7 Things You Need to Know About Car Hacking

 

Car hacking is real and likely to happen much more regularly in the future. We look at the top facts you need to know about this emerging trend.

1. The first cars were ‘hacked’ at least five years ago
In 2010, a team of researchers from the University of Washington and the University of California San Diego reported that they could take over a car via a number of wireless vulnerabilities.

This landmark paper explained that as a result of automobiles being equipped with more and more technology, cybercriminals can “infiltrate virtually any electronic control unit … [and] leverage this ability to completely circumvent a broad array of safety-critical systems”.

They documented how, through a number of experiments, they were able to take control of the vehicle they were testing – they could mess about with the radio and, more seriously, completely disable both the brakes and the engine.

At the time, the team chose not to disclose the name of the manufacturer to the public. However, it was later revealed that the car in question was General Motors’ 2009 Chevy Impala.

2. Security fails can result in big recalls

Earlier this year, two US researchers took car hacking to a new level when they demonstrated a major flaw in a 2014 Jeep Cherokee.

Charlie Miller and Chris Valasek exploited vulnerabilities in the radio system of the vehicle to remotely control the car’s air-conditioning, radio and its brakes and engine – they even managed to stop the car with a journalist in it.

Mr. Miller and Mr. Valasek responsibly disclosed the flaws to the manufacturer as and when they found them. This resulted in Fiat Chrysler Automobiles issuing a US-based 1.4 million-vehicle recall for Jeeps, Dodges and Chryslers so that it could update their software.

“The 2014 Jeep Cherokee was chosen because we felt like it would provide us the best opportunity to successfully demonstrate that a remote compromise of a vehicle could result in sending messages that could invade a driver’s privacy and perform physical actions on the attacker’s behalf,” the duo stated in their paper.

3. Car components are just as vulnerable

The rising demand for “connected cars” has led many to question the security repercussions related to this particular development, but it’s also worth noting that car components are just as vulnerable.

Take vehicle immobilizers as an example. One study showed that cybercriminals could disable these electronic security devices and take off with a vehicle without the need of a “genuine key”.

The researchers, Roel Verdult, Flavio Garcia and Baris Ege, explained how they were able to exploit a weakness in the cryptography and authentication protocol used in the Megamos RFID transponder (which is used in many immobilizers).

They said in their paper: “The implications of the attacks presented in this paper are especially serious for those vehicles with keyless ignition. At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate.”

Another well-cited vulnerability concerns OBD (On Board Diagnostics) USB sticks, which are used in cars to check driving habits. Earlier this year, the US-based insurer Progressive came under pressure for handing out insecure thumb drives that were found to be lacking security.

Security researcher Corey Thuen told Forbes: “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication [and so on] … basically it uses no security technologies whatsoever.”

4. Insiders remain a danger

Like any business, disgruntled employees can pose an information security risk to all types of organizations, and this is exactly what the Texas Auto Center found out in 2010.

Five years ago, a former member of staff at the car dealer exploited its remote web-based vehicle mobilization system to disable and tamper with more than 100 cars.

Drivers who had purchased vehicles from the Texas Auto Center reported that their respective vehicles were not working or that, in the middle of the night, their car alarms were inexplicably going off.

“First rolled out about 10 years ago, remote immobilization systems are a controversial answer to delinquent car payments, with critics voicing concerns that debtors could suffer needless humiliation, or find themselves stranded during an emergency,” Wired reported at the time.

5. They don’t have to be connected to the Internet

It is often assumed that only connected cars can only be attacked, but this isn’t exactly true with Dark Reading reporting earlier this year that even certain “non-networked cars” can be tampered with. The Virginian State Police, it said, has found this out through its experiments with 2012 Chevrolet Impalas and 2013 Ford Tauruses.

In an ongoing project that also includes the Mitre Corp, the Virginia Department of Motor Vehicles, the University of Virginia, researchers found that they could make it impossible to shift gears from park to drive, push up engine revs, and – crucially – cause the engine to accelerate or cut off completely.

In addition, Mitre wrote attack code, which opened the trunk, unlocked the passenger doors, locked the driver’s door, turned on the windshield wipers and squirted wiper fluid.

These attacks weren’t easy, as they required the attackers to hijack the state police car computer systems, which in turn required physically jacking the car. Mitre’s first attacks involved a mobile phone app, which was connected to a device in the car via Bluetooth.

This type of attack requires knowledge of the car model’s electronics, and physical access, but it proves attacks are possible – even when there is no Internet connection.

6.    Patches take years to be applied

Patch management remains one of the biggest challenges for information security experts and car developers. Many have argued that the latter has struggled to grasp the seriousness of the situation.

One such individual is US senator Edward Markey, who issued a report in February 2015 criticizing the car manufacturing industry for its weak response to addressing security vulnerabilities.

He said: “Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

Exemplary of this is the incident concerning the 2009 Chevy Impala, as discussed at the start of the feature. This took General Motors five years to resolve, Wired magazine reported in September.
“It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists,” commented security researcher Karl Koscher.

7.    Cybercriminals could target driverless cars

Cybercriminals are already targeting car manufacturers, but they could step up their attacks as autonomous cars edge closer to reality.

A number of security experts have questioned the dangers of driverless cars, and some have actually proved it. Jonathan Petit, principal scientist at software security company Security Innovation, discovered that a laser pointer could interfere with the laser ranging (Lidar) systems that most self-driving cars rely on to navigate.

The Lidar system creates a 3D map allowing the car to “see” potential hazards by bouncing a laser beam off obstacles. However, Dr. Pettit discovered that shining the laser pointer at a self-driving car, so that it was picked up by the system, could trick the car into thinking that something was right in front of it. This would cause it to brake quickly.

Alternatively, an attacker could overwhelm it with numerous signals, forcing the car to remain stationary for fear of hitting phantom obstacles.

“There are ways to solve it,” Dr. Petit explained in his interview with IEEE Spectrum. “A strong system that does misbehavior detection could crosscheck with other data and filter out those that aren’t plausible. “But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”
WeLiveSecurity: http://bit.ly/1NWceDS

 

 

« Internet of Things will drive the Digital Revolution of Industry
Cyber War Games: ‘Too Little Too Late’ »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Centre for Secure Information Technologies (CSIT)

Centre for Secure Information Technologies (CSIT)

CSIT is a UK Innovation and Knowledge Centre (IKC) for secure information technologies. Our vision is to be a global innovation hub for cyber security.

Research Institute in Science of Cyber Security (RISCS)

Research Institute in Science of Cyber Security (RISCS)

RISCS is focused on giving organisations more evidence, to allow them to make better decisions, aiding to the development of cybersecurity as a science.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

Vintegris

Vintegris

Vintegris are a Certification Authority and manufacturer of innovative systems and applications for the full cycle of digital identity.

National Cyber Security Agency (NACSA) - Malaysia

National Cyber Security Agency (NACSA) - Malaysia

NACSA is the leading government agency in Malaysia responsible for the development and implementation of national cyber security management policie and strategies.

Hunters.AI

Hunters.AI

Hunters is the world's first autonomous hunting solution that leverages top-tier cyber expertise and AI to uncover hidden cyber threats.

Rublon

Rublon

Rublon protects endpoints, networks and applications by providing trusted access via two-factor authentication (2FA).

Ashley Page

Ashley Page

Ashley Page offer a unique cyber insurance and risk management solution - Cyber+Insure.

DigiByte (DGB)

DigiByte (DGB)

DigiByte (DGB) is a rapidly growing global blockchain with a focus on cybersecurity for digital payments & decentralized applications.

PatrOwl

PatrOwl

Automate your SecOps with PatrOwl, and start defending your assets efficiently.

CleanCloud by SEK

CleanCloud by SEK

CleanCloud by SEK is a CSPM product focused on public cloud data protection and security regulations, with over 400 compliance checks for the market's leading frameworks and regulations.

Fenix24

Fenix24

Fenix24 is an industry leader in the incident-response space. We ensure the fastest response, leading to the full restoration of critical infrastructure, data, and systems.

Surefire Cyber

Surefire Cyber

Surefire Cyber delivers swift, strong response to cyber incidents such as ransomware, email compromise, malware, data theft, and other threats with end-to-end response capabilities.

Association of Azerbaijani Cyber Security Organizations (AKTA)

Association of Azerbaijani Cyber Security Organizations (AKTA)

The Association of Azerbaijani Cyber Security Organizations (AKTA) is a non-commercial organization aimed at strengthening the country's cybersecurity system.

Ipseity Security

Ipseity Security

Ipseity Security provide security-centric advisory and consulting services for organizations to secure their perimeter-less digital transformation to meet business and security requirements.

XeneX

XeneX

XeneX Cloud Security Services address enterprise-class security challenges by enabling DevOps and Security teams to access a shared source of truth.