This might not be the best title, but I like the alliteration for a the problems we have when governments seek to prevent security researchers from releasing information about software vulnerabilities. This is nothing new, as vendors have tried to prevent this for years, arguing that criminals will exploit the information and target users before a patch can be built. The other side of the argument is that many software companies don’t bother building patches if the issues are kept secret.
What might be different in this case is that we aren’t talking about database software, devices, or banking websites. Certainly those systems may need secure software, but here we have the US Department of Transportation arguing that security details about automobile software shouldn’t be released. There is some leeway in that potentially limiting details might satisfy the government, but apart from that, how do you feel?
Many of us use vehicles every day. We might use private cars, but we might use public buses, trains, and airplanes, all of which are making more and more use of software over time. I don’t know, but I suspect, that much of this software is being developed with an eye towards ensuring it works as intended much more than with a view towards how malicious users might take advantage of vulnerabilities. Far too often it seems that we have new systems where control data is allowed to transit the same networks and computing structures as less secure data, with minimal security across the entire system.
I certainly think that some researchers might not appreciate the dangers of random people experimenting with the issues they disclose, but I also truly believe that the pressures of getting software released overwhelm the concerns and dangers that exist overall. There are no shortage of people with time to spare, abundant computing resources, and substantial intelligence devoted to finding flaws in software. They work at “hacking” the system to change behaviors. While it’s a game to many, there are very real consequences to the world if strong security isn’t built into vehicle software.
I don’t know that I expect much to change, but I suspect that we will see more and more issues over time, more lawsuits and more highly technical and forensic analysis performed when we a system is attacked. I can only hope that we actually disclose poor security practices so that vendors do learn that their embedded systems need better, and more secure, software engineering practices implemented.