UK telecom group BT to provide security service for testing the vulnerability of connected cars to malicious software attacks.
The new “ethical hacking” security service is being offered by British Telecom (BT) to the automotive industry and suppliers of goods associated with vehicle connectivity to enable them to test their products and reduce their vulnerability to malicious attacks by cyber criminals.
Vehicle connectivity is growing at a very high rate with infotainment products, mobile services, Intelligent Transport Systems (ITS) and in-built vehicle navigation and safety technology, all of which introduce a level of vulnerability that needs to be addressed with best practice security techniques.
The various information and communication technology (ICT) elements in a vehicle include connectivity technology such as WiFi, 3G or 4G mobile data links, Bluetooth and wired connectivity for safety and performance systems within the vehicle. The ways in which vehicles use these methods of connection are referred to as “attack surfaces”, that is, the ways in which an attacker can gain access to the vehicle’s network. These include such things as the On-Board Diagnostics (OBD) port, a USB port or the WiFi router.
Attackers don’t necessarily need direct access in order to compromise a vehicle; it could be done by exploiting a vulnerability in a system that will subsequently be connected to the vehicle. An attack could be made by targeting technicians’ computers or an Android smartphone with viruses or malicious software, which then deploy when these devices are connected to the car.
The attack itself could range from relatively benign objectives, such as collecting information about the driver’s habits or behaviour, through more serious crimes, such as enabling remote unlocking and starting, to more sinister purposes, such as interfering with vehicle control systems.
With its wide experience of identifying and closing vulnerabilities in industrial control systems and the Internet of Things (IoT), BT is well placed to offer the automotive industry a service to ensure the safe use of connected vehicles. The company has stated its aim of identifying and fixing vulnerabilities before the vehicle is put onto the road in order to ensure its safe operation throughout its lifetime. It does this through end-to-end security testing and verification of all systems that interact with the connected vehicle.
According to Hubertus von Roenne, Vice President Global Industry Practices at BT Global Services, the automotive industry is now confronted with an entirely new world of security challenges associated with vehicle connectivity.
He illustrated this challenge with an example of cars which have been infected with malware while connected to power charging stations because nobody had expected that this would be possible.
“We use the expertise and knowledge of our ethical hacking consultants to identify these vulnerabilities before others do. BT has decades of experience in securing connected devices and embedded systems across various industries and we are very proud to now offer that experience to the automotive industry,” he told us.
European testing and certification body TÜV SÜD also commented on the vulnerability of connected cars. The organisation’s head of assisted and automated driving, Udo Steininger, told us, “In a few years’ time, the majority of vehicles that are produced will be connected to the Internet or other networks, either for navigation, maintenance, cooperative driving or entertainment purposes, and the driver will expect the same usability he is used to from his smartphone. This bears complex challenges for the automotive industry, as cars are equipped with a number of embedded systems that have not been designed to be connected to the outside world. The industry needs to join forces, including with suppliers, IT security specialists and certification bodies, to agree on a common approach to interfaces and security standards for the Connected Car.”
Threat researchers at IT security company Webroot believe that the announcement by BT is an extremely timely one since someone had recently been detained by the FBI in the USA over a tweet concerning an aircraft hack, illustrating the vulnerability of transport systems. The involvement of the FBI indicates the seriousness with which connected transport cyber threats are being taken.
Commenting on the announcement from BT, Webroot’s Roy Tobin told us, “This move from BT highlights a number of security issues and it’s one reason why some people have reservations about having these systems in their vehicles. Some of the more sophisticated cars can be set to start remotely, pre-heat the cabin and activate the lights all from a smartphone. It doesn’t take much imagination to realise that this could be hijacked by criminals.”
“Any information found by BT needs to be brought to the car manufacturers’ attention and actively used to make car systems more secure. If it’s brushed under the carpet then this could have serious implications,” he said.
“I just hope that it won’t take a tragic incident for this issue to be taken seriously,” Roy Tobin concluded.