IBM security team tackles IoT and automotive
July 27, 2017
IBM Security has launched two security testing practice areas focused on automotive security and the IoT. The services will be delivered via a team of IBM X-Force Red researchers focused on testing backend processes, apps and physical hardware used to control access and management of smart systems.
The IoT services will be delivered alongside the Watson IoT platform to provide security services by design to organisations developing IoT products for all industries. With 58% of organisations testing their IoT applications only during the production phase, the potential for introducing vulnerabilities into existing systems remains high. The Watson platform provides configuration and management of IoT environments, and the IBM X-Force Red services bring an added layer of security and penetration testing.
IBM X-Force Red marked its first-year anniversary with the addition of security specialists Cris Thomas (aka Space Rogue) and Dustin Heywood (aka Evil_Mog with Team Hashcat). The team has also built a password cracker called Cracken designed to help clients improve password hygiene. It was unveiled at this week's Black Hat conference in Las Vegas.
"Over the past year, we've seen security testing further emerge as a key component in clients' security programmes," said Charles Henderson, global head of IBM X-Force Red. "Finding issues in your products and services upfront is a far better investment than the expense of letting cyber criminals find and exploit vulnerabilities. Our own investments in people, tools and expertise have more than tripled our security testing capabilities in the first year of IBM X-Force Red, making our offence our clients' best defence."
Gartner estimates that the production of new automobiles equipped with data connectivity, either through a built-in communications module or by a tether to a mobile device, is forecast to reach 61 million in 2020. With the current and future challenges in mind, IBM X-Force Red created an automotive practice dedicated to helping clients secure hardware, networks, applications and human interactions.
The team worked with more than a dozen automotive manufacturers and third-party automotive suppliers to build expertise and programmatic penetration testing and consulting services. The formation of the automotive practice aims to help shape and share industry best practices and standardise security protocols.
The automotive practice is also applying some of the findings from research disclosed by IBM X-Force Red early this year that notified consumers and the automotive industry of security pitfalls inherent in connected cars. The research looked at the insecure transfer of ownership between owners of some connected cars, which may create an opportunity for a malicious takeover of the functions of the vehicle, such as locking and unlocking doors, remote start, light and horn control, and the ability to geo-locate the current owner through a mobile app.
When these findings were revealed at RSA 2017 in California in February, Henderson and IBM X-Force Red disclosed that these security loopholes were also identified across four major car makers.
The interconnected components and systems in a modern vehicle can number in the hundreds or thousands, each with its own security controls and vulnerabilities. As these components are combined and connected to mobile applications and external servers, the total number of potential vulnerabilities for the vehicle climbs above the sum of the vulnerabilities of its parts. With this in mind, IBM X-Force Red performs discrete security testing of the individual components as well as security testing of the complete vehicle system.
Gartner forecasts that 8.4bn connected things will be in use worldwide in 2017, up 31 per cent from 2016, and will reach 20.4bn by 2020. While the insights gained from IoT data help drive revenue streams and forge lasting customer relationships, demand and shortened production cycles often lead to rushed or non-existent security testing for these products and services.
IBM X-Force Red has changed the delivery of security testing due to the perceived gaps in security of emerging technologies such as the IoT and connected cars. Programmatic and on-demand security testing through the entire lifecycle of the products is emerging as the best way to find vulnerabilities in a proactive fashion. Watson IoT platform users will now be able to leverage the security expertise of IBM X-Force Red to assist throughout development and deployment.
"It's not just about the technology, it is also about the global reach, investment and collaborative approach which make IBM a trusted IoT partner for enterprise IoT," said James Murphy, offering manager for the IBM Watson IoT platform. "With IoT technologies permeating the farthest corners of industry, IBM is bringing our Watson IoT platform and X-Force Red security talent together to address present and future concerns."
The Watson platform approach is security by design, with security controls built in, delivered as a cloud-based service with ISO 27001 compliance. The platform also has advanced IoT security service capabilities that extend the platform with threat intelligence for the IoT. These features help users visualise critical risks in the IoT landscape and create policy-driven automations to help prioritise operational responses to IoT incidents.
In February, IBM X-Force launched the Red Portal, a cloud-based collaboration platform for clients and security professionals that presents an end-to-end view of security testing programmes. Clients can view real-time testing project milestones, vulnerabilities across all assets, reports of findings, and the overall status of their managed testing programme. The Red Portal centralises and streamlines all communications with X-Force Red and provides a way to begin remediation immediately on the most critical items.