Ethical hacking can help keep connected vehicles safe from exploitation by malicious hackers. Martin Hunt, Senior Business Development Director, Automotive Global Industry at BT, explains the process.
Driving automotive security.
After developing a brand new, state-of-the-art car, you’d think a top-of-the-range alarm system would be the highest level of protection it needs. Actually, in today’s world of connected cars, you’d be better off investing in the services of an ethical hacker.
By identifying and blocking off potential hack routes, ethical hacking is the best option manufacturers have to ensure passenger safety. It’s also a smart move in terms of protecting the manufacturer from the large compensation payouts likely to be triggered by a successful, malicious connected car hack.
When it comes to safety systems, ethical hacking is a relative newcomer to the automotive industry, but our extensive work with cyber security means we’re well-placed to assist in this area. With experience in government, banking and health, we’ve spent years gaining the know-how companies need to operate effectively on the bleeding edge of cyber security. And we’re all aware of how necessary it is for the automotive industry to take steps to combat the myriad cyber threats that loom over the connected car.
Unlocking important driving data.
Manufacturers and insurers alike are eager to unlock and use the data contained in the connected car to make savings. The information scope is enormous, ranging from telematics, to how the car and its parts are performing, to when parts need to be renewed.
Plus, there’s accident data too — the speed at the time of the incident, the location, who was driving and how well they were driving. These possibilities only scratch the surface. The two-way nature of data transmission also means manufacturers can deliver software upgrades into the car remotely, reducing the need for costly recalls to dealerships.
An ethical hacking service is the best way for the automotive industry to protect this relatively open channel of access to the connected car, by identifying vulnerabilities that can then be addressed.
Ethical car hacking 101.
I’ve broken down the ethical hacking process below to give you a little more insight:
The first stage is diagnostic testing of the vulnerabilities or attack surfaces, to assess any problems and to work out how serious they are. There will be vulnerabilities, and this is a risk-mitigation situation rather than an absolute fix. Ethical hacking provides a technical evaluation of the embedded systems in vehicles, the wired and wireless network infrastructures, applications and systems, as well as employees, processes and procedures.
The second stage is penetration testing, where an ethical hacker attempts to exploit the highlighted vulnerabilities to see exactly what could be achieved by a malicious hacker.
The starting point is likely to be the infotainment system, for two reasons. Firstly, in many cases it interfaces directly with the car’s internal networks that communicate with safety systems. And secondly, there’s a lot of published information available about the operating systems, firmware updates, and the backup paths, all of which can be exploited by a determined individual. This information has to be published (often as specified by law) by the original equipment manufacturer to allow independent garages to work on their cars.
By taking over the infotainment system, a well-informed hacker, with some persistence, can increase the radio volume to maximum, change the Sat Nav destination or, more seriously, interfere with the car’s electronic systems, causing it to drive erratically.
Once an ethical hacker has greater insight into these weaknesses, they can provide strategic recommendations on how to mitigate the risk of hacking. Their ultimate goal, unlike that of criminal hackers, is to prevent life-threatening situations and protect against data theft or fraud that might negatively impact a company’s reputation or finances.
A connection to the future.
Connected cars are here to stay. It’s now up to manufacturers to both ensure safety and unlock the financial value the connected car holds. It’s game on — the next move is up to you.