Why BT's hacking connected cars - before criminals do


Imagine you're in a smart car when it's taken over by hackers - giving you no control over the steering, brakes or even the seatbelt.

That's the situation BT is trying to avoid with a new security testing service for connected vehicles.

BT Assure Ethical Hacking for Vehicles is targeted at companies developing connected cars as well as those using them.

Connected cars aren't only about driverless vehicles; they also include ones where a driver is still at the wheel but assisted by connected devices that show traffic updates and track routes.

Because such systems are linked via standard connectivity networks like Wi-Fi, 3G/4G or Bluetooth, they're as at risk of being hacked as any mobile device.

"Vehicles are now connected devices, confronting manufacturers and suppliers with a whole new world of security challenges," said Hubertus von Roenne, VP of global industry practices at BT Global Services.

"For example, we have seen cars infected with malware while connected to a power charging station because nobody had expected this would be possible."

BT's ethical hacking service will cover a wide range of vulnerabilities inside a car or other vehicles, including lorries, buses and even bulldozers.

The BT team will look at everything from Bluetooth links, USB ports and DVD drives to external connections such as mobile networks and power plugs.

"The ultimate objective is to identify vulnerabilities that would allow unauthorised alteration of configuration settings or that would introduce malware into the car," BT said in a statement. "These remote systems can include the laptops of maintenance engineers, infotainment providers, and other supporting systems."

Hacking cars

As cars become more connected, the threat of hacking increases.

While there are few widely publicised instances of hackers successfully targeting smart cars, plenty of security researchers have achieved it - and that means it's only a matter of time before criminals find a financial motivation and the means to do the same.

Last year, researchers Charlie Miller and Chris Valasek hacked a Prius, taking control of the brakes, gas gauge, steering wheel, horn and seatbelts, all from a laptop in the backseat of the car.

You can watch their gleeful video here. The duo also hacked a 2010 Ford Escape, taking control of the engine and lights, and followed that work up with a report ranking the most hackable cars, with the 2014 Jeep Cherokee topping the list.

A 2010 report from the University of Washington and UC San Diego revealed there was essentially nothing electronic in a car that couldn't be hacked.

Researchers managed to pop the trunk, disable windshield wipers and fiddle with the accelerator, brakes and engine of a car - all while it was travelling at 40 miles per hour, according to one report.

More recently, BMW rolled out a patch to 2.2 million of its cars in February this year to fix a flaw that could have let hackers open the doors via its ConnectedDrive system.

"It appears the vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS," noted security analyst Graham Cluley at the time. "Something you would probably have hoped that BMW's engineers would have thought about in the first place."

Security standards

And that's the problem: not enough security is being built into connected systems - whether they're smart cars, smart homes or other devices making up the Internet of Things (IoT) - and that's worrying experts, who are calling for researchers and car makers to work together on a security standard for smart cars.

Udo Steininger is Head of Assisted and Automated Driving at TÜV SÜD, one of BT's partners for the ethical hacking project. He pointed out that increasing connectivity in cars means drivers "will expect the same usability he is used to from his smartphone".

"This bears complex challenges for the automotive industry, as cars are equipped with a number of embedded systems that have not been designed to be connected to the outside world," he added.

"The industry needs to join forces, including with suppliers, IT security specialists and certification bodies, to agree on a common approach to interfaces and security standards for the connected car."

In the meantime, expect more reports of security experts making connected cars bend to their will - and hope hackers don't follow suit before we're ready.