Security Is Driving the Adoption of Connected Cars
The world as we know it is changing with the arrival of the Internet of Things and the drive to connect everything and make tools and techniques smarter. What seems to be a Sci-Fi movie with “talking” vehicles and “flying” machines has now become a reality.
Automotive companies, seeing huge opportunity and wanting to entice their customers, are rushing to produce more car features so drivers can avoid traffic congestion, plan the next route, check the status of the car, find an available parking space, request for road assistance, or notify/inform friends, family members and business contacts.
Cars of the 21st Century have essentially turned into giant smartphones traveling on the road with complex, in-built, internal IT systems. Since the car is now a networked device, a computer system, a mobile phone, it is susceptible to hacking and cyber attacks just like the rest of your digital equipment.
It becomes evident that more and more connected cars can be hacked, whether it is from GM, Tesla, Chrysler, Nissan, Toyota or other automakers.
The deadly outcome when hackers can “drive” your car
Car hacking can become deadly. Imagine that your car is hacked and the hackers take control of your car: the horn can start blasting on its own, or the windshield wipers can start wiping. How much more dangerous is that the car when it can accelerate on its own too. What would happen if the brake pedal becomes non-responsive? What can be an outcome of any of these threats?
A terrible wreck.
How to hack a connected car
$30 DEVICE CAN UNLOCK KEYLESS CARS
Samy Kamkar, a digital security researcher, found a way to intercept the signals from the OnStar smartphone app so that the car connected to that app could be remote-started, unlocked, or tracked. RollJam, the device which enabled him to do that, costs only $30. This device copies the signals from the remote key fob of any car to unlock or lock the car very quickly.
This was due to a vulnerability found in keyless car entry systems which allows sending remotely a coded signal to unlock the car. The automakers did not set an expiry date for the codes that was previously used.
Kamkar showed that a hacker could place RollJam beneath the target car. As the car owner tried to unlock the car through a remote control, the RollJam device detected the signals and blocked it, and the car didn’t receive the signal. However, RollJam got the code, and as the user pressed the button once more, RollJam used the first code to unlock the car and remembered the second code that could be used at a later time to unlock the car. [Arstechnica]
HACKERS CAN FIND, UNLOCK, AND REMOTE START GENERAL MOTORS CONNECTED CARS
Kamkar also exploited a method that allowed him to track, unlock, and remote start General Motors cars equipped with OnStar application.
[Arstechnica] reports that, “The hack, which is based on an exploit of OnStar's mobile software communications channel, exposes the credentials of the car's owner when it intercepts communications with OnStar's service. The OwnStar device can detect nearby users of the OnStar RemoteLink application on a mobile phone and can then inject packets into the communication stream to the phone, getting it to give up additional information about the user's credentials. Those credentials can then be used to gain access to the vehicle's OnStar account and the full functionality of the OnStar RemoteLink app.”
VIDEO: Hacking cars with OnStar to locate, unlock and remote start vehicles
ZERO-DAY EXPLOIT FORCES CHRYSLER’S JEEP INTO A DITCH.
This is by far the most famous car hacking incident which has attracted massive attention from the press, the government, the consumers, and even people who don’t own cars. Two security experts, Charlie Miller and Chris Valasek, devised a hacking technique called zero-day exploit that can hack a car using the internet. Using this exploit, these white-hat hackers sent different commands to the internal systems of the car and took complete control of its dashboard functions, accelerator, brakes, and even the steering. The helpless driver could not do anything other than remain in the car which eventually drove itself into a ditch.
VIDEO: Hackers Remotely Kill a Jeep on the Highway—With Me in It
NISSAN’S LEAF ELECTRIC CAR
Earlier this year Nissan “deactivated a remote access feature that let owners of its Leaf electric car remotely adjust climate controls and check battery status” and took the app offline after learning that hackers can sniff the climate controls and the GPS logos of your car if they get the right VIN number.
Nissan’s NissanConnect EV smartphone app has another security issue which was reported by Filip Chytry, a security researcher from Avast. Apparently, data is shared over HTTP, a protocol that has no security whatsoever. The app has certain permissions which allows access to other logins you have on your device, such as Facebook, Pandora, etc., and all login information that can easily be obtained on rooted devices.
Any skilled app developers even with limited security knowledge will tell you that they, at least, implement some HTTPS (HTTP secure), which by the way is still basic and not enough. In this case, even the basic level of security implementation is not upheld. As stated by security researcher Troy Hunt,“This API thing is just nuts. It’s not even like they just missed (authentication) or didn’t check (it), it’s actually not implemented. It was built, intentionally, without security.”
Typical attacked targets
There are many ways for attackers to hack connected cars. They can exploit vulnerabilities in the mobile app that controls the car. They can break the communication channel. They can hack into internal car systems. They can attack the car's backends.
Who is going after the connected car industry?
Even though cybersecurity is on the top agenda for automotive companies, Chris Wysopal, Veracode’s co-founder and CTO said that it will take automakers 3 years to catch up with the security requirements for connected car systems. [Threatpost]
SECURITY EXPERT COMMUNITY
Security experts and researchers join forces to pressurize the automotive industry to take responsibility for the security and safety of their connected cars. They even went so far as to come up with exploits to hack into cars in order to raise the level of awareness and educate the public.
It is a common practice for security researchers and ethical hackers to disclose to the public the vulnerabilities or exploits they have discovered so that responsible people can know and fix the issues.
However, because these findings are made public, unethical hackers will know about these vulnerabilities and exploits too on top of all the others on their attack arsenal. If/when they use this knowledge to hack into a car with people driving on the street or a high-speed freeway, rest assured that this won’t be another easy drive in the park.
The consumers are now becoming more aware and no longer just pay attention to nice features. They are now more aware of the security, or lack thereof, of connected car features.
Car drivers think that automakers should be "liable for the safety of the car, including third-party app reliability, manufacturer apps and protection from hackers.” [Threatpost]
They don’t just complain. They sue. There is a class-action suit against Ford, GM, and Toyota. The suit claims that “[Automakers] failed consumers in all of these areas when they sold or leased vehicles that are susceptible to computer hacking and are therefore unsafe. Because [Automakers] failed to ensure the basic electronic security of their vehicles, anyone can hack into them, take control of the basic functions of the vehicle, and thereby endanger the safety of the driver and others."
The government is now involved. The US government introduced legislation in the form of the Security and Privacy in Your Car Act (SPY Car Act) to establish federal security and privacy standards for connected cars and created an Automotive Cybersecurity Advisory Council to develop cyber security best practices.
Security is the no. 1 priority for connected cars
Applications and systems for connected cars have not been designed with security in mind. Software developers may be experts in coding and developing features and functions of the applications; however, they are not security experts, and thus lack the expertise and skills to implement security measures.
Security should be considered at the design level and not after the fact. For the implementation of security measures, security architects and researchers need to be involved. They are trained to look for holes in applications, IT systems, and relevant IT infrastructure.
They are the only ones who think like hackers.
How TeskaLabs can help you securely build and operate apps for connected cars
DO YOU KNOW THE SECURITY LEVEL OF THE APPLICATIONS YOU DEVELOP OR MAINTAIN?
Automotive companies must understand and see the impact to their brand and bottom-line if applications for their cars can be exploited by hackers to steal sensitive data about the drivers: their personal information, driving habits or other financial data.
80% of cyber-attacks happen at the application layer. However, 90% of the IT security budget is spent on solving other security issues. That leaves only 10% of the budget on application security which contributes to 80% of the attacks. This needs to change.
We can help find these vulnerabilities through security audits and testing so that responsible people within the extended connected car ecosystem can gain visibility of the risk and plan the next steps.
INCREASE KNOWLEDGE AND SKILLS IN APPLICATION SECURITY TO BUILD APPS THAT ARE NOT ONLY COOL AND PRETTY BUT ALSO SECURE.
The cyber-threat landscape changes rapidly. Hackers come up with new exploits (e.g., zero-day in the example of the Cherokee Jeep hack) every day. They exploit this knowledge to hack into the applications and infiltrate into internal car systems and the backend infrastructure that sits inside the private network of automotive companies.
Security capabilities need to be integrated into car applications and systems, and we can help with that.
Building secure systems for connected cars is not enough. More features and systems mean more attack surfaces and attack vectors for hackers. That's why it's critical to monitor the systems and relevant infrastructure and immediately respond to unfolding attacks.
SeaCat - application security for connected cars
TeskaLabs’ SeaCat is the core technology behind SeaCat Mobile Secure Gateway and IoT/M2M Application Security Platform, which protects mobile, IoT/M2M applications, the communication channel and application backends. SeaCat has successfully fenced off other critical open source bugs like Heartbleed, Glibc, and DROWN, warned by security experts of the impact they have on the world's IT infrastructure.
"If consumers don't realize this is an issue, they should, and they should start complaining to carmakers. This might be the kind of software bug most likely to kill someone." ~ Charlie Miller
If you’d like to get a true assessment of the security of your car app and its application backend, please check out our Mobile App Security Audit service. Alternatively, request a FREE Demo to know how we can assist you with the security of your connected car mobile solutions.
Photo credits: Depositphotos
Are you interested in security for connected vehicles? Visit this page
You Might Be Interested in Reading These Articles
You love your Android phone and you love to go to the Play Store and download exciting new apps. You have also been through the Crazy Birds obsession and the Candi Crush mania. But do you know that your Android phone is not secured against the smartest of breaches: mobile app hackers. Before we go ahead and explain the intensity of this threat to mobile apps, especially Android apps, let’s have a look at the facts and figures!
Published on January 05, 2015
Officially released a month ago, the latest Google mobile OS version has made a few major adjustments, particularly in its security features. The search giant has improved the security in the Android Nougat (or also known as Android N) from strengthening the Android itself to some tools that helps developers to keep things as it is while users install apps.
Published on November 15, 2016
A zero-day, also called zero-hour, vulnerability is a security flaw in the code that cyber criminal can use to access your network. Zero-day attacks call for new technologies built from the ground up for today’s advanced threat landscape. There is no known fix, and by the time hackers attack, the damage is already done
Published on May 12, 2015