Not all hackers set out to cause disruption. AUTOCRYPT’s resident white hat hacker, Dr. Jonghyuk Song, explains the roles of red teams and blue teams and why the entire automotive ecosystem needs to be secured
This article is partner content provided by AUTOCRYPT
Hear the word “hacker” and your mind may immediately jump to a dark room with a nameless, faceless figure hunched over keyboards and screens. But in the 2020s hackers are actually some of a company’s most important and sought-after employees. They are known as “the white hat hackers” — the 007s of the Internet — and their job is to test the defenses of corporate cybersecurity.
Now, with connectivity expanding at a stunning pace to include all mobility options, professional hackers are not a luxury hire in niche markets, but an essential member of any company in the 21st century planning to offer their customers safety and security.
Afterall, the best defense is a good offense.
We sat down with AUTOCRYPT’s resident white hat hacker, Dr. Jonghyuk Song, to discuss what exactly is white hat hacking, and how he sees the world of hacking changing with the evolution of mobility.
Q: Dr. Song, can you tell us a little bit about yourself and what you do?
A: Hello, my name is Jonghyuk Song, and I’m a white hat hacker at AUTOCRYPT — a mobility security solutions provider — as a red team engineer. My role is to ensure that products and solutions are secure. My team and I test security systems through penetration tests and fuzzing to see where not just our company, but others can improve their security management systems.
Q: What exactly is “a red team”?
In cybersecurity, red teams are security experts (aka white hat hackers) who specialize in attacking systems and breaking defenses. Blue teams, on the other hand, are experts responsible for maintaining security defenses against cyberattacks. In a nutshell the red teams play the blue teams in a constant hacking game. By working together, we provide a comprehensive security solution against the evolving threat landscape.
Q: Have you always wanted to be a white hat hacker? What led you to this?
A: I grew up in an era where computers and technology were much more accessible to the general public. I remember seeing news headlines on the Internet or on TV where hackers would infiltrate certain networks, sometimes collapsing a whole system or network. I was fascinated. My curiosity led me to major in computer engineering in college, and part of my studies involved hacking. Around this time, it was very evident to me that cybersecurity needed to be prioritized as more and more companies were moving to digital platforms and some of the world’s most sensitive information was now sitting on servers. I decided to pursue becoming a white hat hacker to be able to contribute to that need.
Q: So, what is the process to become a white hat hacker like? Are there any standards or accreditations that indicate the rank or a level of a hacker?
A: As far as I know, there are no objective figures or ranks in being a white hat hacker. Many, if not most, hackers are black hat (criminal) hackers. There’s not a standard system that would actually encourage people to join a professional, accredited body. Even if there were a standard, it’s difficult to rank hackers because, just like an engineer, hackers have different fields of expertise or industry targets. A hacker might be an expert in hacking a network server, but when it comes to automotive systems, they might be completely at a loss.
Q: You mentioned that your team currently does penetration testing and fuzzing. Can you explain what those are and why that’s important in automotive cybersecurity?
A: Penetration testing is basically hacking from the attacker’s viewpoint. We look at what tactics or methods a hacker may attempt, and through that we can see what vulnerabilities exist and need to be addressed. We are always trying to stay a step ahead of the threat. Fuzz testing or “fuzzing” is when we provide the fuzz or invalid, random data to input into an application or software. Then we can monitor it for crashes or leaks. Many of the attacks these days aren’t done by a hacker just typing away on their keyboard – a lot of attacks are orchestrated by hackers utilizing sophisticated, automatic programs. This helps us add an element of testing that cannot necessarily be generated by a human being.
Q: As you mentioned earlier, hackers have different industries they focus on. Why is car hacking on the rise? Is it easy to hack a car?
You’re right. More and more hackers are looking to vehicles as hacking targets. This is because software and connected technologies are being implemented into mobility vehicles ranging from a regular passenger car to a micro-mobility option like electric scooters. All vehicles have come a long way from the Ford Model T — they’re now basically supercomputers on wheels. And as the number of external communication functions like Bluetooth, Wi-Fi, and LTE increases, the possibility of a hacking attempt from a remote location is increasing. The features we love are a gateway for hackers.
Again, it’s not possible to say whether it’s “easy” to hack a car. For some hackers it is, and for others it isn’t. But compared to hacking a web server, hacking an automobile is pretty different — it’s more like hacking into a smartphone because they have similar external communication points: Bluetooth, Wi-Fi, LTE, GPS and so on. These are all vulnerabilities that can be taken advantage of by hackers.
Another similarity is that cars today hold a lot of personal information, much like our smartphones do. The computer in your car holds your driving history, call history, contacts, photos, dashcam videos and even financial information. It makes sense why cars are becoming more attractive targets for hackers.
Q: What kinds of data are most attractive for hackers? What can we do as drivers/passengers to protect them?
There are many different types of car data that can be used by hackers. As drivers, we’re conditioned to think that data on our devices pertain to just us as the individual. However, think of data as a network. It’s never just one piece of data, but the web that the data leads to. For example, access to your car’s GPS could give hackers access to your infotainment system, and if they were to get other personal information like your license and registration numbers, they could also hack into your insurance information as well as your insurance provider’s network. There are a multitude of ways that a hacker could take one piece of information and go down the proverbial rabbit hole.
This isn’t to say that data is bad. In fact, data is what is going to help self-driving and connected vehicle technology. However, we have to make sure that the right entities are using the data and holding it in a secure way. This means using encryption for critical information and protecting data in a security module.
As an individual, how can you be cyber secure? It starts with understanding your rights to your data. Data protection legislation, though dependent on the country, ensures that you can decide who you share your data with who you see fit. Manufacturers can only use your data if you’ve consented (usually from your vehicle purchase contract) or for legal obligations.
When purchasing a car, make sure that your manufacturer takes data protection seriously, and see what kinds of security management systems are in place to make sure that your data is being used appropriately. Be careful when downloading any new software, application, or upgrade, especially if it’s provided by a third-party.
Q: Let’s talk a bit more about car hacking – we all know the infamous 2015 Jeep Cherokee remote hack. Can this kind of incident still happen?
The short answer is yes. Cars are developing very quickly in terms of technology, and legislation is starting to take notice. For example, the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) announced that cybersecurity would now be a prerequisite for type approval before going on the market — that is industry-speak for saying manufacturers need to ensure that the vehicle meets specific cybersecurity standards before it can be sold. Manufacturers know hacking is a potentially serious matter and are investing in cybersecurity measures. But there is still a lot of places we need to catch up.
In addition to a vehicle’s infotainment system the Tire Pressure Monitoring Systems (TPMS), GPS, remote keys, USB, engine and transmission ECUs, lighting system, OBD-II, and Advanced Driver Assistance Systems (ADAS), are all entry points — and that’s just to name a few.
Q: You mentioned ADAS. As ADAS technologies continue to improve, we know that they will eventually result in fully autonomous driving. Are autonomous vehicles safe from these types of threats?
Autonomous driving is tricky because the word “self-driving” or “autonomous” is thrown around by a lot of manufacturers. There are five (or six, depending on where you live) levels of autonomous capabilities ranging from none to completely driverless. Very few vehicles are fully self-driving, but that doesn’t mean more won’t be in the very near future. With new regulations coming, more manufacturers are beginning to implement cybersecurity measures, but so far it’s mostly to satisfy a selling point and prioritizes functionality over security. If they continue to do that, it can be potentially catastrophic as our autonomous mobility options expand.
Q: So, what do you think is next for the automotive industry in terms of hacking or cybersecurity?
When people hear the word “hacking” in the automotive industry, I think a lot of people’s minds go immediately to remote hacking vehicles. But really, the automotive industry isn’t just about passenger vehicles anymore. As more of the industry turns to IoT (the “Internet of things”) and Mobility-as-a-Service (subscription models and services for transportation), I think hacking will soon focus more on the infrastructure surrounding that. EV charger and charging network hacking and Roadside Unit (RSU) hacking are, in my opinion, prime targets. If we want to really achieve safe driving, it’s crucial to secure the entire mobility ecosystem, not just the vehicle itself.