The Auto Industry's Achilles Heel: Cybersecurity
Thomas Sermpinis of Auxilium Pentest Labs on Challenges of Centralized Car Systems
Centralized architecture in the automotive industry reduces hardware components, simplifies vehicle management and enhances security by allowing updates to be applied across all electronic control units in a system. But the transition to a centralized architecture poses major cybersecurity challenges, according to Thomas Sermpinis, technical director at Auxilium Pentest Labs.
Manufacturers are required to redesign vehicles and develop new skill sets to manage these advanced systems. This process requires substantial investment, as automakers must rethink how vehicles interact and communicate with sensors, Sermpinis said. The fact that manufacturers have lagged behind other industries in prioritizing cybersecurity compounds the problem.
All major automotive companies started out with a focus on mechanical engineering and "didn't have the ability to catch up with all the progress we did in cybersecurity and all the other industries - be it infrastructure, web application and everything that comes with that," Sermpinis said. "They had to catch up in most of the IT side of the things. But it took them some time to catch up with cybersecurity."
In this video interview with Information Security Media Group at DEF CON 2024, Sermpinis also discussed:
- How increasing connectivity in vehicles introduces new cybersecurity risks, especially in electric and hydrogen vehicles;
- How high costs and complexity of testing in the automotive industry make it difficult to compare vulnerabilities;
- The importance of financially incentivizing researchers for robust vulnerability disclosure.
Sermpinis has decades of experience in automotive security research and in various types of security testing in vehicles, embedded devices and low-level software. Prior to Auxilium Pentest Labs, he served as automotive penetration testing lead at Auxilium Cyber Security.