The idea of hacking a car seems like the plot from an action movie, but a team of hackers very recently proved that the idea isn’t too far from reality. Working on behalf of the US military, hackers demonstrated the potential ways in which cars could be made vulnerable.
Featured Download: Social media access at work. Do your employees know the rules?
Jacques Louw, Senior Information Security Consultant at MWR InfoSecurity has pointed out that the biggest danger is when cars can be accessed remotely: “With regards to the attacks that have been previously demonstrated, I think the risk has been greatly exaggerated. The risk of an attacker with direct access to the vehicle’s system to disable the brakes is similar to that of an attacker cutting break lines. There is nothing surprising or unexpected about this being possible. The danger comes in when this access can be attained remotely. This type of remote access requires an entry point other than the vehicle’s physical diagnostics port. Cars, for example, with media centres that are attached to the internet do not pose much risk to vehicle safety unless the media systems are connected either directly or indirectly to the vehicle’s management networks. As security has not been a prime objective for vehicle manufacturers in the past, these systems have been tightly integrated, leading to a situation where the security of an in-car media player can affect the car’s brakes.”
“In the same way that oil and gas manufacturers isolate high risk SCADA systems from general employee networks, car manufacturers should concentrate efforts on isolating core vehicle networks from any systems that expose remotely connectible networks (such as internet or Bluetooth connections). Organisations like Auto-ISAC are certainly useful in raising awareness about potential threats to vehicles, but manufacturers also need to start managing this risk by performing in-depth security reviews and testing of these systems. Banks contract security firms to perform regular security tests (known as penetration tests) of high risk systems such as their on-line banking systems, and most cars manufacturers are not yet performing these kinds of assessments against vehicle systems as part of their new vehicle development process.”
By Jacques Louw, Senior Information Security Consultant, MWR InfoSecurity
About MWR InfoSecurity
MWR works with its clients by developing a comprehensive understanding of their needs, challenges and opportunities, and, through that, a deep mutual trust.
Such relationships allow it to deliver valuable services and solutions, and build up an enviable client portfolio and an unsurpassed track record of success.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.