Automakers and suppliers are urgently seeking “good” hackers to identify and close security gaps in networked vehicles. But qualified candidates are in short supply.
A “remote-controlled” Jeep whose downfall was a weak point in its entertainment system. Or, in an especially treacherous example, electric cars that were infected with malware during charging. That’s just the beginning. Insiders are already warning about ransomware attacks that cripple control units until blackmail is paid.
The so-called “white hats” are the good guys, the ethical hackers. They are supposed to identify automakers’ security gaps before it is too late. But they are a rare, peculiar species, and the industry has a hard time finding them. There is plenty for them to do, as automakers expect virtually every new car sold in coming years to be connected. And, once they are connected, they become as vulnerable as connected devices in the home or office.
“Connectivity produces weak points. Every vehicle, device or component that is linked to the internet is by definition hackable,” said Michael Mueller of the IT firm Argus Cyber Security. “Cars today are essentially computers on wheels,” he added. “The number of lines of code far exceeds 100 million, and hackers can potentially manipulate an internal vehicle network of up to 100 control units.”
Cybersecurity is a top issue for the car industry and automakers and system suppliers are putting more time and money into recruiting the talent to handle it. “We see the main risks for connected cars in assistance systems that intervene more and more often, such as braking assistants on trucks, or steering aids in Tesla vehicles,” said Christoph Peil, a member of the penetration team at Evait Security. The young Marburg, Germany-based company has been specializing in security and penetration testing, offering the auto industry wide-ranging services. But it doesn’t especially like to discuss the matter in public. After several days considering a request for information, a spokeswoman for Audi said that the company preferred “not to comment on the topic at this time.”
There have long been press reports saying that white hats are highly valued in Ingolstadt.
Tesla’s “bug bounty”
Daimler is also keeping a low profile on cyber security, although Benjamin Oberkersch, spokesman for connected car, infotainment & IT, was persuaded to speak briefly to a reporter. “We consider the latest findings and publications on criminal methods and attacks on security systems in our continued development of protective measures.”
In Daimler’s case, an entire team of hackers reportedly put the software architecture of the new S-Class through a wringer for three months. Tesla is more inclined to take the offensive. It is inviting hackers to a competition and paying them a “bug bounty,” up to $10,000 in cash, for each bug discovered. The approach is a common way to attract white hats to software giants such as Microsoft.
On the other hand, the auto industry is too often tied to an antiquated company culture. “Again and again, we see IT security taking a back seat in most companies. We are mostly contacted when they are in trouble,” said Peil of Evait Security. “That’s why we assume there are too few qualified hackers in the auto industry.” But now it’s time for action. “The industry will need a talent pool comparable to what already exists in traditional IT security,” said Mueller of Argus Cyber Security.
Broadly based security service providers such as SySS GmbH are continually looking for new staff with experience in car IT, said Gerhard Klosstermeier, IT security consultant at the Tuebingen, Germany-based company. “But the auto industry is also building up know-how on its own in this field. We are also seeing more companies specializing in car hacking,” he said.
Nabil Alsabah, an IT security expert at Germany’s high-tech association, Bitkom, sees evidence for this in the employment market. “A quick look at the job postings shows the demand. The auto industry would especially like to have its own penetration testers in-house.”
The steadily rising number of attacks being made public is fueling the trend. “The growth in demand will continue to be strong” Alsabah said. The issue is how the demand will be met with experts in such short supply. BMW has confirmed that its representatives mill around hacker events such as the Troopers conferences in Heidelberg and Black Hat Europe in London in an attempt to recruit white hats.
Continuous improvement
Argus takes the usual recruiting approaches, but has a decided advantage because its headquarters is in Tel Aviv. “In Israel, in particular, we have access to many talented potential applicants from the IDF intelligence services department with years of experience in cyber security acquired during their military service,” Mueller said. Bitkom’s Alsabah outlined the profession’s basic skill set. “Besides a well-founded understanding of cryptography as well as system and software security, ethical hackers must especially be able to think creatively so they can identify weak points.” A vehicle is much more complex than a smart refrigerator, he said. “It is crucial to think outside the box.”
Candidates have to be ready to learn new things and continue developing their skills. A university degree in information science or electronics would make sense, but would not be absolutely necessary. Said Alsabah: “Just as programmers get better by programming, hackers get better by hacking.”
