7 Things You Need to Know About Car Hacking

 

Car hacking is real and likely to happen much more regularly in the future. We look at the top facts you need to know about this emerging trend.

1. The first cars were ‘hacked’ at least five years ago
In 2010, a team of researchers from the University of Washington and the University of California San Diego reported that they could take over a car via a number of wireless vulnerabilities.

This landmark paper explained that as a result of automobiles being equipped with more and more technology, cybercriminals can “infiltrate virtually any electronic control unit … [and] leverage this ability to completely circumvent a broad array of safety-critical systems”.

They documented how, through a number of experiments, they were able to take control of the vehicle they were testing – they could mess about with the radio and, more seriously, completely disable both the brakes and the engine.

At the time, the team chose not to disclose the name of the manufacturer to the public. However, it was later revealed that the car in question was General Motors’ 2009 Chevy Impala.

2. Security fails can result in big recalls

Earlier this year, two US researchers took car hacking to a new level when they demonstrated a major flaw in a 2014 Jeep Cherokee.

Charlie Miller and Chris Valasek exploited vulnerabilities in the radio system of the vehicle to remotely control the car’s air-conditioning, radio and its brakes and engine – they even managed to stop the car with a journalist in it.

Mr. Miller and Mr. Valasek responsibly disclosed the flaws to the manufacturer as and when they found them. This resulted in Fiat Chrysler Automobiles issuing a US-based 1.4 million-vehicle recall for Jeeps, Dodges and Chryslers so that it could update their software.

“The 2014 Jeep Cherokee was chosen because we felt like it would provide us the best opportunity to successfully demonstrate that a remote compromise of a vehicle could result in sending messages that could invade a driver’s privacy and perform physical actions on the attacker’s behalf,” the duo stated in their paper.

3. Car components are just as vulnerable

The rising demand for “connected cars” has led many to question the security repercussions related to this particular development, but it’s also worth noting that car components are just as vulnerable.

Take vehicle immobilizers as an example. One study showed that cybercriminals could disable these electronic security devices and take off with a vehicle without the need of a “genuine key”.

The researchers, Roel Verdult, Flavio Garcia and Baris Ege, explained how they were able to exploit a weakness in the cryptography and authentication protocol used in the Megamos RFID transponder (which is used in many immobilizers).

They said in their paper: “The implications of the attacks presented in this paper are especially serious for those vehicles with keyless ignition. At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate.”

Another well-cited vulnerability concerns OBD (On Board Diagnostics) USB sticks, which are used in cars to check driving habits. Earlier this year, the US-based insurer Progressive came under pressure for handing out insecure thumb drives that were found to be lacking security.

Security researcher Corey Thuen told Forbes: “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication [and so on] … basically it uses no security technologies whatsoever.”

4. Insiders remain a danger

Like any business, disgruntled employees can pose an information security risk to all types of organizations, and this is exactly what the Texas Auto Center found out in 2010.

Five years ago, a former member of staff at the car dealer exploited its remote web-based vehicle mobilization system to disable and tamper with more than 100 cars.

Drivers who had purchased vehicles from the Texas Auto Center reported that their respective vehicles were not working or that, in the middle of the night, their car alarms were inexplicably going off.

“First rolled out about 10 years ago, remote immobilization systems are a controversial answer to delinquent car payments, with critics voicing concerns that debtors could suffer needless humiliation, or find themselves stranded during an emergency,” Wired reported at the time.

5. They don’t have to be connected to the Internet

It is often assumed that only connected cars can only be attacked, but this isn’t exactly true with Dark Reading reporting earlier this year that even certain “non-networked cars” can be tampered with. The Virginian State Police, it said, has found this out through its experiments with 2012 Chevrolet Impalas and 2013 Ford Tauruses.

In an ongoing project that also includes the Mitre Corp, the Virginia Department of Motor Vehicles, the University of Virginia, researchers found that they could make it impossible to shift gears from park to drive, push up engine revs, and – crucially – cause the engine to accelerate or cut off completely.

In addition, Mitre wrote attack code, which opened the trunk, unlocked the passenger doors, locked the driver’s door, turned on the windshield wipers and squirted wiper fluid.

These attacks weren’t easy, as they required the attackers to hijack the state police car computer systems, which in turn required physically jacking the car. Mitre’s first attacks involved a mobile phone app, which was connected to a device in the car via Bluetooth.

This type of attack requires knowledge of the car model’s electronics, and physical access, but it proves attacks are possible – even when there is no Internet connection.

6.    Patches take years to be applied

Patch management remains one of the biggest challenges for information security experts and car developers. Many have argued that the latter has struggled to grasp the seriousness of the situation.

One such individual is US senator Edward Markey, who issued a report in February 2015 criticizing the car manufacturing industry for its weak response to addressing security vulnerabilities.

He said: “Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

Exemplary of this is the incident concerning the 2009 Chevy Impala, as discussed at the start of the feature. This took General Motors five years to resolve, Wired magazine reported in September.
“It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists,” commented security researcher Karl Koscher.

7.    Cybercriminals could target driverless cars

Cybercriminals are already targeting car manufacturers, but they could step up their attacks as autonomous cars edge closer to reality.

A number of security experts have questioned the dangers of driverless cars, and some have actually proved it. Jonathan Petit, principal scientist at software security company Security Innovation, discovered that a laser pointer could interfere with the laser ranging (Lidar) systems that most self-driving cars rely on to navigate.

The Lidar system creates a 3D map allowing the car to “see” potential hazards by bouncing a laser beam off obstacles. However, Dr. Pettit discovered that shining the laser pointer at a self-driving car, so that it was picked up by the system, could trick the car into thinking that something was right in front of it. This would cause it to brake quickly.

Alternatively, an attacker could overwhelm it with numerous signals, forcing the car to remain stationary for fear of hitting phantom obstacles.

“There are ways to solve it,” Dr. Petit explained in his interview with IEEE Spectrum. “A strong system that does misbehavior detection could crosscheck with other data and filter out those that aren’t plausible. “But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”
WeLiveSecurity: http://bit.ly/1NWceDS

 

 

« Internet of Things will drive the Digital Revolution of Industry
Cyber War Games: ‘Too Little Too Late’ »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

USNA Center for Cyber Security Studies

USNA Center for Cyber Security Studies

The mission of the Center for Cyber Security Studies is to enhance the education of midshipmen in all areas of cyber warfare.

iXsystems

iXsystems

iXsystems is a leader in Open-Source enterprise server and storage solutions including Backup & Recovery to protect critical data.

Brookings Institution

Brookings Institution

The Brookings Institution is a nonprofit public policy organization. Cyber security is covered within the various study areas.

Green Hills Software

Green Hills Software

Green Hills Software is the largest independent vendor of embedded secure software solutions for applications including the Internet of Things.

Entreda

Entreda

Entreda offers a unified platform to automate cybersecurity and compliance policy enforcement for your devices, users, networks, applications.

Hedgehog Security

Hedgehog Security

The key objective of Hedgehog is to provide simple, effective and affordable information security improvements that support your drive to increase productivity and profitability.

Modux

Modux

Modux focus on a number of core competencies across cyber security including; cyber intelligence & analytics, penetration testing and training.

Westminster Insight - Cyber Security Conference

Westminster Insight - Cyber Security Conference

Join colleagues this December for Westminster Insight’s Cyber Security Conference, as you’ll assess how new technologies such as AI can secure your organisation against future threats.

African Cyber Security

African Cyber Security

African Cyber Security and it's partners, have the expertise and skills to provide holistic solutions for companies, institutions and government.

GELLIFY

GELLIFY

GELLIFY is the first innovation platform dedicated to the high-tech B2B market, supporting start-ups and companies.

InGuardians

InGuardians

InGuardians is an independent information security consulting firm specializing in penetration testing, threat hunting, and hardware hacking.

Cipher

Cipher

Founded in 2000, Cipher is a global cybersecurity company that delivers a wide range of Managed Security Services.

Cognyte

Cognyte

Cognyte are a market leader in security analytics software that empowers governments and enterprises with Actionable Intelligence for a safer world.

Xscale Accelerator

Xscale Accelerator

Xscale's vision is to create world-class startups out of India by transforming sales and providing access to global markets.

Nuance Communications

Nuance Communications

From revolutionizing the doctor-patient relationship to reinventing the way brands connect with their customers, Nuance technology helps organizations push the boundaries of what’s possible.

Secure Enterprise Engineering (SEE)

Secure Enterprise Engineering (SEE)

SEE provides disruptive cybersecurity system engineering, architecture, and operational capabilities to make our customer’s missions execute faster, smarter, and more securely.