Connected Cars Create New Security Challenges

Connected cars are essentially computer networks on wheels. The dashboard is now the control center for telecommunications, web surfing, car diagnostics, navigation, and a host of other functions. The rolling computer network monitors the car’s systems using built-in sensors to make sure everything is running properly. A wireless connection can also be used to send telemetry to the telematics service provider or the manufacturer to facilitate service and update software. Once a vehicle is connected to the internet it becomes susceptible to hacking.


Car hacking is the latest in a long series of consumer security threats and has been getting a lot of attention in the news. Major carmakers including BMW, Mercedes-Benz, General Motors, and Tesla have already had to address car hacking threats. Clearly, automotive hacking is posing a safety concern. And as consumers demand more from their connected cars, it will likely mean hacker attacks will target personal data and private information as well.

What Are the Primary Motivators for Hackers?

Hacking has a life cycle like almost everything else in the world. The initial wave of hacking is based on an inherent desire to ‘see what is possible’. This is both the cause of great innovation and the beginning of the opening of a Pandora’s Box. Once something is known to be ‘possible’ there is a natural attraction to the hacker communities, who are seeking some level of self-gain. In the automotive arena, there are currently two or three use cases where a hacker may be motivated to take advantage of vulnerable vehicles. 

We believe these can be summarized into three categories:

  • Phishing Attacks - Hackers take a long-term view of gaining an economic return for their efforts. The point of phishing is to ‘learn something of value’ about a person or a group of people. They are casting a very wide net.

  • One to One Attacks - Let's face it, some people are more interesting than others and hackers are going to go after high-profile opportunities. Sometimes this is just to make a name for themselves and other times it is to target an enemy of their cause.

  • Mass Attacks - What motivates the hacker is to make a big splash and hacking a mass number of vehicles would generate a lot of buzz in the media. We can all imagine the economic impact of waking up one morning and finding that an entire set of vehicles can’t start due to a hacking incident, or worse, that there has been a rash of accidents caused by hackers remotely interfering with cars while they are being driven.

While we think the chances of a major event remain remote at this time, we cannot continue to believe that vehicles are ‘islands’ protected from foreign elements by their disconnected nature.

Manufacturers Need to Be Proactive about Hacking

Over the last year, the high-profile car-hacking events in the news have dramatized the vulnerability of the connected car. 

Using simple wireless communications systems, hackers have demonstrated that no connected car network is safe:

  • BMW was one of the first to report a hacking incident. To dramatize the vulnerability of the new connected cars, the Allgemeiner Deutscher Automobil-Club (ADAC), the German automobile club, was able to reverse-engineer the telematics software that controls BMW’s Connected Drive system, which is installed in more than 2.2 million vehicles. Exploiting security weaknesses in the software, ADAC was able to access the air conditioning system, traffic information system, and the door lock controls using a wireless computer.

  • Chrysler suffered a similar embarrassment when two hackers were able to shut down a Jeep by remote control. In a profile published in Wired magazine, the hackers were able to take control of a Jeep Cherokee traveling at highway speed, first operating the windshield wipers, taking over the radio, and ultimately shutting down the vehicle altogether by locking the transmission.

  • Tesla was also the victim of a cyber attack. Two mobile security experts demonstrated their ability to hack a Tesla Model S at the DEF CON hacker conference in Las Vegas. In order to hack the Tesla, they first had to gain physical access to the vehicle’s network infrastructure to introduce a Trojan. Once the virus was inserted, the hackers were able to convince the car that their laptop was the car’s controller, allowing them to take command, including the ability to shut off the engine.

While all these hacking incidents demonstrate the vulnerability of the connected car, how these carmakers dealt with the problem demonstrated manufacturers’ preparedness to deal with hackers. Chrysler’s approach was the old school ‘sneaker net’ approach, essentially shipping USB drives with a software patch to 1.4 million car owners. BMW’s solution was more elegant; they were able to develop a patch and then send it wirelessly to all affected cars so the software update was automatic. Tesla had the most sophisticated solution. The company already sends regular software updates wirelessly to all its vehicles, so the software patch to fix the security bug was ready for delivery.

What this demonstrates is that with connected car advances, OEMs need to be prepared to address security problems before they occur. Patching faulty software is one thing, but OEMs need proactive security measures to protect vehicles, such as firewalls and data encryption to protect vehicle telematics.

One of the interesting thoughts that arise out of this discussion is what role the consumer should play in security management for their vehicle. In the computing space, consumers play a fairly active role. Will they necessarily play a similar role in the vehicle? Do OEMs want consumer consent and participation in applying updates?

Personal Security Part of the Connected Car Risk

Security to promote driving safety is a primary consideration. However, manufacturers are also going to have to start thinking about securing personal data as well.

As cars increasingly become an extension of today’s connected lifestyle, car owners will start storing sensitive data in their car systems to handle music downloads, toll payments, and other transactions. Credit card information and identity theft are attractive targets for hackers and something automakers need to consider.

For example, a hacker could set up a wireless sensor to access credit card data stored in cars driving past a given location on the highway. Hackers wouldn’t even have to go looking for targets; the data drives right past their door. Or what about hacking navigational data? If you can match a car’s GPS location to a known home address, then a housebreaker can tell when you are away from home.

To address these security concerns, Senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) have introduced the Security and Privacy in Your Car Act, also known as the SPY Car Act. The legislation would establish a rating system for consumers to rank how well cars protect security and privacy. The senators’ proposal also asks the National Highway Traffic Safety Administration (NHTSA) to establish new standards of protection. These standards would require OEMs to isolate software systems and take steps to secure connected vehicles. They also want to require technology that would detect, record, and stop hacking attempts in real time.

Smart OEMs are becoming proactively involved in connected car security. By being proactive and taking positive steps today, manufacturers can become part of the security solution and help shape industry standards and legislation. They also can be ready to reassure customers that the next generation of connected cars is safe and secure.


10 Tips to Avoid Car Theft

 

According to the FBI’s Uniform Crime Reports, 1.09 million motor vehicles were reported stolen. While auto theft has decreased, it still means that every 28.8 seconds, a vehicle is stolen in the United States.

These statistics are especially important to keep in mind because car theft, according to the Insurance Information Institute, peaks in July and August.

One of the biggest misconceptions about auto theft is where it occurs. Did you know more than 33% of all vehicle thefts occur near the car owner’s residence and around 20% of thefts occur in parking lots? Do these numbers have you worried?

Well, you should be vigilant in securing your car and luckily there are many preventive measures you can take to keep your car safe.

Here are 10 things you can do to help protect your car from theft:

  1. Don’t leave your car unlocked
  2. Never leave your car running, especially while it is unattended or unlocked
  3. Do not leave a spare key near your vehicle
    Many people keep a spare key under the car, just in case they get locked out and thieves know exactly where to check for an extra key. While getting locked out of your car is a pain, think about the potential hassle of your car getting stolen.
  4. Never leave your windows open
    Even during the summer when it is scorching hot, don’t leave your windows open or slightly cracked when you are not in the vehicle.
  5. Park in well-lit, public areas
    Avoid parking in areas that are poorly lit or places that are not immediately seen by the public. This will not only keep you safe when you exit the car, it will also help keep your car safe because thieves tend to avoid areas that are highly visible.
  6. Install an audible alarm system and a visible anti-theft device
    Car thieves tend to avoid cars with alarms or anti-theft devices because they attract attention when they go off. These devices are well worth the investment.
  7. Install a vehicle immobilizer system
    Thieves can bypass your ignition by “hotwiring” your car. You can prevent this by using a vehicle immobilizer system such as fuel cut-offs and smart keys.
  8. Consider installing a GPS tracking system
    When your car is stolen, this tracking system will emit a signal to the police of your vehicle’s location. This may help the police recover your vehicle faster and may minimize the damage to your car. This may be a good investment if you live in an area with high auto theft rates.
  9. Don’t leave valuable personal property in your car
    The best way to attract a thief is to leave your purse or another high-value item in a highly visible area of your car. If you must put something of value in your car, keep it in the trunk or under the seats, where it is not visible to others.
  10. Use Common Sense
    If you are wary of the safety of your car or see someone loitering around the parking lot, it’s best to park somewhere else. It’s better to walk a few extra steps than to have your car stolen because you ignored your instincts.

Auto Security: Do Feds Have Our Back?

Consumers should be aware of the possibility of a hacker attack on their cars. We now know that what used to be considered a movie scenario — remote hacking — could be done.

The current reality is that, while a variety of connectivity technologies have been transfused into cars, the equal and opposite security measures are yet to be deployed.

Surely, car hacking is the last thing automakers want to mention as they push the connected cars into the vast consumer disconnect. But government watchdogs in both the U.S. and the U.K. are working to get ahead of the curve and let the public know that they are concerned.

"Whether we're turning vehicles into WiFi-connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks," said Martin Callanan, a minister in the Department for Transport at the British government.

He said this last week when the U.K. agency issued new guidelines, requiring manufacturers of Internet-connected vehicles to put in place tougher cyber protections to ensure a stronger shield against hackers.

It isn’t just the U.K. The National Highway Traffic Safety Administration (NHTSA) in the United States also issued federal guidance last fall to the automotive industry for improving motor vehicle cybersecurity.

Questions to ask

So should we all sleep well, confident that the feds have our back?

Not so fast, Gracie.

Questions that come to my mind include:
1. Do the guidelines issued by NHTSA and the British Department for Transport have any teeth for security enforcement?
2. More important, have they gone far enough to suggest effective cybersecurity measures for cars?
3. What are the differences in the proposals of the two separate governments?

As Roger Lanctot, director automotive connected mobility in the global automotive practice at Strategy Analytics, told us, “All of the work and guidance today is advisory vs. compulsory in nature.” Things will become real, in his opinion, “when financial and liability consequences are in fact defined.”

Sources of vulnerability in connected cars are many. Lanctot listed: “diagnostic ports, hobbyist/enthusiasts, dealers, suppliers/supply chain, criminals and terrorists to say nothing of incompetence, bugs, and the management of multiple onboard systems crossing domains with different development standards.”

Facing so many areas inside cars that must be protected as cars morph into always-on computing devices, it isn’t easy to come up with comprehensive guidelines. And yet, “Regulators need to demonstrate they are doing something,” said Lanctot.

How do security experts see the development of government guidelines?

Gene Carter, vice president of products at OnBoard Security, for example, believes that “both the U.K. and NHTSA guidance documents included basic security tenets.”

He explained such measures should be followed by any company connecting hardware or software to the web — including security by design, defense in depth, principles of least privilege, etc.  In Carter’s opinion, however, these are basics. “I would hope that the automakers have learned enough from the IT world’s experiences, and they [should be] already doing those essential things.”

A few experts, including Carter, pointed out that the U.K.’s guidance does not go far enough in the area of software updates after a vulnerability is discovered.


Android for cars: Secure connection?

Fast-forward 17 years and there are apps for everything — even your car. Chances are, if an app might make part of your life easier, someone will develop it and plenty of people will use it.

Over the past few years, the concept of the connected car has continued to evolve — and become reality. At this year’s RSA Conference in San Francisco, our anti-malware researchers Victor Chebyshev and Mikhail Kuzin presented research that they conducted on seven popular apps for vehicles.

The apps seem to make users’ lives easier by linking their Android devices to their automobiles, but we have asked: Are we trading security for convenience? And as with many IoT connected devices, the answer is, security needs to become more of a priority for developers and manufacturers.

The primary functions of these apps are to open doors and in many instances start the car. Unfortunately, flaws in the apps could be exploited by attackers:

  • No protection against application reverse engineering. As a result, malefactors can dig in and find vulnerabilities that give them access to server-side infrastructure or to the car’s multimedia system.

  • No code integrity check. This allows criminals to incorporate their own code in the app, adding malicious capabilities and replacing the original program with a fake one on the user’s device.

  • No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless.

  • Lack of protection against overlaying techniques. This allows malicious apps to show phishing windows on top of original apps’ windows, tricking users into entering login credentials in windows that send the info to criminals.

  • Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.

Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, even steal the vehicle.
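As an added illustration (not from the original post or the researchers' report), here is one way an app security reviewer could check an Android app's SharedPreferences file for the plain-text login and password weakness listed above. The sample file, its key names, and the entropy heuristic are constructed assumptions.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android SharedPreferences file (not from any real app).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_login">driver@example.com</string>
    <string name="user_password">Winter2017!</string>
    <string name="session_token_enc">q83vEjRWeJCrze8SNFZ4kKvN7xI0VniQq83vEjRWeJA=</string>
    <string name="last_vin">VIN-PLACEHOLDER-0001</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Key names that suggest a credential (assumed naming; tune per app under review).
CREDENTIAL_KEY = re.compile(r"(pass(word|wd)?|login|user(name)?|pin|token|secret)", re.I)
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

def shannon_entropy(text):
    """Bits of entropy per character; base64-encoded ciphertext scores high."""
    if not text:
        return 0.0
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def looks_encrypted(value):
    """Heuristic (assumption): a long, high-entropy base64 value is treated as
    ciphertext. It cannot prove encryption, only rule out obviously readable text."""
    return bool(BASE64_BLOB.match(value)) and shannon_entropy(value) >= 4.0

def audit_prefs(xml_text):
    """Return findings for credential-like <string> entries stored in readable form."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), (node.text or "")
        if CREDENTIAL_KEY.search(name) and value and not looks_encrypted(value):
            # Report the key and value length only, never the secret itself.
            findings.append({"key": name, "length": len(value)})
    return findings

if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS):
        print(f"plaintext credential: {finding['key']} ({finding['length']} chars)")
```

A finding here means the value should move into storage protected by a hardware-backed key; a clean result still needs manual review, because the heuristic only rules out obviously readable values.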

The researchers disclosed their findings to the developers (they did not disclose names of the apps publicly) and also told them that no exploitations had been seen in the wild. A full, detailed report on this can be found over on Securelist, where each of the apps is evaluated.

It’s easy to bury your head in the sand, thinking you won’t be hacked or that this is the stuff of science fiction, but the truth is, ever since its invention, the automobile has been a target for criminals. And if there is a hack to make things easier, just imagine the possibilities.

Another thing to keep in mind is that we’ve already seen vulnerabilities allow smart white-hat hackers to make the jump from “benign vulnerability” to controlling a car. Two of the bigger automotive stories of the past two years were about how Charlie Miller and Chris Valasek took control of a Jeep via vulnerabilities.

 

Ultimately, personal security and app usage come down to personal preference. Who we share our data with or entrust our convenience to is really up to us. With IoT devices and apps, convenience is too often considered before security.

In closing, Chebyshev notes:

“Applications for connected cars are not ready to withstand malware attacks. We expect that car manufacturers will have to go down the same road that banks have already taken with their applications… After multiple cases of attacks against banking apps, many banks have improved the security of their products.

“Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible — one day they can act like normal adware, and the next day they can easily download a new configuration, making it possible to target new apps. The attack surface is really vast here.”
