Earlier this year, I gave a talk at the RSA Conference about the privacy and security flaws in many of today’s connected cars. The response was nothing short of astounding. As it turns out, people get very nervous when you talk about finding and controlling their cars from a mobile phone.

While I didn’t initially set out to find vulnerabilities in modern cars, I couldn’t be happier that this project fell into my lap as global head of IBM X-Force Red.

Time flies when you’re breaking toys

This past year since we founded X-Force Red has been a wild ride. I have seen the team come together and grow rapidly. We’ve made amazing hires, done great work in penetration testing and surpassed all expectations. Perhaps most importantly, we are poised to continue to do great things in the future. I could not be prouder to be part of X-Force Red’s development.

X-Force Red is a team made up of some of the world’s best security researchers — folks who grew up breaking their toys and figuring out ways to make computers misbehave. As soon as the team discovered my interest in connected cars, the light bulbs started going off. Soon, we were all working on breaking the biggest toys we could find: our cars.

If you’ve purchased a car made in the last decade, there’s a good chance that hundreds or thousands of electrical components are packed into your ride. Each of these components performs one specific task, but also communicates with many other devices doing the same.

If you stop to think about it, your car is essentially a computer on wheels. Some models have remote connectivity to apps on our phones, while others have satellite radio or infotainment packages. The newest cars are cruising around with Wi-Fi hotspots. The more convenience we pack into our cars, the more complex and vulnerable to attack these systems become. To put it all into perspective, the space shuttle ran on about 4 million lines of code. To run the average modern car, it takes about 100 million lines of code.

It’s safe to say that auto manufacturers aren’t looking to make cars less functional than their competitors, which means the attack surface of our vehicles is only going to expand. So how do we make sure we’re winning this technology race? By testing the components and then testing the complete system.

Sound too simple? At first, yes, but consider the way automotive production works. If we stringently test the hardware, applications, networks and even the human interactions of this year’s model, we’re going to have a pretty solid baseline for next year’s model. The auto industry knows that the most effective way to make cars is to keep what people like about this year’s edition and then make the next model even better. That’s just good business.

In the world of security testing, we’re also about good business. That’s precisely why we’ve made it convenient and transparent for our automotive clients (as well as all our clients) to programmatically test their products and solutions. For a vehicle, we have to test every component that could possibly introduce vulnerabilities into the complete system, and then test the ones that shouldn’t. This all happens before we test the complete system as a whole. Once we establish our baseline, the following year’s model becomes part of a programmatic test.

From a security testing perspective, we’re thorough. Cybercriminals only have to find one way into a system, but we have to find every way to protect that same system. If we’re looking at the same components year-over-year in a given car, with only incremental changes in infotainment, telemetry and various other systems, the programmatic testing process becomes much easier to manage.

Managing the security of multiple models and years of cars can become increasingly complex as new software updates and patches are rolled out — but it doesn’t have to be. Our automotive clients use the Red Portal to schedule security tests, view vulnerability assessments in real time and collaborate with X-Force Red on remediation before cybercriminals even know the updates exist.

[onespot-mobile-content]

X-Force Red spreads the hacker love

At this point you may be saying to yourself, “It seems like this process would work for other industries beyond automotive.” And you’re right! Today we are pleased to launch a collaboration with the Watson IoT Platform to help ensure that Internet of Things (IoT) solutions get X-Force Red’s special brand of hacker love.

From the ideation phase to deployment and throughout the life cycle, X-Force Red can offer our expertise and, most importantly, assign a real human security expert to actively try to make the given product misbehave. We really love doing that, in case it wasn’t clear.

In the end, we want to help our clients move from only testing distinct targets to programmatic testing and solution testing. Since data is so often leveraged in a shared model where devices interoperate seamlessly, the industry can no longer think of technologies in isolation.

Want to hear more from Charles? Listen to this exclusive podcast

More from X-Force

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Being a good CLR host – Modernizing offensive .NET tradecraft

14 min read - The modern red team is defined by its ability to compromise endpoints and take actions to complete objectives. To achieve the former, many teams implement their own custom command-and-control (C2) or use an open-source option. For the latter, there is a constant stream of post-exploitation tooling being released that takes advantage of various features in Windows, Active Directory and third-party applications. The execution mechanism for this tooling has, for the last several years, relied heavily on executing .NET assemblies in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today