[Team Upstream, Feb 15, 2018]
Modern connected cars are a complex amalgamation of embedded systems, featuring on average over 160 million lines of code. Multiple, powerful on-board computers and connectivity to internal and external channels add huge complexity and widen the attack surface. The problem is particularly acute for OEMs, connectivity service providers and businesses managing car fleets.
The potential for brand damage and financial losses for these stakeholders is enormous. We’re not just talking about “standard” enterprise IT security breaches such as IP and data theft and service outages. Automotive cyber threats introduce the potential for mass compromise of the vehicles themselves, which could even have life-threatening implications.
Unfortunately, the cyber-risks of connected cars are no longer theoretical. Here’s a breakdown of our top nine incidents over the past few years to highlight just how wide the connected car attack surface is.
As you’ll see, each one involves a different threat vector:
When hackers go after a connected car system’s command and control (C&C) server, they can potentially reach multiple vehicles. That’s exactly what happened when a disgruntled former employee of Texas Auto Center logged on to another staff member’s account and caused havoc for more than 100 customers. He switched on a feature in the Webtech Plus system normally used by the dealership to target those behind in their auto payments. The result? At the click of a mouse, he managed to disable the vehicles or cause their horns to start honking incessantly, resulting in sleepless nights for the blameless customers.
The On-Board Diagnostics (OBD II) port is a vital part of any connected car, often used to hook up to a range of aftermarket telematics units offering everything from fleet management to usage-based insurance. Using a laptop plugged into the control socket and custom-written software, security researchers hacked into the control systems of a family car, disabled the brakes and turned off the engine while the vehicle was moving.
Mobile device applications are increasingly used to communicate with connected cars via centralized application servers. However, this extra layer of complexity creates extra risk, once again raising the possibility of hackers being able to remotely control a targeted vehicle. Qihoo 360 researchers demonstrated exactly this after they hacked a Tesla Model S, reportedly cracking the app’s six-digit code to control the car’s door locks, headlights, wipers, sunroof, and horn while it was in motion.
One of the most infamous demonstrations of connected car hacking in recent years was made by noted researchers Charlie Miller and Chris Valasek. They were able to remotely control a Jeep Cherokee’s accelerator, steering, brakes and transmission, even shutting down the engine as it was driving on the highway. How did they do it? A vulnerability in the Uconnect entertainment system’s cellular connection allowed anyone with the car’s IP address to gain access from anywhere in the United States. From there, the researchers pivoted to an adjacent chip and rewrote its firmware, allowing them to send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes and transmission. The research sparked a recall by the carmaker of 1.4m vehicles, causing damage to the company’s reputation.
Telematics Control Units (TCUs) are another major threat vector which remains dangerously unsecured. These are sometimes plugged into the OBD port as wireless dongles, and used by insurance firms, fleet owners and others to monitor vehicles’ location, speed and other metrics. They can also be fitted as an aftermarket black box. However, researchers have demonstrated how by merely sending carefully crafted SMS messages, commands could be issued to the CAN bus of a Corvette and on to important components like the brakes and steering.
Modern carmakers increasingly offer in-vehicle Wi-Fi connectivity as an internet access point for passengers. However, this feature came back to bite Mitsubishi when researchers easily cracked the pre-shared key and were able to locate individual vehicles via the SSID, enabling them to disable the alarm, among other things.
As the number of electric cars grows, so does the number of charging stations, where station providers receive money in exchange for providing energy. This brings with it multiple inherent vulnerabilities, which were raised by Mathias Dalheimer at the thirty-fourth Chaos Communication Congress. He was able to collect ID card numbers, imitate them and use them for transactions, rewire charging requests and gain root access to the station.
The data center is the hub of operations for the OEM, telematics provider or fleet operator, hosting key servers which receive and process data, remotely control functions of the car and update important software. In the case of major fleet service provider Uber, it also contained highly sensitive information which hackers managed to obtain on 57 million customers and drivers. They are said to have located the keys to the AWS S3 database in question by infiltrating its GitHub account, which itself was protected only via a password.
Ransomware can also cause chaos for OEMs, telematics firms and fleet operators if enterprise IT systems, servers and consumer computers are targeted. Renault suffered a major service outage when it was forced to halt production to prevent the spread of the infamous WannaCry ransomware. A Nissan car plant in the UK was also affected. Cyber-criminals could cause havoc for connected car systems by targeting OTA and telematics servers.
Large-scale identity theft is a particular challenge for fleet operators like car rental companies, which store large quantities of personal data. In Australia, a man was recently arrested on suspicion of hacking the database of car-sharing service GoGet, using stolen credentials to allegedly ride for free.
A recent KPMG report stated that fleetwide attacks represent the next big threat to the automobile industry. As cars integrate more and more electronic, hardware and software components, the hack can come from anywhere. Cybersecurity must be properly addressed as a cyber misstep can cause consumers to abandon a brand – forever.
This is just a small snapshot of the top real-world cyber security threats facing connected car ecosystem players today; there are many, many more that we didn’t include here.
As technology advances, a platform-wide cyber attack on a fleet of connected vehicles is almost certain.
BI Intelligence estimates that 3 out of 4 cars will be shipped with connectivity by 2020, and over time many more cyber threats will emerge unless the industry takes a more holistic approach to fleet cybersecurity and fraud.
Analyzing data across the entire fleet offers full visibility into the fleet’s security posture. By understanding the complete picture, normal car and driver behavior can be monitored effectively and attacks can be prevented before they reach the network and cause harm.
Upstream offers exactly this: our centralized, cloud-based, non-intrusive automotive cybersecurity solution can monitor and secure huge amounts of data travelling back and forth between vehicles, mobile apps and servers. It sits in the data center, combining machine learning algorithms with powerful IPS/IDS designed specifically to work with proprietary automotive protocols.
The result is a purpose-built automotive cybersecurity solution designed to protect connected OEMs and aftermarket fleets, whilst also offering fraud detection and valuable vehicle, driver and fleet behavioral insights.