Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Cars Plagued by Many Serious Vulnerabilities: Report

Cars are plagued by many serious vulnerabilities that malicious actors can exploit to gain access to a vehicle’s systems, according to a new study conducted by IOActive.

Cars are plagued by many serious vulnerabilities that malicious actors can exploit to gain access to a vehicle’s systems, according to a new study conducted by IOActive.

Over the past three years, the security firm’s Vehicle Cybersecurity Division has spent 16,000 hours analyzing connected cars. Using information obtained from publicly available research and its own private vehicle security assessments, the company has compiled a report that it believes can be highly useful for cybersecurity strategy and planning.

Researchers have demonstrated on several occasions in the past years that cars can be hacked both through local and remote attacks. The most recent demonstration was made by Charlie Miller and Chris Valasek, who showed that an attacker with physical access to a vehicle’s computer systems can bypass Controller Area Network (CAN) protections and hijack several functions, including steering, acceleration and brakes.

Of the vulnerabilities analyzed by IOActive, 25 percent have been rated critical and 25 percent as having high impact. Based on likelihood of exploitation, 7 percent of flaws are considered critical (i.e. publicly disclosed and are almost certain to be exploited), while 21 percent have been classified as high impact issues (i.e. relatively easy to detect and exploit even by an attacker with little skill).

Based on these factors, researchers determined that 22 percent of vulnerabilities can be assigned an overall risk level of “critical” and 18 percent can be placed in the “high” range.

There are several attack vectors when targeting a vehicle and, according to IOActive, the most common is the network (39%), followed by local (17%), cellular network (16%), CAN bus (10%), USB (13%) and serial (5%).

While network-based attacks, which include Ethernet and Web traffic, are the most dangerous, local attack vectors should not be neglected either. Experts pointed out that the availability of apps and third-party software modules can make local attacks just as significant.

The most common types of vulnerabilities found by researchers are information disclosure issues, coding logic errors, buffer overflows, hardcoded credentials, backdoors, and vulnerable dependencies (e.g. use of outdated libraries).

Experts determined that 17 percent of the issues they identified had no impact on the vehicle. However, the rest of the flaws can be exploited for CAN bus access, compromising telematics communications, escalation or attack chains, and compromising or disabling electronic control units (ECUs).

Car vulnerability impact

The good news is that a majority of critical vulnerabilities can be patched with relatively simple fixes. However, flaws related to design are more difficult or impossible to resolve once the system goes into production.

As for preventing security holes from making their way into modern vehicles, IOActive said half of the issues it found would not exist if industry best practices had been followed, particularly when it comes to authentication. Other prevention measures include code review and testing, secure coding practices, patch management and deployment procedures.

Related: FBI Reminds That Cars are Increasingly Vulnerable to Remote Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...