7 Things You Need to Know About Car Hacking

 

Car hacking is real and likely to happen much more regularly in the future. We look at the top facts you need to know about this emerging trend.

1. The first cars were ‘hacked’ at least five years ago
In 2010, a team of researchers from the University of Washington and the University of California San Diego reported that they could take over a car via a number of wireless vulnerabilities.

This landmark paper explained that as a result of automobiles being equipped with more and more technology, cybercriminals can “infiltrate virtually any electronic control unit … [and] leverage this ability to completely circumvent a broad array of safety-critical systems”.

They documented how, through a number of experiments, they were able to take control of the vehicle they were testing – they could mess about with the radio and, more seriously, completely disable both the brakes and the engine.

At the time, the team chose not to disclose the name of the manufacturer to the public. However, it was later revealed that the car in question was General Motors’ 2009 Chevy Impala.

2. Security fails can result in big recalls

Earlier this year, two US researchers took car hacking to a new level when they demonstrated a major flaw in a 2014 Jeep Cherokee.

Charlie Miller and Chris Valasek exploited vulnerabilities in the radio system of the vehicle to remotely control the car’s air-conditioning, radio and its brakes and engine – they even managed to stop the car with a journalist in it.

Mr. Miller and Mr. Valasek responsibly disclosed the flaws to the manufacturer as and when they found them. This resulted in Fiat Chrysler Automobiles issuing a US-based 1.4 million-vehicle recall for Jeeps, Dodges and Chryslers so that it could update their software.

“The 2014 Jeep Cherokee was chosen because we felt like it would provide us the best opportunity to successfully demonstrate that a remote compromise of a vehicle could result in sending messages that could invade a driver’s privacy and perform physical actions on the attacker’s behalf,” the duo stated in their paper.

3. Car components are just as vulnerable

The rising demand for “connected cars” has led many to question the security repercussions related to this particular development, but it’s also worth noting that car components are just as vulnerable.

Take vehicle immobilizers as an example. One study showed that cybercriminals could disable these electronic security devices and take off with a vehicle without the need of a “genuine key”.

The researchers, Roel Verdult, Flavio Garcia and Baris Ege, explained how they were able to exploit a weakness in the cryptography and authentication protocol used in the Megamos RFID transponder (which is used in many immobilizers).

They said in their paper: “The implications of the attacks presented in this paper are especially serious for those vehicles with keyless ignition. At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate.”

Another well-cited vulnerability concerns OBD (On Board Diagnostics) USB sticks, which are used in cars to check driving habits. Earlier this year, the US-based insurer Progressive came under pressure for handing out insecure thumb drives that were found to be lacking security.

Security researcher Corey Thuen told Forbes: “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication [and so on] … basically it uses no security technologies whatsoever.”

4. Insiders remain a danger

Like any business, disgruntled employees can pose an information security risk to all types of organizations, and this is exactly what the Texas Auto Center found out in 2010.

Five years ago, a former member of staff at the car dealer exploited its remote web-based vehicle mobilization system to disable and tamper with more than 100 cars.

Drivers who had purchased vehicles from the Texas Auto Center reported that their respective vehicles were not working or that, in the middle of the night, their car alarms were inexplicably going off.

“First rolled out about 10 years ago, remote immobilization systems are a controversial answer to delinquent car payments, with critics voicing concerns that debtors could suffer needless humiliation, or find themselves stranded during an emergency,” Wired reported at the time.

5. They don’t have to be connected to the Internet

It is often assumed that only connected cars can only be attacked, but this isn’t exactly true with Dark Reading reporting earlier this year that even certain “non-networked cars” can be tampered with. The Virginian State Police, it said, has found this out through its experiments with 2012 Chevrolet Impalas and 2013 Ford Tauruses.

In an ongoing project that also includes the Mitre Corp, the Virginia Department of Motor Vehicles, the University of Virginia, researchers found that they could make it impossible to shift gears from park to drive, push up engine revs, and – crucially – cause the engine to accelerate or cut off completely.

In addition, Mitre wrote attack code, which opened the trunk, unlocked the passenger doors, locked the driver’s door, turned on the windshield wipers and squirted wiper fluid.

These attacks weren’t easy, as they required the attackers to hijack the state police car computer systems, which in turn required physically jacking the car. Mitre’s first attacks involved a mobile phone app, which was connected to a device in the car via Bluetooth.

This type of attack requires knowledge of the car model’s electronics, and physical access, but it proves attacks are possible – even when there is no Internet connection.

6.    Patches take years to be applied

Patch management remains one of the biggest challenges for information security experts and car developers. Many have argued that the latter has struggled to grasp the seriousness of the situation.

One such individual is US senator Edward Markey, who issued a report in February 2015 criticizing the car manufacturing industry for its weak response to addressing security vulnerabilities.

He said: “Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

Exemplary of this is the incident concerning the 2009 Chevy Impala, as discussed at the start of the feature. This took General Motors five years to resolve, Wired magazine reported in September.
“It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists,” commented security researcher Karl Koscher.

7.    Cybercriminals could target driverless cars

Cybercriminals are already targeting car manufacturers, but they could step up their attacks as autonomous cars edge closer to reality.

A number of security experts have questioned the dangers of driverless cars, and some have actually proved it. Jonathan Petit, principal scientist at software security company Security Innovation, discovered that a laser pointer could interfere with the laser ranging (Lidar) systems that most self-driving cars rely on to navigate.

The Lidar system creates a 3D map allowing the car to “see” potential hazards by bouncing a laser beam off obstacles. However, Dr. Pettit discovered that shining the laser pointer at a self-driving car, so that it was picked up by the system, could trick the car into thinking that something was right in front of it. This would cause it to brake quickly.

Alternatively, an attacker could overwhelm it with numerous signals, forcing the car to remain stationary for fear of hitting phantom obstacles.

“There are ways to solve it,” Dr. Petit explained in his interview with IEEE Spectrum. “A strong system that does misbehavior detection could crosscheck with other data and filter out those that aren’t plausible. “But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”
WeLiveSecurity: http://bit.ly/1NWceDS

 

 

« Internet of Things will drive the Digital Revolution of Industry
Cyber War Games: ‘Too Little Too Late’ »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Foundation for Strategic Research (FRS)

Foundation for Strategic Research (FRS)

The Foundation for Strategic Research is France's main independent think tank on strategic, defense and security issues. Cyber security is covered as part of the study areas.

Centre for Development of Advanced Computing (C-DAC)

Centre for Development of Advanced Computing (C-DAC)

C-DAC is the premier R&D organization of the indian Ministry of Electronics & Information Technology. Areas of research include cyber security.

Sepio Cyber

Sepio Cyber

Sepio is the leading asset risk management platform that operates on asset existence rather than activity.

Hexnode MDM

Hexnode MDM

Hexnode MDM is an award winning Enterprise Mobility Management vendor which helps businesses to secure and manage BYOD, COPE, apps and content.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IAR Systems

IAR Systems

IAR Systems are a frontrunner in a changing industry, and a future-proof software supplier enabling the IoT.

Cycode

Cycode

Cycode is the industry’s first source code control, detection, and response platform.

Open Systems

Open Systems

Open Systems is a Secure Access Service Edge (SASE) pioneer delivering a complete solution to network and security.

Green House Data

Green House Data

Green House Data is a managed services provider delivering hybrid solutions to enterprises who need secure IT environments and efficient management of their critical applications and business data.

Audea

Audea

Audea is a consultancy firm specialising in cybersecurity, risk and compliance. We provide professional services addressing all areas of Cybersecurity and GRC.

FortKnoxster

FortKnoxster

FortKnoxster is a cybersecurity company within the Crypto & FinTech space. Our encryption technologies are blockchain integrated.

Anxinsec

Anxinsec

Anxinsec Technology is a security solution and service provider with a focus on new technology and innovations in cybersecurity.

Green Enterprise Solutions

Green Enterprise Solutions

Green Enterprise Solutions are a Namibian company providing Information and Communication Technology (ICT) services to corporate Namibia.

Global Market Innovators (GMI)

Global Market Innovators (GMI)

Global Market Innovators (GMI) delivers secure technology solutions to organizations in need.

HIFENCE

HIFENCE

HIFENCE delivers cybersecurity and networking services that make your company safer and more secure. That’s all we do, so you can concentrate on all the things that you do best.

appNovi

appNovi

appNovi inventories everything to map the attack surface, identify missing security agents, and prioritize vulnerabilities based on exposure.