
The other might be an unwritten rule in the automotive industry. They just hire a bunch of hackers and make sure it stands up to 15 minutes.



> might be an unwritten rule

That's not a source, or even anything close to it. Purely hearsay.

> They just hire a bunch of hackers and make sure it stands up to 15 minutes.

Stands up to 15 minutes of what? Smashing the side window with a crowbar? Angle grinders through the driver side door? Who hires them? What sources do you have that say this? You seem very authoritative in this thread, yet have nothing to support your claims.


"You seem very authoritative in this thread, yet have nothing to support your claims." - Unfortunately, I can't back my credentials because of the stuff I've work/ed on. I can say it was a US company involved in automotive parts.

"Stands up to 15 minutes of what? Smashing the side window with a crowbar? Angle grinders through the driver side door?" - Exactly the point I was making. They just hire a random number of hackers (not random obviously, but probably not much research into what is truly sufficient either) and leave them alone with the system for a few days to see if they can do anything to it. If nothing happens they get a pass. It was literally a case of getting a tick in the right box.

"Who hires them? What sources do you have that say this?" - The place I work/ed.

I need to see if the specifications are public. I checked with an old colleague and they weren't sure if they published them - so they are now checking themselves. They agree that it was Government defined, but now I'm interested in finding out who else had to adhere to that.


Do you have any evidence for that at all?

I'm fairly sure that automotive security testing doesn't have an arbitrary limit on time of attack...


How long do you set? How much do you test? At some point, you just have to say "enough is enough".

It was a few years back, but I think (not entirely sure) the requirement time aligned with the time it took to hack Bluetooth or something. I think there was a case about hacking car wheels that reported their tire pressure via Bluetooth and that was used as a time to be better than. Perhaps this story [1]. I think they were using it to get people to pull over and hijack their vehicle.

But that could be wrong, I just remember there was some discussion about that around the time we were talking about the security requirements. That's the best I can do.

[1] http://arstechnica.com/security/2010/08/cars-hacked-through-...


Of course all security assessments are time limited, but 15 minutes isn't a time frame I recognise from 10 years as a security consultant...

Security assessments are usually measured in days or weeks or, for large projects, months.


I don't think 15 minutes is the limit of vulnerability discovery, I think it's the limit for the exploitation. I think it was weeks instead of months, time was really tight. I honestly can't remember whether they get the source code to work with.

If I remember rightly they test the CAN and all wireless signals. I think one of the things they were worried about is an owner re-flashing the on-board software and selling on the car as it might still be under warranty.

But of course now that the vehicles are both online and moving towards self-driving, the threat space is completely changing. I think we're approaching the days where a computer virus actually takes lives.

"from 10 years as a security consultant..." Out of interest what area do you consult in?


Is that 15 minutes of brute force? Because surely as technology improves more can be done in 15 minutes.


Here's the thing, when software goes into a car it will likely have to last 10 years until it's outside of the manufacturer's warranty (I think that's in the Ford spec). So sure, 128-bit encryption (not sure what protocol they use) is tough to crack today, but in the next 10 years when the car is still on the road, will it still be tough to crack?



