The video above was recently shared by Anderson Morgan on LinkedIn and Facebook. It shows a couple of hackers who manage to access the computer system of a Jeep 4×4. Although the video is light-hearted and fun, it shows a worrying side to technology that most would consider impossible. Not only were the hackers able to change electrical settings of the car (including turning the radio on and off, altering the air conditioning etc) they were also able to control the brakes and accelerator whilst the car was in motion.
At the International BlackBerry Security Summit 2017, which was hosted last December in New York City, I was lucky enough to be a keynote speaker alongside numerous other I.T security experts. One of which, Sandeep Chennakeshu, who is the President of BlackBerry Technology Solutions, ran through his ‘future planning recommendations’ with regard to Automobile cybersecurity.
Although i’ve always stressed that cybersecurity is about pre-planning, risk mitigation and constant monitoring – we were all challenged to change our thinking from ‘how do we pre-plan to mitigate the risk of an attack against our current i.t infrastructure?’ to ‘how do we set ourselves up to mitigate current risks but also the risks of the (not so distant) future?’.
Similar to any of our business I.T security audits which we regularly carry out with businesses of differing sizes, Sandeep brought up 4 key trends that can expose cars to attack. These 4 points also apply for almost every device;
- Access. Modern cars (and many household items) have wi-fi, bluetooth, mapping and more. Although wonderful and convenient technology, each ‘access’ point provides a potential entry for attackers.
- Advancements in technology. In this presentation, autonomous driving was mentioned. Again, this is a fantastic piece of technology which can assist and revolutionise what we know driving to be, but it does provide a glaring opportunity for hackers to gain control of software.
- Changing state of software. Software is installed, but then updates, often autonomously over time. So, in other words, the technology which you buy with a device (or car) often updates, improves or changes over time. Unless you monitor this, it is incredibly easy for access rights, software usage policies, security etc to change without you even knowing. Similarly, there is a genuine risk of hackers taking advantage of software updates immediately after they have been released
- Software control. Basically, hackers are getting smarter. You’ve heard of hackers being able to control computer programs, social media accounts, webcams etc, but this has now evolved. As software programs are rolled out for everything from washing machines to coffee machines, computers to cars – if your item has software, it can be hacked! Our challenge is to limit this risk, or at least to provide a strategy to ensure that a hack would have limited damage.
I was delighted to hear that many of BlackBerry’s security policies relating to automobiles were actually practices which Anderson Morgan have offered to clients for years. Our main challenge in 2018 is to continue to educate business owners on risk mitigation strategies which will future proof their businesses systems, rather than just ‘plug a hole’.
Some of the protection policies which we share with BlackBerry;
- Secure the supply chain. We only use trusted, secure software. Software is then scanned regularly to identify and eliminate vulnerabilities. Finally, we run ‘penetration testing’ to constantly stay ahead of risks by trying to ‘break-in’ to software in a controlled environment.
- Defence in depth. We conduct audits to ensure that a clients security aligns with industry best standards. This includes prioritising access to apps – think, what do all staff need access to, and what is only required by management level staff
- Constant monitoring. We work with businesses to pre-define the security metrics which are important. Then we constantly monitor and report on current security threat levels. This – health check for your business I.T security.
- Pro-active alerts. Flowing on from monitoring threats, if a threat is found then it needs to be isolated and removed, quick!
- Hardware and Software lifecycle management. As mentioned above, software changes over time as does the hardware it resides on. Each update needs to be checked and verified. Endpoint (user) policies need to be defined to ensure that best practice is followed. All Hardware must have the most up to date firmware installed and be supported by both the hardware manufacture and the relevant software provider. It is recommended that hardware replacement program is maintained within a 3 to 4 year life cycle window for optimum security and performance.
It’s not all doom and gloom, however. Although software is always updating, so too are cybersecurity practices and software protection programs.
As part of the service which Anderson Morgan provide, we regularly conduct I.T security audits with businesses to calculate and prioritise the potential risks which the business may face. This includes looking at all potential ‘access’ points which the business has as well as its current security policies. From there we work off a similar set of practices as mentioned above to ensure that our clients are protected now and into the future.