Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Forget Carjacking, What about Carhacking?

Like all computers, automobiles can be hacked and compromised. As auto manufacturers continue to rush new features to market, security cannot continue to be an afterthought.

If you’ve watched Gone in Sixty Seconds or played the video game, you’ve seen how easily a car can be hotwired—especially older models. Just pry open the steering column, connect the battery wires and touch the starter wires together. Vroom!

Like all computers, automobiles can be hacked and compromised. As auto manufacturers continue to rush new features to market, security cannot continue to be an afterthought.

If you’ve watched Gone in Sixty Seconds or played the video game, you’ve seen how easily a car can be hotwired—especially older models. Just pry open the steering column, connect the battery wires and touch the starter wires together. Vroom!

Stealing newer vehicles isn’t nearly as easy. However, tech-savvy thieves have some surprising ways of getting it done. In fact, a growing number of vehicles today can be unlocked and started by a mobile phone or via the Internet. They can be disabled the same way. All that’s required is some system data and a password.

Hacking CarsIf you’ve looked at new cars recently, you’re no stranger to sticker shock. Automobiles are one of the largest purchases most people will make in their lifetime. Yet, as expensive as cars have become, today’s vehicles contain something far more valuable than the vehicle itself: The occupants’ personal information. Given the amount of personally identifiable data showing up in cars, carhacking is a crime that’s about to gain traction.

Computers on Wheels

Today’s cars sport a growing list of innovative features. Embedded devices control everything from engine and brake performance to safety and emissions. There’s even a new system that monitors driver alertness. If only we could make this a standard feature on all automobiles.

As impressive as these features have become, safety and reliability don’t sell cars anymore. Today’s digitally connected consumers crave state-of-the-art infotainment systems, social networking capabilities, hands-free mobile phone access—even in-vehicle Wi-Fi hotspots. Yesterday’s breakthroughs—built-in navigation systems and voice-activated controls—are standard equipment these days—not just in high-end cars, but in entry-level Fords as well.

Make no mistake, cars are becoming increasingly digitally powered, and this trend will continue. Consulting firm Frost and Sullivan estimates that cars will require 200 million to 300 million lines of software code in the near future. Unless you have serious skills in computer science and embedded systems, gone are the days of being able to work on your own car for anything but routine maintenance.

Put simply, cars have become sophisticated mobile computers. And like all computers, automobiles can be hacked and compromised. Interconnectedness with other embedded systems and cellular networking or Internet connectivity can also introduce security flaws that may become exploitable. As auto manufacturers continue to rush these new features to market, security cannot continue to be an afterthought.

Advertisement. Scroll to continue reading.

Drive-by Hacking

Hacking Cars Electronics SystemsWhere personal information is available, there’s money to be made by cyberthugs. Onboard systems that provide access to email, voicemail, social networking and location-based media offer a treasure trove of valuable personal information—information that can be stolen and exploited for financial gain.

So just how secure is the personal information that resides in today’s digitally friendly vehicles? Security experts are taking a close look at this issue, and what they are finding is alarming. Last year, researchers at the University of California, San Diego and the University of Washington demonstrated that critical safety components of a vehicle can be hacked via Bluetooth access. In addition, researchers at the University of South Carolina and Rutgers University were able to mount attacks that tracked a vehicle and compromised passengers’ privacy. What’s surprising is how they gained entry to the vehicle’s control systems. New vehicles now contain RFID tags in the rims that transmit tire-pressure information to the car’s control systems. These signals can be intercepted at distances up to 40 meters. Researchers have proven that cyberthugs can use these and other wireless transmissions to hack into the car’s digital systems to compromise passenger privacy.

Even the police aren’t safe. One security expert was able to easily hack into onboard police cruiser systems, access dashcam video storage and copy and delete these files using basic FTP and telnet commands. What’s truly troubling is how easily this expert gained access to these systems—using a default password for the patrol car’s DVRs, which was readily available in support manuals found during a routine Internet search. Who is responsible for protecting personal information? Evidently a provider of aftermarket GPS systems figured it wasn’t his problem. He was caught recording driver behavior and selling it to Dutch police, who used the data to target speeding vehicles.

And what about the personal safety of drivers? Navigation systems and mobile phones can pinpoint a person’s location. Imagine the cyberstalking vulnerabilities that could be exploited by understanding a person’s behavior pattern, tracking their location and being able to remotely disable their vehicle. It’s scary, creepy—and yes—readily possible right now.

Where the Rubber Meets the Road

Protecting personal information has become a hot regulatory compliance topic. As the vulnerabilities we just discussed begin to be more widely exploited, it stands to reason that auto manufacturers who fail to protect both personal information and vulnerable safety systems could soon face expensive recalls and fines. Smart manufacturers will secure their customers’ vehicles before serious public safety issues and brand-damaging exploits can occur.

In fact, security will soon be a key differentiator in the new breed of intelligent automobiles. One proponent for strengthening automobile system security is Professor Christof Paar, chair for Embedded Security at the electrical engineering department of Germany’s University of Bochum. According to Paar, “Security will soon become an enabling technology for almost all innovations in cars. Most people would rather have malicious software running on their laptop than inside their car braking system. Thus, incorporating strong security solutions will give manufacturers a competitive advantage.

Getting a Handle on Carhacking

Here’s the good news: There’s no need to become digital roadkill. There are proven technologies available today that make it possible for automakers to secure the embedded devices that power these digital systems.

The best way to easily and cost-effectively protect embedded devices—in automobiles and other systems—is to implement a security solution that features application whitelisting and change control technologies. Whitelisting lets you create a dynamic set of applications authorized for the device. A whitelist can be built into the embedded system’s gold image and applied automatically to all devices being provisioned. As for change control, you can prevent any unwanted changes. For authorized modifications, you can track who changed what, where and when. All changes are logged and administers can be alerted.

Related Reading: Car Hacking: Researchers Highlight Emerging Risks and Lack of Security in Automobiles 

Related Reading: Attacks on Mobile and Embedded Systems: Current Trends

Related Reading: Introduction to Security for Smart Object Networks Devices

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.