Van security could be at risk following research that exploited vulnerabilities in a number of vehicle alarm systems.
Adam Brown, manager of security solutions at Synopsys, said: “Software, of course, is ubiquitous and everywhere – from TVs to web apps to cars in this case. It’s a bit late in the day to find these flaws and bugs in implementations once they are in production – or in this case screwed into vehicles.
“Finding bugs with pen testing is the least mature approach; flaws are hard to find this way and findings are too late. Fixing issues can be hard, and the firms have done a good job in turning around these fixes quickly.
“Preventing these flaws is the best approach, and one that takes deliberate organisational initiatives driven from executive management. Prevention shifts security left in the software development cycle and can both reduce risk and cost by addressing issues early.”
Ofer Maor, director of solutions management at Synopsys, added: “The latest car alarm system identified by Pen Test Partners demonstrates in the most apparent way the challenges the automotive industry is facing in its transition to the modern connected world.
“The requirements, as well as risks, of legacy automotive development of those security systems are considerably different than those of connected software.
“For that reason, despite being high end security manufacturers (likely to be proficient with the hardware and radio aspects of the security systems), they have failed where many before them have, and that is securing the software used to interface with their systems.
“Our recent study, done together with Ponemon and SAE, shows that 30% of organisations in the automotive industry do not have an established cybersecurity programme, and 63% test less than half of the technology they develop for security.
“It is therefore not surprising to see such vulnerabilities, and we are likely to see many more in the years to come as connected technology (mobile apps, web portals, and more) interacts with our vehicles.
“It is now up to the manufacturers of vehicles and surrounding ecosystems to step up and take the lesson learned from other industries before them. They must establish software security practices, with secure architecture, secure development procedures, and ongoing security testing that will allow them to build secure software to interconnect with the car and its systems.”
Budi Arief from the School of Computing at the University of Kent is an expert on cyber security with a focus on cybercrime, security of computer-based systems, the Internet of Things, and ransomware.
He said: “As technology progresses and devices are becoming more interconnected through the concept of Internet of Things (IoT), there is a growing risk that any additional feature may introduce security vulnerabilities to the overall system.
“This is a case aptly demonstrated by a recent report of security vulnerabilities in three specialist car alarm systems that would have allowed attackers to steal or hijack affected vehicles.
“It is not surprising that third-party car alarm systems that allow their users to control the alarm – or even the car – remotely may contain security vulnerabilities. These third-party systems have likely gone through a less rigorous process of security evaluation compared to those systems developed directly by the official car manufacturer.
“Nevertheless, there is no guarantee that the latter would be 100% secure, as it is pretty much impossible to prove the absence of flaws.
“What is ironic here is that whoever bought these vulnerable car alarm systems did so out of a desire to improve the security of their vehicle. But inadvertently, they introduced security vulnerabilities that would allow attackers to take control of their vehicle.
“In a sense, it would have been better if these car owners did not bother to add a third-party system that may or may not have been approved by the car manufacturer.
“All of these demonstrate the need to carry out a more thorough test on any computer systems (especially those that allow remote connections), instead of rushing them to customers in order to capture a niche market before any competitors did so.
“This is not a unique incident; there are many similar cases of IoT devices such as cameras, home security kits, and even smart locks that have been shown to be vulnerable to attacks. Unfortunately, the IoT market is akin to a gold rush for new features rather than security, and this is a challenge that needs to be addressed urgently.”