As more and more digital technology is introduced into automobiles, the threat of malicious software and hardware manipulation increases.
ISec Partners’ researchers got a lot of attention at Black Hat this year when they demonstrated how to start a car’s engine via text message. As it turns out, that was just the latest of several examples of how attackers can turn the electrical systems in your car into their own personal lock pick.
In a new report, McAfee – in partnership with Wind River and embedded security provider ESCRYPT – highlighted research into the risks facing the automotive industry as companies continue to add connectivity to embedded systems. The technology has made its way into today’s cars in a number of ways, including anti-lock braking systems and GPS navigation systems.
This trend extends way beyond cars to devices such as Internet-capable HD televisions. However, the security of such devices is sometimes ignored – not just by consumers, but by network administrators as well. In a recent email discussion with SecurityWeek about the Morto worm, Sean Sullivan, security advisor at F-Secure, noted that networked devices like TVs are often overlooked because IT security doesn’t consider them to be at risk since there is no data to lose. Once a device is infected by a worm, however, it can eat up a network’s bandwidth.
“Indeed, back in 2002, the firm that I was working for had ‘guest laptops’ in phone rooms,” he wrote. “They had network access, but were not members of the local domain. Because they weren’t on the domain, they were ignored by IT… until infected by a worm. At that point, the laptops consumed a bunch of bandwidth searching for more vulnerable machines… the network admins discovered the issue because the quality of the firm’s VOIP services noticeably declined.”
Tim Fulkerson, senior director of marketing for McAfee Embedded Security, contended that consumers are starting to become more aware that connectivity has its risks. So far, McAfee has not seen specific tools for hacking into cars available in the cyber-underground, he noted.
“However, hackers can surf the internet and find techniques and tools to exploit Bluetooth and Cellular communications technologies used in cars,” explained Fulkerson. “So if a hacker wants to start targeting attacks to cars, it is not a big leap for a talented hacker to find ways to make this happen.”
In fact, the report highlights several examples, ranging from a rogue employee at a car dealership remotely disabling 100 vehicles to a team of researchers from Rutgers and the University of South Carolina mounting an attack that targeted vehicles’ use of RFID technology.
In another case, researchers at the University of California, San Diego, teamed with researchers from the University of Washington to show how the safety components of a vehicle could be hacked by an attacker with physical access to the electronic components inside the passenger cabin. The result of their efforts was software known as “CarShark” – which they developed using homemade software and a standard computer port.
According to the report, it is time for consumers to begin asking questions about subjects such as the security of GPS data and what systems connect to the Internet or cellular network.
“The auto industry is experiencing a convergence of consumer and automotive electronics,” noted Georg Doll, senior director for automotive solutions at Wind River, in a statement. “Consumers are increasingly expecting the same experiences in-vehicle as they do with the latest connected consumer and mobile devices. However, as the trend for ubiquitous connectivity grows, so does the potential for security vulnerabilities. The report highlights very real security concerns, and many in the auto industry are already actively designing solutions to address them. Given the development time for automobiles, the industry is finding it essential to start work now by teaming up with those possessing the right mix of software expertise.”
The full report is available for download here.