Press Release

Cars are now a genuine target for cyber criminals who could remotely control a vehicle

News

Volkswagen shouldn’t sue University researchers - it should employ them

Cars are now a genuine target for cyber criminals and it is possible for attackers to gain control of a vehicle while it is in motion, with disastrous consequences.

Alex Fidgen, Director at IT security company MWR InfoSecurity, said: “It is feasible that an exploitation of any number of embedded devices within a car might allow an attacker to gain control. For instance, this would have serious consequences if the brakes were applied at high speed.”

The comment was made after Volkswagen allegedly sued the University of Birmingham to stop it from publishing how it had hacked anti-theft systems on luxury cars such as Lamborghinis and Porsches.

“Vendors should not try to block security research, they should work together with the researchers to understand the nature and potential consequences of the threats they are facing,” said Fidgen.

“Resorting to legal action to block such details from being published is the wrong approach. Manufacturers should instead incorporate strong security research in the design process.”

He added: “There are real concerns about the attitude of VW given they appear to be trying to suppress this information rather than working to rectify it.”

Fidgen said: “Manufacturers do not seem to have considered the security threat when using embedded computer systems. Cars are becoming increasingly more computerised, particularly supercars which sell for hundreds of thousands of pounds. But not enough thought appears to have gone into securing the systems which leaves the cars wide open to theft and the misuse of computer information.”

Fidgen indicated that such IT vulnerabilities could potentially have very serious impacts, both from security and financial perspectives, as cyber criminals target companies on a daily basis.

Fidgen said: “Volkswagen have only highlighted to the criminals out there that the problems are likely to be genuine and important, so the damage has already been done.”

He added: “There is a long track record of companies using legal action to try to prevent vulnerability information from being understood. This has probed to be highly ineffective as in most cases the security community was able to obtain the information through different research teams.”

Fidgen said: “Car manufacturers continually try to upstage each other with the latest computer ‘Gizmo’s’ for vehicles. They are on a never-ending treadmill to try and keep ahead and offer their customers the latest technology. However, they now need to take a step back and look at how security should be embedded.”

He added: “From a customer point of view, it’s not just about the car being stolen, it’s about the owners personal information being stolen from mobile phones and other mobile devices that are linked to the cars on board computer systems. From the manufacturers’ perspective, it’s about the latest ‘gizmo’ being stolen by competitors.”

 

 

Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.