Car hacking: vehicle manufacturers finally join forces to improve cybersecurity

carThere seems to have been a glut of news stories about cars’ vulnerability to cyber attacks lately – from the Car Hacking Village at last month’s DEF CON cybersecurity conference to research demonstrating how to hack the Jeep Cherokee and the Tesla Model S, via news of security vulnerabilities in Audis, Hondas, Volkswagens, Volvos, and Fiats. (For a particularly interesting examination of auto-hacking trends, I recommend this article by Sean Gallagher.)

As Google and, according to rumors, Apple continue to work on self-driving cars, the safety implications for us all are obvious – and now the automotive industry has finally decided that it’s time to act.

According to, members of the Alliance of Automobile Manufacturers and the Association of Global Automakers are “working to establish an Information Sharing and Analysis Center to act as a secure, industrywide clearinghouse for intelligence about cyberthreats to vehicles and their networks”.

Scheduled to be operational by 2016, the auto industry ISAC will allow member companies “to share information about vulnerabilities and attacks anonymously”.

As Denise Anderson, chair of the National Council of ISACs, told AutoNews: “You don’t want to be caught unprepared.”

Wider lessons learned from automotive security failures

This warning doesn’t just apply to vehicle manufacturers: there are important lessons to be learned by all other industries.

First, don’t be caught on the back foot. Cyber attacks are increasing dramatically, and the only way to address them is to make security an integral part of the way you do business. If it’s just treated as an afterthought, and not kept up to date, you are putting your business at risk.

Secondly, the only way you can really tell if your systems are secure is to test them. Vulnerabilities common to off-the-shelf software, CMS platforms, applications, and plugins are constantly being discovered – and exploited – by opportunistic criminal hackers who use automated scans to identify targets. According to Trustwave’s 2015 Global Security Report, 98% of tested web applications were found to be vulnerable.

Closing the security gap

Verizon’s 2015 Data Breach Investigations Report found that over 90% of attacks exploited known vulnerabilities for which patches were already available: “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007 — a gap of almost eight years.”

Making sure you close your security gaps and fix vulnerabilities as soon as they are known is essential to keeping your networks secure and your corporate information safe.

IT Governance is a CREST-accredited penetration testing service and a PCI QSA (Qualified Security Assessor), and is qualified to conduct vulnerability scans and penetration tests to ensure your compliance with standards including the PCI DSS and ISO 27001.

For more free information on penetration testing, click here >>