Testing the security of connected cars and IoT devices
IBM Security announced the launch of two new security testing practice areas focused on automotive security and the Internet of Things (IoT).
The new services will be delivered via a team of IBM X-Force Red researchers focused on testing backend processes, apps and physical hardware used to control access and management of smart systems.
“Over the past year, we’ve seen security testing further emerge as a key component in clients’ security programs,” said Charles Henderson, Global Head of IBM X-Force Red. “Finding issues in your products and services upfront is a far better investment than the expense of letting cybercriminals find and exploit vulnerabilities. Our own investments in people, tools and expertise have more than tripled our security testing capabilities in the first year of IBM X-Force Red, making our offense our clients’ best defense.”
The interconnected components and systems in a modern vehicle can number in the hundreds or thousands, each with its own security controls and vulnerabilities. As these components are combined and connected to mobile applications and external servers, the total number of potential vulnerabilities for the vehicle climbs above the sum of the vulnerabilities of its parts. With this in mind, IBM X-Force Red performs discrete security testing of the components and solution-based security testing for the complete system of the vehicle.
The researchers worked with more than a dozen automotive manufacturers and third-party automotive suppliers to build expertise and programmatic penetration testing and consulting services. The formation of the automotive practice aims to help shape and share industry best practices and standardize security protocols.
IBM X-Force Red has changed the delivery of security testing due to the perceived gaps in security of emerging technologies such as IoT and connected cars. Programmatic and on-demand security testing through the entire lifecycle of the products is emerging as the best way to find vulnerabilities in a proactive fashion.
The new IoT services will be delivered alongside the Watson IoT Platform. The platform provides configuration and management of IoT environments, and the IBM X-Force Red services bring an added layer of security and penetration testing.
The Watson IoT Platform approach is security by design, with security controls built in, delivered as a cloud-based service with industry-recognized ISO 27001 compliance. The Watson IoT Platform also has advanced IoT security service capabilities that extend the platform with Threat Intelligence for IoT. These features help customers visualize critical risks in the IoT landscape and create policy-driven automations to help prioritize operational responses for IoT incidents.
At this year’s Black Hat conference, X-Force Red will also unveil the newest weapon in their arsenal. Cracken is a dedicated password-cracking cluster used by X-Force Red during penetration tests and security assessments.