Contributor: Mario Ballano Barcena
A steady stream of stories in the past few weeks has put the spotlight on vehicle cybersecurity, with researchers uncovering a number of different vulnerabilities in newer models of cars. These incidents reflect the fact that a growing number of cars can be classed as part of the Internet of Things (IoT), since they feature their own computers, software, and connectivity. While this development means that car owners can benefit from a raft of new technologies, it also means vehicles are increasingly exposed to the same kinds of threats that other connected devices face. Is it time to start worrying about your car being hacked?
New vulnerabilities uncovered
The current crop of stories began with news that some Jeep Cherokee vehicles could be remotely compromised. Researchers Charlie Miller and Chris Valasek demonstrated a proof-of-concept attack where they managed to cut a car’s brakes and transmission, in addition to taking control of a number of functions such as the air conditioning, display, radio, and windshield wipers.
The attack was attributed to a number of vulnerabilities and weaknesses in the vehicle, several of which were in Uconnect, an internet-connectivity feature installed in many Fiat Chrysler cars, including the Jeep Cherokee. Its discovery caused Fiat Chrysler Automobiles to recall 1.4 million vehicles, but the company emphasized there has not been a single real-world incident of an unlawful or unauthorized remote hack of any of its vehicles.
Days later, details surfaced that vehicles using the General Motors (GM) OnStar RemoteLink system were vulnerable to attacks that could allow attackers to track the vehicle and unlock it. A proof-of-concept attack was demonstrated by well-known security researcher and hacker Samy Kamkar, who found that it was possible to trick the vehicle owner into connecting to a rogue wireless network, potentially letting an attacker steal their credentials for the OnStar RemoteLink mobile app.
Kamkar said that the vulnerability doesn’t lie in any particular GM vehicle, but instead in the app, which owners can use to locate and unlock their vehicle. Kamkar said the app doesn’t properly check the security certificate to ensure that the owner’s phone is only communicating with the OnStar server. GM has said that it has now fixed the vulnerability.
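The class of flaw described above, as an added Python example (not code from the original post or from GM's app): a TLS client context that accepts any certificate beside one that verifies the chain and hostname, with an audit helper for spotting the weak settings. The function names are hypothetical, and the certificate pin goes beyond what the post describes.

```python
import hashlib
import hmac
import socket
import ssl


def lax_context():
    """Weak setting: accepts any certificate, so a rogue network can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context():
    """Corrected setting: chain verified against the system trust store, hostname matched."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx):
    """Return the validation gaps in a client context (empty list means none found)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def fingerprint(der_cert):
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    """Constant-time comparison of the presented certificate against a pinned fingerprint."""
    return hmac.compare_digest(fingerprint(der_cert), pinned_hex.lower())


def open_session(host, pinned_hex, port=443):
    """Connect with full validation, then enforce the pin (hypothetical helper; needs network)."""
    sock = socket.create_connection((host, port), timeout=10)
    tls = strict_context().wrap_socket(sock, server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True), pinned_hex):
        tls.close()
        raise ssl.SSLError("certificate does not match pinned fingerprint")
    return tls
```

Running `audit()` over the contexts an application builds is a quick code-review check; `open_session()` is the only function that touches the network.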
Following this, Tesla entered the spotlight after researchers found six vulnerabilities in its Model S cars that could potentially allow attackers to take control of the vehicle and compromise its safety.
They said attacks against the Tesla were harder to perform than recently publicized attacks against other vehicles, since an attacker would need to physically access the car first. However, once they had compromised the car, they were able to hack into it from afar. The attack allowed them to manipulate the speedometer to show the wrong speed, lower and raise the windows, lock and unlock the car, and turn the car on or off. Tesla has since patched the vulnerability.
Finally, earlier this week, a group of security researchers announced the discovery of yet another new attack. The team from the University of California at San Diego said that it was possible to compromise thousands of vehicles by hacking into monitoring devices used by insurance firms and fleet management solutions to track vehicle location, speed, and behavior.
These devices could be compromised by sending a specially crafted SMS message to the unit. Once the device is hijacked, attackers can transmit commands to the car’s CAN bus, an internal network that controls its driving components. This potentially allows them to do anything from turning on the windshield wipers to disabling the car’s brakes.
Should motorists be concerned?
As the automotive industry brings more new technology to cars, Symantec believes it likely that we are going to see more hacks such as these. To date, incidents have been confined to proof-of-concept attacks performed by security researchers. However, as the technology moves into the mainstream, attacks in the wild cannot be ruled out.
Attacks can be classified into three broad categories:
- The most dangerous types of attack are “over-the-air” hacks, where attackers succeed in compromising a vehicle from a remote location, as demonstrated by Miller and Valasek. However, these attacks usually require extensive research and a high degree of in-depth knowledge about the vehicle and software being attacked, which may be beyond the scope of the average attacker.
- Physical attacks, where the attacker needs to tamper with the vehicle before compromising it, are usually easier to perform. In many vehicles, there is little protection for the CAN bus and the Electronic Control Units (ECUs) connected to it. In order to perform such an attack, the attacker would need to find and gain access to the targeted vehicle, in addition to running the risk of being caught in the act.
- Attacks on mobile apps and support tools that enable some remote control functionality over the vehicle are also a possibility, but most can be easily patched without the need for an upgrade to the vehicle’s own software.
While attacks in the wild are a possibility in the future, worried drivers should consider that the motivation behind most cybercrime is financial and, until attackers discover a way of monetizing attacks, car hacking is likely to remain a niche activity.
Car owners who are concerned about these issues can take a number of steps to decrease the likelihood of attack:
- Keep your vehicle software up to date. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Exercise caution when connecting diagnostic or telematics dongles to your vehicle. Connecting these types of accessories to your car opens a door for attackers into its CAN bus network.
- Avoid connecting untrusted devices, such as USB sticks, phones, or media players, to your car’s infotainment system. Similarly, if your car has network connectivity, avoid connecting it to untrusted networks.