Earlier this year, I gave a talk at the RSA Conference about the privacy and security flaws in many of today’s connected cars. The response was nothing short of astounding. As it turns out, people get very nervous when you talk about finding and controlling their cars from a mobile phone.

While I didn’t initially set out to find vulnerabilities in modern cars, I couldn’t be happier that this project fell into my lap as global head of IBM X-Force Red.

Time Flies When You’re Breaking Toys

This past year since we founded X-Force Red has been a wild ride. I have seen the team come together and grow rapidly. We’ve made amazing hires, done great work in penetration testing and surpassed all expectations. Perhaps most importantly, we are poised to continue to do great things in the future. I could not be prouder to be part of X-Force Red’s development.

X-Force Red is a team made up of some of the world’s best security researchers — folks who grew up breaking their toys and figuring out ways to make computers misbehave. As soon as the team discovered my interest in connected cars, the light bulbs started going off. Soon, we were all working on breaking the biggest toys we could find: our cars.

If you’ve purchased a car made in the last decade, there’s a good chance that hundreds or thousands of electrical components are packed into your ride. Each of these components performs one specific task, but also communicates with many other devices doing the same.

If you stop to think about it, your car is essentially a computer on wheels. Some models have remote connectivity to apps on our phones, while others have satellite radio or infotainment packages. The newest cars are cruising around with Wi-Fi hotspots. The more convenience we pack into our cars, the more complex and vulnerable to attack these systems become. To put it all into perspective, the space shuttle ran on about 4 million lines of code. To run the average modern car, it takes about 100 million lines of code.

It’s safe to say that auto manufacturers aren’t looking to make cars less functional than their competitors, which means the attack surface of our vehicles is only going to expand. So how do we make sure we’re winning this technology race? By testing the components and then testing the complete system.

Sound too simple? At first, yes, but consider the way automotive production works. If we stringently test the hardware, applications, networks and even the human interactions of this year’s model, we’re going to have a pretty solid baseline for next year’s model. The auto industry knows that the most effective way to make cars is to keep what people like about this year’s edition and then make the next model even better. That’s just good business.

In the world of security testing, we’re also about good business. That’s precisely why we’ve made it convenient and transparent for our automotive clients (as well as all our clients) to programmatically test their products and solutions. For a vehicle, we have to test every component that could possibly introduce vulnerabilities into the complete system, and then test the ones that shouldn’t. This all happens before we test the complete system as a whole. Once we establish our baseline, the following year’s model becomes part of a programmatic test.

From a security testing perspective, we’re thorough. Cybercriminals only have to find one way into a system, but we have to find every way to protect that same system. If we’re looking at the same components year-over-year in a given car, with only incremental changes in infotainment, telemetry and various other systems, the programmatic testing process becomes much easier to manage.

Managing the security of multiple models and years of cars can become increasingly complex as new software updates and patches are rolled out — but it doesn’t have to be. Our automotive clients use the Red Portal to schedule security tests, view vulnerability assessments in real time and collaborate with X-Force Red on remediation before cybercriminals even know the updates exist.

[onespot-mobile-content]

X-Force Red Spreads the Hacker Love

At this point you may be saying to yourself, “It seems like this process would work for other industries beyond automotive.” And you’re right! Today we are pleased to launch a collaboration with the Watson IoT Platform to help ensure that Internet of Things (IoT) solutions get X-Force Red’s special brand of hacker love.

From the ideation phase to deployment and throughout the life cycle, X-Force Red can offer our expertise and, most importantly, assign a real human security expert to actively try to make the given product misbehave. We really love doing that, in case it wasn’t clear.

In the end, we want to help our clients move from only testing distinct targets to programmatic testing and solution testing. Since data is so often leveraged in a shared model where devices interoperate seamlessly, the industry can no longer think of technologies in isolation.

Want to hear more from Charles? Listen to this exclusive podcast

More from X-Force

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today