60 second guide
Ethical hacking of connected vehicles
By Martin Hunt, Automotive Industry Practice Lead, BT Global Services
What is ethical hacking?
Ethical hacking is a proactive form of information security and is also known as penetration testing, intrusion testing and 'red teaming'. It involves a trusted party (the ethical hacker) identifying and evaluating vulnerabilities or weak points in an organisation’s IT systems. As a result of the ethical hack, security can be improved to mitigate the risk of malicious attacks. An ethical hacker is sometimes called a legal or 'white hat' hacker, a term that comes from old western movies, where the 'good guy' wore a white hat and the 'bad guy' wore a black hat. So the legal hacker's illegal counterpart is known as a ‘black hat’ hacker.
Why is the hacking of connected vehicles of concern?
Because vehicles, like many other items joining the Internet of Things, were not designed to be widely connected, and as a result are inherently insecure. Until relatively recently, the only external interface was the diagnostic port used by the dealer. Nowadays, cars have embedded SIM cards, synced smartphone interfaces, a variety of other interfaces and even built-in Wi-Fi hotspot functionality. They have effectively become 'computers on wheels'. These interfaces provide new access points which must be secured to guarantee a vehicle's safety. The situation is complicated further by the long lifecycle of a vehicle: even if it is well protected in 2015, in five years' time its computing resources will make it increasingly vulnerable. Connected vehicles will increasingly have parallels with computer operating systems, which continuously need patching during their lifetime to mitigate security issues.
What harm could a hacker potentially do to a connected vehicle?
A well-informed hacker could, with some persistence, do everything from taking control of the radio to increase the volume, to changing the SatNav destination, to more serious interference such as altering the vehicle’s electronic systems to cause it to drive erratically and even to take control of the car. So the key issue is that with connected vehicles, remote attacks could cause life-threatening situations. It’s therefore crucial that vehicles are thoroughly analysed for vulnerabilities and tested to make sure that they are as future-proof and secure as possible.
What expertise does BT have in ethical hacking?
BT has been involved in ethical hacking for over 20 years, across industries including finance, manufacturing and retail. We have 2,000 full-time security consultants globally, including 60 ethical hackers. Over this period, we have examined smart grids and industrial control systems, and even tested embedded systems such as MRI scanners in hospitals. Our experience has enabled us to take a creative approach to providing security solutions, including specialist tools, partnerships with the most innovative start-up companies, and employing a wide range of people with backgrounds not just in IT but also law enforcement and intelligence agencies.
In the automotive sector, we have engaged a number of independent ethical hackers to gain their insights and enhance our own expertise. And with 14 security operations centres around the world, we can provide the ‘follow-the-sun’ coverage global automotive companies need.
So how can the 'good guys' stay ahead of the 'bad guys'?
By sharing as much intelligence as possible with other 'good guys'. For example, if we see new threats or trends emerging, we'll talk with our counterparts in other telcos, and they do the same. This co-operation is key to keeping one step ahead because if commercial rivalries take precedence over sharing this kind of data, then security will inevitably be compromised.