When dealing with hackers you need as much shared intelligence as possible; for example, if we see something new, we will pick up the phone to talk with our counterparts at AT&T, Verizon, etc., and they do the same.
Andy Rowland, Head of Customer Innovation-Automotive & Energy | BT
Cars, like many other parts of the Internet of Things, were never designed to be widely connected; consequently they are inherently insecure. When CANBus networks that can support up to 100 processors were designed, the only external interface was the diagnostic port used by the dealer. Now cars have embedded SIM cards, synced smartphone interfaces, and multiple WiFi hot spots. In addition, the lifecycle of an automobile is sufficiently long that if hackers don’t have the upper hand now, they will do in the future. Even if a car is well protected in 2015, in 5 years’ time its finite computing resources will make it increasingly vulnerable.
The starting point for a hacker is likely to be the infotainment system, for two reasons: a) it interfaces directly to the car's internal networks that communicate with safety systems; b) there is a lot of published information available on the operating systems, firmware updates, and the backup paths, all of which can be exploited by a determined individual. This information has to be published by OEMs to allow independent garages to work on their cars, often by law.
A well-informed hacker with some persistence can do everything from taking over the infotainment system, increasing the radio volume to maximum or changing the SATNAV destination to, more seriously, interfering with the car's electronic systems and causing it to drive erratically. Car networks send packets of instructions with IDs that tell the receiving system what to do. The system will always respond to the packet with the lowest ID; if you inject data packets set to zero, you could effect a DDoS-type attack, what we call an Arbitration Hijack.
To secure a car you need to consider 3 things. Firstly, the attack surfaces, and there are many, e.g. the various internal/external interfaces to the vehicle, the dealership and the systems that communicate with the car over the air. You then need to carry out both code reviews and penetration testing to cover web applications, mobile and wireless interfaces, the vehicle itself and even social engineering. You also need a platform that can analyse vehicles' CANBus data quickly to spot outliers indicative of an emerging threat. And finally you need some sort of secure gateway in the car to harden the CANBus networks, and to identify and pass potential exceptions to the platform for analysis.
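The kind of outlier analysis described above, applied to the lowest-ID flooding case, can be sketched as follows. This is an added example, not BT's platform code: it assumes logs in the text format written by `candump -L` from can-utils, and the baseline, CAN IDs and sample frames are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# candump -L style line: "(seconds.microseconds) interface ID#HEXDATA"
FRAME_RE = re.compile(
    r"^\((\d+)\.(\d{6})\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2}){0,8})$")

def parse_frame(line):
    """Return (timestamp_us, can_id), or None for lines that are not data frames."""
    m = FRAME_RE.match(line.strip())
    if m is None:
        return None
    return int(m.group(1)) * 1_000_000 + int(m.group(2)), int(m.group(4), 16)

def detect(lines, baseline, window_us=100_000, tolerance=2.0):
    """Flag per-window outliers against a learned baseline.

    baseline maps each expected CAN ID to its normal frame count per window.
    Assumption: every baseline ID is periodic and appears in each full window.
    Returns a sorted list of (window_start_us, can_id, reason).
    """
    windows = defaultdict(Counter)
    for line in lines:
        frame = parse_frame(line)
        if frame is not None:
            windows[frame[0] // window_us][frame[1]] += 1
    alerts = []
    for idx, counts in windows.items():
        start = idx * window_us
        for can_id, seen in counts.items():
            if can_id not in baseline:
                alerts.append((start, can_id, "unknown_id"))
            elif seen > baseline[can_id] * tolerance:
                alerts.append((start, can_id, "rate_exceeded"))
        # Expected traffic that vanished: the symptom of losing arbitration.
        alerts += [(start, i, "starved") for i in baseline if i not in counts]
    return sorted(alerts)

# Constructed sample: IDs 0C4 and 1A0 are hypothetical periodic messages.
BASELINE = {0x0C4: 2, 0x1A0: 1}
SAMPLE = [
    "(0.010000) can0 0C4#1122334455667788",
    "(0.050000) can0 1A0#00FF",
    "(0.060000) can0 0C4#1122334455667788",
    "not a frame",
] + [f"(0.{100000 + i * 10000:06d}) can0 000#0000000000000000" for i in range(8)] + [
    "(0.185000) can0 0C4#1122334455667788",
]

if __name__ == "__main__":
    for start, can_id, reason in detect(SAMPLE, BASELINE):
        print(f"t={start / 1e6:.1f}s id=0x{can_id:03X} {reason}")
```

In the second window the unknown ID 0x000 is flagged and the expected 0x1A0 message is reported as starved, which are the two exceptions a gateway would pass on for analysis.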
In terms of who is best placed to secure the connected car, you need somebody who is independent and has extensive experience in more mature security markets like financial services. Currently automotive OEMs are working largely in security silos; they don’t want to discuss what they are doing, and certainly not with other OEMs. We feel this approach is intrinsically flawed. When dealing with hackers you need as much shared intelligence as possible; for example, if we see something new, we will pick up the phone to talk with our counterparts at AT&T, Verizon, OBS, etc., and they do the same. This approach is key to keeping one step ahead; if you let commercial rivalries get in the way, you’ve failed.
BT has been involved in Ethical Hacking for over 20 years, with 60 professionals spread around the globe, supported by 2000 full-time security consultants. BT recently launched “BT Assure Ethical Hacking for Vehicles”, a new security service developed to test the exposure of connected vehicles to cyber-attacks and help all market players develop security solutions. As innovation in technology accelerates, so must innovation and investment in the security controls that protect sensitive corporate assets from cyber-attack. Helping organisations master that changing cyber threat landscape is at the core of the BT Assure Cyber proposition. It is all about rethinking the risk. We use everything at our disposal, including specialist tools, partnerships with the most innovative start-up companies, and the employment of a wide mix of people, often with a background in law enforcement and intelligence rather than just IT. And with our 14 security operations centres around the globe we can provide the follow-the-sun coverage global automotive companies now need.