Security vulnerabilities in connected cars


Connected Cars

Connected vehicle technology potentially increases driving safety and efficiency through its ability to communicate with the internet and other automobiles.

The features consumers demand range from Bluetooth, Wi-Fi, cellular network connections and keyless entry systems to deeper cyber-physical features such as automated braking, parking assist and lane assist.

 

Some of the major benefits of connecting cars are:

A)   Real time diagnostics,

B)    Remote vehicle management,

C)   In-car connectivity & infotainment

 

The biggest concern about connected cars is safety and reliability. Recent demonstrations by security researchers have proven that increased connectivity has also introduced new risks and attack vectors into the connected car ecosystem.

 

Vulnerabilities:  

An analysis of the current and potential risks to vehicles finds the top three risks created by vehicle software vulnerabilities to be:

 

A)   Manipulating Vehicle’s Operation

Former National Security Agency hacker Charlie Miller and IOActive researcher Chris Valasek have shown they can use the Internet to turn off a car's engine as it drives. They demonstrated their ability to remotely hijack a vehicle's systems while the vehicle was in operation on a St. Louis highway. As vehicles become increasingly connected to the Internet with an ever-growing roster of features and capabilities, we will see an increase in the options available to malicious actors to exploit vulnerabilities inherent in these expanded capabilities.

 

B)   Gaining unauthorized physical access

Attackers exploit vulnerabilities in vehicle connectivity technologies to gain unauthorized entry or access to a vehicle. Many vehicle manufacturers have opted to replace physical ignition systems with keyless systems that utilize mobile phone applications or wireless key fobs. Most unauthorized entry methods exploit the wireless communications between the vehicle and the key fob carried by the driver.

                         

C)   Using ECU to support malicious cyber activity

Electronic Control Unit (ECU) is a generic term for any system that controls one or more of the electrical systems or subsystems in a transport vehicle. Connected automobiles are built with numerous ECUs. Vehicle ECUs or other components can be compromised and repurposed to support other malicious cyber activity.

A modern automobile is comparable to a modern computer network, so cyber threat actors could view the automobile as the next frontier to support malicious activity.

 

Attack points:

A)   Mobile Apps:

According to Arxan, some of the more vulnerable attack points to look out for are mobile apps that unlock vehicles and start a vehicle remotely, diagnostic devices, and insurance dongles.

Apps running on drivers' personal phones interface with the infotainment system. Many apps contain vulnerabilities that expose data and access to critical vehicle controls.

 

B)   OBD Devices: 

The On-Board Diagnostics (OBD) port is used to connect third-party devices that monitor speed, braking, location, etc. Recent research has shown serious security flaws in commonly used OBD devices, which are used by millions of drivers to report on their vehicle health and driving habits.

An OBD-II device can contain a cellular modem and automatically collect data about fuel economy, engine status, and even the vehicle's location via GPS. This diagnostic port is used to connect third-party devices and is highly vulnerable.

 

C)   Infotainment System

The modern car buyer expects advanced infotainment systems that offer a lot of amenities to the driver and passenger. The infotainment systems require communication with the outside world.

Navigation systems need to communicate with GPS and with cellular networks, satellite and AM/FM radios need to communicate via radio channels, and many other features require access to the internet. Once an attacker gains access to the car through any system, they can gain control of the CAN bus, and through that they can gain control of the vehicle as a whole.
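One way to limit that pivot, shown as an added example that is not from the original article: classic CAN frames carry no sender authentication, so a gateway between the infotainment segment and the vehicle-control segment can apply a default-deny policy by arbitration ID, payload length and rate. The gateway placement, the rule table and all CAN IDs below are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One allowlist rule: a frame the infotainment side may legitimately send. */
struct gw_rule {
    uint32_t can_id;      /* arbitration ID (constructed value) */
    uint8_t  dlc;         /* exact payload length expected */
    uint32_t min_gap_ms;  /* minimum spacing between forwarded frames */
    uint32_t last_ms;     /* time the last frame was forwarded */
    bool     seen;        /* false until the first frame is forwarded */
};

/* Constructed policy: only two status messages may cross the gateway. */
static struct gw_rule rules[] = {
    { 0x3A0, 2, 100, 0, false },  /* hypothetical: media volume status */
    { 0x3B4, 8, 500, 0, false },  /* hypothetical: navigation ETA for cluster */
};

enum gw_verdict { GW_FORWARD, GW_DROP_ID, GW_DROP_DLC, GW_DROP_RATE };

/* Decide whether a frame received on the infotainment segment may be
 * forwarded to the vehicle-control segment. Anything not listed is dropped. */
enum gw_verdict gw_check(uint32_t can_id, uint8_t dlc, uint32_t now_ms)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct gw_rule *r = &rules[i];
        if (r->can_id != can_id)
            continue;
        if (r->dlc != dlc)
            return GW_DROP_DLC;   /* right ID, unexpected length */
        if (r->seen && (uint32_t)(now_ms - r->last_ms) < r->min_gap_ms)
            return GW_DROP_RATE;  /* flooding a permitted ID */
        r->seen = true;
        r->last_ms = now_ms;
        return GW_FORWARD;
    }
    return GW_DROP_ID;            /* not on the allowlist */
}

int main(void)
{
    /* Constructed traffic; 0x0C9 stands in for a control message ID. */
    int a = gw_check(0x3A0, 2, 1000);  /* permitted status frame */
    int b = gw_check(0x3A0, 2, 1050);  /* same ID again, too soon */
    int c = gw_check(0x0C9, 8, 1100);  /* ID infotainment should never send */
    printf("%d %d %d\n", a, b, c);
    return 0;
}
```

Dropped frames are worth logging with their verdict, since an unlisted ID arriving from the infotainment side is a strong signal that a component there has been compromised.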

 

Generic Solutions:

  • Keep software updated: contact a car dealer and make sure the car's software is up to date.
  • Don't plug random devices into the car's USB ports or OBD2 diagnostic port.
  • Before using a connected-car device or app, do some research, or ask the manufacturer whether the apps are hardened.
  • Automakers should (if they haven't already) develop research teams, crowdsource vulnerabilities and collect information on every hack.
  • The tech industry and automakers need to work together instead of viewing each other as competitors with regard to connected vehicles.
