DeepSec 2023 Talk: Horror Stories from the Automotive Industry – Thomas Sermpinis
In this talk, we will revisit some of the scariest stories we faced during over 50 penetration testing and security research projects, with a twist. In the ever-emerging industry of automotive, with old and new OEMs trying to get a share of the pie, many things are at stake, with many things getting overlooked, forgotten, or even deliberately covered. We will go through a journey of critical findings in different targets and the constant battle between penetration testers, developers, and mid to upper management. This will help the audience get an understanding of how the industry behaves right now, what they (and what we) are doing wrong, and how the future of automotive security should be shaped, not only for the sake of security but also for the sake of safety and reliability.
This talk will try to raise awareness of the current state of automotive security and of how the industry behaves across its whole spectrum (from 100-year-old OEMs to 2-year-old OEMs and Tier 1 suppliers), and ultimately try to propose a way forward for both the automotive and security industries, with the goal being a safer and more reliable future for everyone, in and out of the streets.
We asked Thomas a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- While the consensus is that automotive is a mature industry, the current state is the complete rethinking of what a vehicle is and how people use it, which heavily affects the safety and security aspects of those vehicles
- 20-year-old vulnerabilities are becoming new again
- Designing and architecting a vehicle is way more complicated than it seems
- The main purpose of the current R155 regulation is to fix the completely unregulated mess which exists till now. If it’s successful, it will be a completely different topic.
- Backdoors in safety-critical components exist, and they are as nasty and dumb as anyone can imagine.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Main spark is my love for making the world a safer place. But fun fact, I thought about the initial idea and topic of the talk, while I was at a concert with my girlfriend. 😅
Why do you think this is an important topic?
One of the most common pieces of feedback I get is that people don’t talk about these things and that most of us “know”. That’s why it’s important, because people in the automotive industry haven’t learned to share and collaborate. We need to share and bring awareness to the current state of security in vehicles, bring more people on-board, and start hacking together for a better tomorrow.
Is there something you want everybody to know – some good advice for our readers, maybe?
Educate your clients and developers to the best of your knowledge and abilities. It’s hard, but it’s the only way to avoid unnecessary fighting during discussions of a security finding 😉
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Code execution through specially crafted images in the streets, by exploiting the assisted driving cameras and sensors, will be a thing of the future and not a level from Watchdogs. Let’s make it a reality till next DeepSec, and save lives from malicious actors. 😉
Thomas Sermpinis (a.k.a. Cr0wTom) is an Automotive Penetration Testing Lead and independent security researcher with main topics of interest in the automotive, industrial control, embedded device sectors and cryptography. During his research, he published several academic papers, 0days and tools with the ultimate goal of making the world a safer place.