met with auto-industry groups, automakers, after-market security companies and government agencies. In November 2014, the Cavalry held a workshop at a connected-car-security event hosted by the Department of Homeland Security and the Department of Transportation. The latter agency has adopted the "Five-Star" language outlined in the open letter as part of its executive guidance.
I Am the Cavalry will soon join the monthly meetings of the Society of Automotive Engineers International (SAE), a global association of engineers in the aerospace, automotive and commercial-vehicle industries. That should bring the Cavalry into contact with engineers and senior executives working on automotive electronic systems, said Beau Woods, CEO and founder of Atlanta-area consulting firm Stratigos Security, who has been working with the group.
"If that's not validation they [auto industry] are willing to embrace it [security], I don't know what is," Corman said.
The Cavalry collaborates with Open Garages, a non-profit organization that sets up garage workspaces where researchers and mechanics can work on automotive electronic systems. The brainchild of Car Hacker's Handbook author Craig Smith, these garages offer mechanics a place to share resources and pass along what they've learned.
Previously, Smith said, the only way to really understand automotive electronics, even just to run diagnostics, was to reverse-engineer systems or use shady after-market kits. But when they enter one of the Open Garages, Smith said, "people say, 'Oh, this isn't too bad, I can do this.'"
"People think you have to be super black-hat ninja to work with these systems," Corman said. "But when you see these systems demystified, you can see elements which are similar to enterprise networks."
Just who is the Cavalry?
There are more than 400 people on the I Am the Cavalry mailing list, but levels of participation vary. The "high-focus" group is about two or three dozen people, Corman said, and there are about a dozen core leaders whose day jobs are at computer-security firms across the country.
Staffers at auto manufacturers sport I Am the Cavalry stickers on their laptops and ask Corman, "Where is my horse?" They may never join the mailing list, Corman said, but they agree with the Cavalry's goals.
"Auto engineers, researchers — we are all on the same side," Woods said. "We all have a common goal. We will get there a lot faster if we do it together."
The Cavalry has company
Members of I Am the Cavalry aren't alone in trying to make cars safer. Researchers Charlie Miller and Chris Valasek showed how to take over the steering controls of a 2010 Toyota Prius and a 2010 Ford Escape at DEF CON 2013 and issued a list of the world's most hackable cars a year later.
"Right now I'm focused on building our automotive-security service offering at IOActive," which offers full assessments of existing models, Valasek told Tom's Guide. "Charlie and I are working on some research together, but we can't really talk about it now."
Miller and Valasek aren't members of I Am the Cavalry, because they take a different tack.
"We do research and point out specific vulnerabilities and weaknesses in real systems," Valasek said. "We also communicate this to the public and manufacturers. The Cavalry talks about the issue."
Instead of highlighting flaws in existing models, the Cavalry looks ahead, focusing on defensible design, working to improve relations between researchers and private-sector organizations and influencing future strategic choices. But both strategies increase automaker -- and auto customer -- awareness of automotive-security issues.
"We can meet in the middle," Corman said of the different approaches.
Working with automobiles requires a long view, Corman said. Automakers are already producing parts for the 2018, 2019 and 2020 model years. Design changes arising from today's security discussions won't likely appear until after then.
"We are stuck with Band-Aids until 2021," he said.
The name "I Am the Cavalry" may seem a little strange, as well as a bit of a mouthful. It was originally conceived as a personal affirmation, Corman says — an acceptance that you can't wait around for someone else to come save the day.
The name evokes the sense that anyone, regardless of his or her skill set, can get involved in connected-device security and help make the Internet of Things safer.
"What we meant to say was, 'You are the cavalry,'" Corman said.