7 Things You Need to Know About Car Hacking

Uploaded on 2015-11-21 in TECHNOLOGY--Hackers, FREE TO VIEW

 

Car hacking is real and likely to happen much more regularly in the future. We look at the top facts you need to know about this emerging trend.

1. The first cars were ‘hacked’ at least five years ago
In 2010, a team of researchers from the University of Washington and the University of California San Diego reported that they could take over a car via a number of wireless vulnerabilities.

This landmark paper explained that as a result of automobiles being equipped with more and more technology, cybercriminals can “infiltrate virtually any electronic control unit … [and] leverage this ability to completely circumvent a broad array of safety-critical systems”.

They documented how, through a number of experiments, they were able to take control of the vehicle they were testing – they could mess about with the radio and, more seriously, completely disable both the brakes and the engine.

At the time, the team chose not to disclose the name of the manufacturer to the public. However, it was later revealed that the car in question was General Motors’ 2009 Chevy Impala.

2. Security fails can result in big recalls

Earlier this year, two US researchers took car hacking to a new level when they demonstrated a major flaw in a 2014 Jeep Cherokee.

Charlie Miller and Chris Valasek exploited vulnerabilities in the radio system of the vehicle to remotely control the car’s air-conditioning, radio and its brakes and engine – they even managed to stop the car with a journalist in it.

Mr. Miller and Mr. Valasek responsibly disclosed the flaws to the manufacturer as and when they found them. This resulted in Fiat Chrysler Automobiles issuing a US-based 1.4 million-vehicle recall for Jeeps, Dodges and Chryslers so that it could update their software.

“The 2014 Jeep Cherokee was chosen because we felt like it would provide us the best opportunity to successfully demonstrate that a remote compromise of a vehicle could result in sending messages that could invade a driver’s privacy and perform physical actions on the attacker’s behalf,” the duo stated in their paper.

3. Car components are just as vulnerable

The rising demand for “connected cars” has led many to question the security repercussions related to this particular development, but it’s also worth noting that car components are just as vulnerable.

Take vehicle immobilizers as an example. One study showed that cybercriminals could disable these electronic security devices and take off with a vehicle without the need of a “genuine key”.

The researchers, Roel Verdult, Flavio Garcia and Baris Ege, explained how they were able to exploit a weakness in the cryptography and authentication protocol used in the Megamos RFID transponder (which is used in many immobilizers).

They said in their paper: “The implications of the attacks presented in this paper are especially serious for those vehicles with keyless ignition. At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate.”

Another well-cited vulnerability concerns OBD (On Board Diagnostics) USB sticks, which are used in cars to check driving habits. Earlier this year, the US-based insurer Progressive came under pressure for handing out insecure thumb drives that were found to be lacking security.

Security researcher Corey Thuen told Forbes: “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication [and so on] … basically it uses no security technologies whatsoever.”

4. Insiders remain a danger

Like any business, disgruntled employees can pose an information security risk to all types of organizations, and this is exactly what the Texas Auto Center found out in 2010.

Five years ago, a former member of staff at the car dealer exploited its remote web-based vehicle mobilization system to disable and tamper with more than 100 cars.

Drivers who had purchased vehicles from the Texas Auto Center reported that their respective vehicles were not working or that, in the middle of the night, their car alarms were inexplicably going off.

“First rolled out about 10 years ago, remote immobilization systems are a controversial answer to delinquent car payments, with critics voicing concerns that debtors could suffer needless humiliation, or find themselves stranded during an emergency,” Wired reported at the time.

5. They don’t have to be connected to the Internet

It is often assumed that only connected cars can only be attacked, but this isn’t exactly true with Dark Reading reporting earlier this year that even certain “non-networked cars” can be tampered with. The Virginian State Police, it said, has found this out through its experiments with 2012 Chevrolet Impalas and 2013 Ford Tauruses.

In an ongoing project that also includes the Mitre Corp, the Virginia Department of Motor Vehicles, the University of Virginia, researchers found that they could make it impossible to shift gears from park to drive, push up engine revs, and – crucially – cause the engine to accelerate or cut off completely.

In addition, Mitre wrote attack code, which opened the trunk, unlocked the passenger doors, locked the driver’s door, turned on the windshield wipers and squirted wiper fluid.

These attacks weren’t easy, as they required the attackers to hijack the state police car computer systems, which in turn required physically jacking the car. Mitre’s first attacks involved a mobile phone app, which was connected to a device in the car via Bluetooth.

This type of attack requires knowledge of the car model’s electronics, and physical access, but it proves attacks are possible – even when there is no Internet connection.

6.    Patches take years to be applied

Patch management remains one of the biggest challenges for information security experts and car developers. Many have argued that the latter has struggled to grasp the seriousness of the situation.

One such individual is US senator Edward Markey, who issued a report in February 2015 criticizing the car manufacturing industry for its weak response to addressing security vulnerabilities.

He said: “Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

Exemplary of this is the incident concerning the 2009 Chevy Impala, as discussed at the start of the feature. This took General Motors five years to resolve, Wired magazine reported in September.
“It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists,” commented security researcher Karl Koscher.

7.    Cybercriminals could target driverless cars

Cybercriminals are already targeting car manufacturers, but they could step up their attacks as autonomous cars edge closer to reality.

A number of security experts have questioned the dangers of driverless cars, and some have actually proved it. Jonathan Petit, principal scientist at software security company Security Innovation, discovered that a laser pointer could interfere with the laser ranging (Lidar) systems that most self-driving cars rely on to navigate.

The Lidar system creates a 3D map allowing the car to “see” potential hazards by bouncing a laser beam off obstacles. However, Dr. Pettit discovered that shining the laser pointer at a self-driving car, so that it was picked up by the system, could trick the car into thinking that something was right in front of it. This would cause it to brake quickly.

Alternatively, an attacker could overwhelm it with numerous signals, forcing the car to remain stationary for fear of hitting phantom obstacles.

“There are ways to solve it,” Dr. Petit explained in his interview with IEEE Spectrum. “A strong system that does misbehavior detection could crosscheck with other data and filter out those that aren’t plausible. “But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”
WeLiveSecurity: http://bit.ly/1NWceDS

 

 

« Internet of Things will drive the Digital Revolution of Industry
Cyber War Games: ‘Too Little Too Late’ »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CyberVista

CyberVista

CyberVista is a cybersecurity training education and workforce development company. Our mission is to eliminate the skills gap by creating job ready professionals.

Beame.io

Beame.io

Beame.io is an information security company that distributes open source authentication infrastructure based on encryption.

AXA XL

AXA XL

AXA XL is the P&C and Specialty Risk Division of AXA. Professional insurance products include Cyber Insurance.

Wizlynx PTE LTD

Wizlynx PTE LTD

Wizlynx PTE LTD is the Singapore branch of Wizlynx Group located in Singapore, offering Information and Cyber Security Services throughout the entire Asia Pacific (APAC) region.

Combis

Combis

COMBIS is a regional high-tech ICT company focused on the development of application, communication, security and system solutions and the provision of services.

European Healthcare Fraud & Corruption Network (EHFCN)

European Healthcare Fraud & Corruption Network (EHFCN)

EHFCN is the only organisation dedicated to combating fraud, corruption and waste in the healthcare sector across Europe.

Onevinn

Onevinn

Onevinn's goal is to create a transparent, cost-effective security that is noticed as little as possible by the users. We simply call it "intelligent security."

Cranfield University

Cranfield University

Cranfield Defence and Security are at the forefront of their fields, offering capabilities ranging from cyber security and digital warfare to robotics, forensic sciences and simulation and analytics.

McDonald Hopkins

McDonald Hopkins

McDonald Hopkins is a business advisory and advocacy law firm. We focus on insightful legal solutions that help our clients strategically plan for an increasingly competitive future.

Rimstorm

Rimstorm

Rimstorm’s mission is to significantly improve the security of your data using award-winning, state-of-the-art technology combined with cyber managed security services.

SRG Security Resource Group

SRG Security Resource Group

SRG Security Resource Group is a Canadian company dedicated to providing world-class Physical and Cyber Security services.

Cytek

Cytek

Cytek is a leading provider of cybersecurity and HIPAA compliance for dental practices and other industries.

Oz Forensics

Oz Forensics

Oz Forensics is a global leader in preventing biometric and deepfake fraud. It is a developer of facial Liveness detection for Antifraud Biometric Software with high expertise in the Fintech market.

Twilio

Twilio

Twilio are the customer layer for the internet, powering the most engaging interactions companies build for their customers. We provide simple tools that solve hard problems.

YSecurity

YSecurity

At YSecurity, we simplify compliance, prevent breaches, and help startups scale with confidence. Focus on growth—we’ll handle the security.

Element

Element

Element is a new type of communications platform. It combines consumer messaging apps, collaboration tools and video conferencing to replace email, address shadow IT and improve security.