In this interview with Help Net Security, Laura Hoffner, Chief of Staff at Concentric, talks about modern car vulnerabilities, the techniques hackers are using to compromise connected vehicles and how to protect users.
Cars are becoming increasingly smart and an extension to our mobile phones. How is this impacting users’ security and privacy?
With the expansion of our technology in use, our vulnerability surface increases dramatically. Ultimately, this is yet another vulnerability to keep in mind for your own safety and security. As we grow in our technology and dependence thereon, that inherently expands the opportunity for bad actors to take advantage of the dependence. The difference with car vulnerability, however, is you’re not just talking about your personal data being compromised, but rather the influence over your car while driving could affect your immediate physical safety.
In terms of privacy, the onboard computers of used, rented, or crashed/totaled vehicles can contain sensitive residual data from previous drivers such as contact and calendar details, unencrypted videos, and more.
What are the biggest vulnerabilities of today’s modern cars?
The lack of one single “gate keeper” is a substantial issue when it comes to modern car vulnerability. The patchwork of various technologies being meshed together for the overall car means not only is there not one single overseer of that technology but also that protocols are set without security in mind because they need to be able to easily communicate with each other.
In addition, we see the same vulnerabilities that you have with your phones and computers: protocol vulnerability. The difference is what the bad actors could have access to: electronic control units (ECUs) which all communicate to access and control the subsystems in a car such as your braking or navigation system. Not only could the hacker access the vehicle information resulting in influence on the car such as the alert systems within the vehicle, but could also access personal information such as home addresses or phone IPs.
What are the techniques hackers could use to compromise a car?
Unfortunately for the victims, the access control points available to hackers are plentiful: applications, WiFi, or Bluetooth. Case studies have found little or no code to prevent the electronic unlocking of doors, lack of encryption of username or password credentials, and an ability to incorporate mobile trojans to compromise the apps. With this easy access, hackers can install infected apps, malware, or malicious code within the vehicle system.
The wireless key fobs used to lock/unlock and start the ignition on many cars are convenient but are also vulnerable to attack. A key fob works by transmitting a wireless signal on a specific frequency, which the car’s receiver interprets as an instruction. These signals can be intercepted with readily available tools and can be impersonated by an attacker to gain unauthorized access to the vehicle or even to steal it.
A traditional replay attack works by intercepting and recording the wireless signal from the key fob and then mimicking the signal to gain access. The frequencies used by most vehicles and key fobs modulate, so they aren’t the same every time, which mitigates these kinds of replay attacks, but there are more advanced techniques to circumvent the modulation.
A rolljam attack is a technique where an attacker intercepts and records the signal from the key fob, but blocks it from reaching the car. Typically the car’s owner will attempt to unlock the car again, which allows the attacker to capture the next frequency in the modulation sequence.
Of potentially more concern is the follow-on vulnerability with the car’s lack of security, which is the user’s phone, usually connected to the car via WiFi or Bluetooth. Without adequate security protocol being used on the phone, the user could be granting backdoor access to personal and/or financial information.
What can be done to mitigate the risks or even prevent hacking? Is there anything users can do to protect themselves?
Similar to best practices for your phone and computer: ensure your smart system is always updated. Users can check for updates online by looking up the smart car make and model. You should also sign up for manufacturer updates so you are automatically notified when they report issues and updates. Users should also only use official apps from legitimate sources to prevent possible attacks.
When selling a smart car, or even when returning a rental, always be sure to wipe all the sensitive data stored on the vehicle’s onboard computer. Installing antivirus software and using a VPN on your mobile device are also baseline, yet important, defense mechanisms. Finally, always ensure your WiFi connection is secure without using default passwords.