Large businesses are used to the idea of hiring pen-testers to try and break their network security. According to BT, the next target is probably sitting in the car park.
The firm has become the first big brand to offer vehicle manufacturers, fleet owners and even insurance firms the chance to let its hackers loose on their vehicle systems, including not only cars but also trucks, buses, and even earth-moving bulldozers.
The service is called ‘BT Assure Ethical Hacking for Vehicles’. The firm believes there is growing interest among verticals in spotting and remediating possible flaws that might be present in in-vehicle software at as early a stage of development as possible.
The main areas of concern are in-vehicle firmware and telemetry, along with securing over-the-air (OTA) software upgrades of the sort that manufacturers would like to use but are afraid to implement because of security risks. People who might interact with such software over 3G, 4G or directly would include maintenance engineers and infotainment providers.
The problem is that unlike many other areas of consumer technology such as smartphones, vehicle development cycles run into many years.
“Changing things on cars takes a long time. The design and implementation for a car is much longer. You find a bug on a Samsung phone it can be fixed quickly,” said Martin Hunt, who heads up BT’s automotive practice.
BT was currently working with one large manufacturer on vehicle pen-testing, thus proving that demand exists, he said.
“There is a fear on the market of connected cars and the potential to hack them.”
Hunt predicted that in future software security testing might be included in consumer MOT tests. Even near term, motor manufacturers would be subject to legislation governing the security and hackability of vehicles.
“In a few years’ time, the majority of vehicles that are produced will be connected to the Internet or other networks, either for navigation, maintenance, cooperative driving or entertainment purposes, and the driver will expect the same usability he is used to from his smartphone,” said Udo Steininger of the TÜV SÜD certification group.
“This bears complex challenges for the automotive industry as cars are equipped with a number of embedded systems that have not been designed to be connected to the outside world.
“The industry needs to join forces, including with suppliers, IT security specialists and certification bodies, to agree on a common approach to interfaces and security standards for the Connected Car.”
For the time being, cars infected with malware remain a theoretical problem, but there is no question that sooner or later attackers will focus more keenly on them as targets. By that time, anti-malware security systems will probably also be commonplace. BT believes it is blazing a trail for a very different world of cars of the near future.