Technology and embedded systems are becoming more advanced and more common in businesses, meaning there is always the risk of hacking and security breaches.
It’s important to remember, not all hackers are criminals. Ethical hacking has become increasingly popular as businesses try to identify their vulnerabilities and protect themselves of future attack.
Consultant and Partner at Pen Test Partners, Ken Munro, has a wealth of knowledge of the cybersecurity industry. Ken spoke to Electronic Specifier about ethical hacking in a recent podcast episode. Within this article, Kiera rounds up the main points from the podcast.
Pen Test Partners is made up of a team of ethical hackers, brought in by organisations to hack them and find vulnerabilities within their systems so they can be fixed. Its real interest is in embedded systems, meaning smart devices and IoT, which have lots of vulnerabilities. Despite lobbying for change and the implementation of some laws, the same mistakes are being made by smart product vendors.
Ken stated that it is a difficult task to help people understand the value of what they have, people don’t understand the value of privacy of their own data. “Helping people take those steps to really lock themselves down and make sure they can’t be trivially compromised is a big thing for Pen Test Partners.”
Changes to the industry
Ken said: “The game changer for me is when the IoT or smart product market starts to open up and the most important thing for every manufacturer is to get to market first. And they probably come from backgrounds, maybe in mobile apps or web apps where they launched their product, and they could fix it the next day. Therefore, it didn’t really matter if it had bugs, because you could roll out an update to solve the problem. With embedded systems you’re going to commit to production, maybe a year ahead.”
“You can’t have the same mentality of shipping out, and fixing it later. It doesn’t work like that unless you’ve set your product up so it can be updated,” he added.
Therefore, Ken said what we have seen in the industry is products being rushed to market without enough security and no ability to fix the problems once they’re in the field.
The importance of security in the automotive sector
It is becoming increasingly more common for hackers to gain access into an automotive system and stopping it from working altogether. Suddenly, a fleet of a certain brand of vehicles just don’t start. This lack of availability is impactful for both the owner and the manufacturer as their reputation is tainted overnight. This makes it important to ensure companies get the security right the first time round. The issue also stretches to the privacy of a consumer’s data.
Pen Test Partners discovered it could use mobile apps and API’s to get access to vehicles. It recently carried out research into smart aftermarket car alarms, discovering it could remotely mobilise about three million vehicles with access to an API.
Ken said that more smart is required of smart chargers for EVs. Of course, someone has made smart chargers for EVs, but not everyone checked to ensure smart chargers are secure. There are problems with the API’s that they use, making it possible to remotely hijack different brands chargers.
“The challenge is because a lot of car chargers consume a lot of power, our grids don’t have huge reserve capacity. If you could turn all the chargers on and off, and on and off, you create big power swings. In some cases, that’s enough to cause blackouts. By asking for smart chargers to help balance the grid, the industry has created a weapon that others can use to destabilise the power grid,” Ken said.
Ken stated that the main problem is that the industry is rushing into new technologies and not giving enough thought to the cybersecurity of products, which is where things go wrong.
Some charge point networks have not got the security right. In the same way that you can roam freely in foreign countries with your mobile phone, you can roam using your charging app and charge cars in some cases. Pen Test Partners discovered that interoperability leads to many problems, meaning a vulnerability in one charging platform could lead to vulnerabilities in other brands of chargers. This issue was fixed quickly when Pen Test Partners reported it, however Ken said: “It worries me that some of the charging protocols that allow you to roam between charges aren’t as secure as they should be.”
How has the cybersecurity landscape been affected by COVID-19?
Ken stated that change is the biggest problem in cybersecurity: “When something changes it creates opportunities for mistakes to be made, to not follow processes properly or go back and double check you did something right. Of course, COVID brought about a huge amount of change.”
Organisations were having to adapt to the fact employees were working from home and make changes to support that. There were a huge number of cases where organisations had done everything they could correctly get people working remotely, but hadn’t been back over their work to check they hadn’t accidentally exposed vulnerable systems.
“Again, it’s the concept of change, something changes fast, there isn’t time to go back and make sure you’ve made that change safely and securely,” concluded Ken.
The future
“What I love about this space is you wake up in the morning and the world’s changed slightly. There’s a new vulnerability which changes everything,” Ken said.
“Everything moves so much more quickly now. if a vulnerability was found 20 years ago, it would take time to be exploited and for worms to be written to go and cause damage. Now you’re seeing a vulnerability be discovered and its being exploited in large organisations before you can even investigate any more detail,” he added.
To listen to the full podcast episode and hear more from Ken, visit here.