31 . August 2017
Posts nach Autoren: Martin Hunt, Senior Business Development Director, Automotive Global Industry, BT
Hacking and vulnerabilities through connectivity are here to stay. And, the sooner we use ethical hacking to adjust to this new normal, the better.
Connected cars — and vulnerabilities — are here to stay.
It’s estimated that 36 million new cars with embedded telematics will be in service globally by 2018. And the autonomous vehicle trend also continues to grow. Google has been working on its self-driving cars since 2009 and aims to have its technology fully optimised by 2020. Large manufacturers like Nissan, Ford, and Toyota are also exploring this track, and Tesla is ahead of the curve; it unveiled its basic self-driving functions in 2015.
Hacks are a part of this new normal, acting as a constant reminder to the whole industry that we must be vigilant. And, as new technology develops, we need to see it as a double-edged sword — exciting opportunities open up, but fresh vulnerabilities will also be exposed, increasing the risks of being on the road. Smart manufacturers are already adjusting to this new operating scenario, using ethical hacking to reduce the risk.
Wake up to the world of hacking.
Experiments increasingly show the relatively easy and wide range of ways cars can be compromised, through remote or physical access or, in some cases, through the vehicle’s supporting applications. Only in August last year, video surveillance emerged of two individuals using a laptop to hijack 100 Dodge and Jeep cars, revealing just how easy it was for the men to take control and get into the vehicle.
And at the 2016 Black Hat conference, two researchers presented a new technique for hacking into the Jeep Cherokee via the vehicle’s Controller Area Network (CAN) bus which handles communication between the different car systems. This (physical, not remote) hack was even more powerful than previous ones, allowing them to accelerate the car, turn the steering wheel, and engage the brakes.
As connectivity increases, there’s a danger that it will outpace security. For example, the Nissan Leaf’s climate control, batteries and trip data, were all accessed via a flaw in a companion app that only needed the car’s Vehicle Identity Number to take control.
Creating the services to protect connected cars.
The good news is that smart manufacturers are beginning to overhaul their enterprise structure by adding cyber-security experts in the mix to address security flaws much faster. And manufacturers, such as GM, have also established a vulnerability submission programme that allows researchers to submit security discoveries directly to the company.
BT’s automotive practice has been created to support the automotive industry in protecting the promise of connected cars, incorporating ethical hacking into its services to tackle the issue of security head on.
At BT, we approach security with two goals in mind: firstly, we strive to protect our customers from cyber crime, and secondly, we use security measures as an enabler for innovation and technological progress.
For example, while it is technically possible to pull and push data to a car, most car manufacturers do not exploit that opportunity due to security concerns. One of the biggest opportunities in this regard is to enable remote software updates. Let’s look at Tesla: it may have been hacked, but it can distribute a patch to fix the problem almost immediately. Other manufacturers have to recall millions of cars or send a software update by mailing a USB stick to their customers, which is hardly a secure measure. These are the types of issues we want to address.
Ethical automotive hacking with BT.
Our ethical hacking practice has been running since 2015. It looks at the full spectrum of the car’s connectivity, including 3G, 4G, Bluetooth, wi-fi, and even infrared connectivity (which is sometimes used to communicate tyre pressure).
We look for vulnerabilities in the way different systems of the car connect to each other. And we look at the wider ecosystem of the car. For example, when a car is being serviced the technicians will plug into the car’s diagnostic port — but what if their laptop is compromised? Or what will happen when an infected mobile phone is connected to the car via Bluetooth? Cars without their own SIM-card will use the driver’s mobile phone for connectivity, but our hackers have managed to get into the back-end system of a car through a connected mobile phone.
Our role is to look ahead, to pre-empt any additional vulnerabilities. Some insurance companies, for example, are keen to track their customers’ driving behaviour through a dongle the driver plugs into the car. This means they can offer more personalised plans, provide models whereby you only pay for the time that you use the car, or even set speed restrictions for young drivers. Dongles will probably also be used in car-sharing schemes to track usage and personalise settings. The trouble is, dongles are highly insecure.
And this brings us full circle, back to the double-edged sword of technology analogy — as new, exciting possibilities open up, we need to be ready to deal with the fresh security issues that’ll emerge at the same time. We’re ready: are you?