By Sean Martin & Marco Ciappelli
During InfoSec Europe Conference coverage, we connected with conference keynote speakers, presenters, panelists, organizers, and the InfoSec community to keep the conversation going. This is one of those chats.
ITSPmagazine's coverage, podcasts, webcasts, articles, and all our happenings during InfoSec Europe 2019 are made possible by the generosity of our sponsors. We are ever so grateful for your support.
Have a story to share and want to join us for the journey? We invite you to discover the benefits of full coverage sponsorship and to let us know if you are interested in joining us for our adventures. We look forward to another exciting conference.
Gone are the days of manually tuned carburetors and old-school gearboxes with a stick shift poking through the floorboard. Today's vehicles are collections of computer software and computer hardware, built from components of every kind, sitting on a set of wheels. Take the 2016 Ford F150, for example: this one vehicle carries 130 million lines of code. The Android operating system, by comparison, runs on roughly 12 to 15 million lines of code.
The challenge with these “smartphones (on steroids) on wheels” is that they generate, collect, analyze, store, and share enormous amounts of information about the car and what it is doing, and, given the kinds of data they have access to, about us and what we are doing as we sit behind the wheel [or soon, behind the driverless dashboard].
As an industry, we have matured, with DevSecOps, to the point where we generally recognize the risks we face from a web application perspective. The OWASP Top 10 has taken hold to the point where it is fairly common knowledge where the risks in our web applications lie. There is even some movement in IoT security assessment, also driven by OWASP (for example, the OWASP IoT Top 10).
Vehicles are a different story. These “devices” are expensive. They are hard to acquire for testing purposes. And during testing, things can fail, rendering the “application(s)” inoperable and placing the vehicle outside the manufacturer's warranty.
The biggest computer we own? Our 🚘
They Track:
—How fast we drive,
—Where we live,
—Who we text,
—Even, if we’ve gained weight 😳
Who gets the #Data? Not you.… It’s delivered to carmakers, and any 3rd parties willing to pay for it. @nytimes #Trust https://t.co/QCtz5dPbdV pic.twitter.com/EZapAvNx6m
— Tiffani Bova (@Tiffani_Bova) May 22, 2019
This was a fantastic conversation. Stay tuned on @ITSPmagazine for the podcast.
Ian (@mintynet), it was a great pleasure chatting with you and David Baker from @Bugcrowd about___ what was that 🤔___ yes, hacking smartphones on wheels. 🚙💨🚗💨😬
See you at @defcon! #infosec19 pic.twitter.com/HkxeKROOId
— Marco Ciappelli (@MarcoCiappelli) June 8, 2019
To dig into these points, Marco and I connected with Ian Tabor, car enthusiast and car hacker, and David Baker from Bugcrowd, to discuss the roles of ethical hacking and crowdsourced security analysis in keeping drivers safe all around the world.
Ian, a core member of the Car Hacking Village (a group of professional and hobbyist car hackers who work together to provide hands-on, interactive car hacking learning, talks, hardware, and contests), takes us through the trials and tribulations of his research: sourcing the vehicles, finding the flaws, reporting them, and protecting himself from potential legal action along the way.
Listen in to hear more from Ian and David as they describe the value of testing vehicles to find the flaws that could put drivers, passengers, and pedestrians at risk.