automotive

A brief history of software vulnerabilities in vehicles

Car Hacking News Timeline 2017-2019 [1]
2019: Hack of an OEM’s automotive cloud via third-party services and tier-1 supplier network
2019: Memory vulnerability at a cloud provider exposed data incl. passwords, API keys, and tokens
2019: A malware infection caused significant production disruption at a car parts manufacturer
2019: Vehicle data exposed during registration allowed for remote denial-of-service attacks on cars
2019: Malware infected the back end, making laptops installed in police cars unusable
2018: An ex-employee breached the company network and downloaded large volumes of personal information
2018: Cloud servers hacked and used for cryptomining
2018: Researchers exploited vulnerabilities of some infotainment systems and gained control of microphones, speakers, and navigation systems
2018: Security issues discovered in 13 car-sharing apps
2018: Researchers demonstrated >10 vulnerabilities in various car models, gaining local and remote access to infotainment, telematics, and CAN buses
2018: EV home chargers could be controlled by accessing the home Wi-Fi network
2017: Rental car companies exposed personal data
2017: Ransomware caused the stop of production across several plants

Car Hacking News Timeline 2002-2015 [2]
2015: Researchers remotely sent commands to the CAN bus of a specific car that had an OBD2 dongle installed to control the car’s…


Cybersecurity Engineering in the Automotive industry

A lot is happening in the automotive industry these days. It has to do with connectivity, autonomous driving, autonomous parking, and so on. All these have one thing in common: they produce extremely large amounts of data, which need to be processed in the backend by very powerful computers. When we talk connectivity, we MUST talk about cybersecurity.

This is why the automotive industry has started to take this very seriously:
- We have ISO/SAE AWI 21434: Road Vehicles — Cybersecurity engineering, which is in the preparation stage
- We have the European Automobile Manufacturers’ Association (ACEA), which has released the “Principles of Automobile Cybersecurity”

ACEA currently represents the 15 Europe-based car, van, truck and bus manufacturers (Source): BMW Group, DAF Trucks, Daimler, Fiat Chrysler Automobiles, Ford of Europe, Hyundai Motor Europe, Iveco, Jaguar Land Rover, Opel Group, PSA Group, Renault Group, Toyota Motor Europe, Volkswagen Group, Volvo Cars, and Volvo Group.

ACEA and its members have identified a set of six key principles to enhance the protection of connected and automated vehicles against cyber threats.
1. Cultivating a cybersecurity culture
2. Adopting a cybersecurity life cycle for vehicle development
3. Assessing security functions through testing phases: self-auditing & testing
4. Managing a…


Chinese Researchers Remotely Hack Tesla Model S (Update)

Security researchers from China-based tech company Tencent have identified a series of vulnerabilities that can be exploited to remotely hack an unmodified Tesla Model S while it’s parked or on the move. The researchers managed to perform various actions. While the vehicle was parked, the experts demonstrated that they could control the sunroof, the turn signals, the position of the seats, all the displays, and the door locking system. While the car was on the move, the white hat hackers showed that they could activate the windshield wipers, fold the side view mirrors, and open the trunk. They also demonstrated that a remote hacker can activate the brakes from a long distance (e.g. 12 miles, as shown in the experiment). WOW… this can be deadly!

But wait, after “several months of in-depth research”? This means that they spent several months searching for vulnerabilities to exploit? This is what I mean by being insistent. The most interesting part is the UPDATE. Tesla told SecurityWeek that it addressed the vulnerabilities found by Keen Lab within 10 days after learning of their existence. The company pointed out that the attacks are not “fully” remote and they are not as easy…


Car hacking again… now at high speed!

Not even a week has passed since I wrote “Not yet worried about vehicle hacking? You should be!” and we see in the news that exactly this is happening at Black Hat. At Black Hat USA this week, the security researchers Charlie Miller and Chris Valasek are scheduled to present their latest findings in the world of car hacking. Again! Miller and Valasek already made names for themselves last year with the dramatic hacking of a Jeep Cherokee, interfering with its entertainment system, engine and brakes while it was being driven down a busy highway at 70mph. Fiat Chrysler then announced a safety recall of 1.4 million vehicles. Now, the situation has changed. “By sending carefully crafted messages on the vehicle’s internal network known as a CAN bus, they’re now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed.” (Wired) Watch for yourself the movies on YouTube:

What does this mean? Thankfully, their previous work helped Chrysler create a security update to fix the flaw that gave them their earlier, remote access to the Jeep’s guts. This new hack, however, is…


Let the competition for “securing the car” begin!

I didn’t actually want to write such a post, but several press releases drew my attention. So, the competition to protect the car has begun. Big players are now on the hunt for customers. But when you talk to customers like Daimler, VW, BMW, Nissan and others, the discussions will take a while. I will maintain the list below, grouping the technologies I see into categories. Please note that I list here only vendors that actually have a technology that mitigates threats in cars, and not just any vendor that talks generically about IoT or embedded solutions. I also exclude solutions which address only encryption and/or authentication, because this is not enough to protect vehicles. Feel free to contact me if you see that a vendor is missing and should be here.

Classic security vendors
Company | Technology
Symantec | Symantec Embedded Security: Critical System Protection

Newcomers
Company | Technology
Argus Security | Partnered with CheckPoint IDS/IPS
TowerSec | ECUShield

Vendors that have only papers:
Company | Link
Intel/McAfee | http://www.mcafee.com/us/solutions/embedded-security.aspx


Do you actually need a security product in your car? Part 1: Prevention, Detection, Remediation

Note: This is going to be a somewhat longer article, which I will finish in a couple of related posts.

A security product is a program that
- Prevents malware from entering the system
- Detects if previously unknown malware is running on the system
- Remediates the actions of detected malware on the system

Note that it is not mentioned *how* PDR gets implemented in practice. There are many ways to implement them, and how this gets realized is out of the scope of this article.

Back to our question: Do you actually need a security product in your car? Today, no, you don’t. But in 1-2 years the situation will change. Remember that in the automotive industry innovations need time until they reach the end-customers. Why? Read on…

The “Today”
Why not today? The cars today are just beginning to become connected. It is like it was in the ’80s with PCs: they have little to no attack surface. They are mostly closed systems or have a single encrypted connection to a backend from which they get the data they need. The entry points in the car are:
- the infotainment system
- the OBD2 port
- the in-car Wi-Fi network…


Responsibility for Vehicle Security and Driver Privacy in the Age of the Connected Car

Source: Responsibility for Vehicle Security and Driver Privacy in the Age of the Connected Car
Sponsored by: Veracode, Created by IDC
Author: Duncan Brown

IDC conducted in-depth interviews with leading vehicle manufacturers and automotive industry representatives, as well as 1072 drivers across the UK and Germany. These are the questions that the survey had:

What are the cybersecurity implications of the connected car?
Around 30% in both countries are “somewhat concerned” that such aids could be hacked and fail to operate as intended. If you then also include those who were “very concerned” and “extremely concerned”, the total increases to over half (57%) in Germany and half (50%) in the UK.

Who is responsible for ensuring the applications are secure?
When considering who would be liable for a vulnerability in an application downloaded by the driver, nearly a third (32%) of drivers in Germany would hold the app developer responsible, while for a quarter (23%) it’s the vehicle manufacturer, and for 22% the app store where they downloaded it. Only a fifth (20%) think they themselves should be liable.

Where does product liability lie with regard to the connected car?
German drivers (41%) and British drivers (51%)…


Nissan’s connected car app offline after trivial to exploit vulnerability revealed

On Wednesday Nissan disabled an app that allowed owners of its electric Leaf car to control their cars’ heating and cooling from their phones, after the Australian researcher Troy Hunt showed he could use it to control others’ cars as well. The NissanConnect EV app, formerly called CarWings, enabled a remote hacker to access the Leaf’s temperature controls and review its driving record, merely by knowing the car’s VIN (vehicle identification number). The app will turn the climate control on or off—it decided not to bother requiring any kind of authentication. When a Leaf owner connects to their car via a smartphone, the only information that Nissan’s APIs use to target the car is its VIN—the requests are all anonymous. Those are the findings of Troy Hunt and Scott Helme, who published their findings on Wednesday. Thursday, Nissan took the service offline.

Conclusion
In order to speed up the release, they had to cut corners. Well, they cut the wrong corners. These are the rules of connecting apps to a backend:
- always use encrypted connections
- authenticate the client
- authorize the client (which is different from authentication) to access various functions
- filter and validate the incoming data

Sources:
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
http://arstechnica.com/cars/2016/02/nissans-connected-car-app-offline-after-shocking-vulnerability-revealed/
http://www.usatoday.com/story/tech/news/2016/02/24/nissan-disables-app-hacked-electric-leaf-smart-phone-troy-hunt/80882756/


More insecure software around car (in)security

As I mentioned already, anything that runs software has to abide by secure coding principles. Cars run more software than many other devices around us. And they run special software… which needs to be taken care of by other special software. And when that software is vulnerable, then you’re in trouble! Now some researchers have discovered an attack that exploits a zero-day found in car mechanics software used to debug and fix cars sold by the Volkswagen Group. This software is built and sold by third parties, not Volkswagen. This is not new; I already wrote an article about this: As expected: the USB Stick-like infection from PCs goes to automotive as well! The researchers said they only experimented with the exploit on an Audi TT model, but other car makes and models may be vulnerable as well, at least in theory. The attack leverages poor PC security measures, not the actual car software (source: Softpedia). The attack, as described by the three scientists, relies on infecting a car dealership’s computers with malware which leverages this vulnerability in the car computer debug tools used by mechanics. When this tool is connected to an Audi TT to perform routine maintenance checks or fixes, the malware…


As expected: the USB Stick-like infection from PCs goes to automotive as well!

Just seen this article on Wired Magazine: Car Hack Technique Uses Dealerships to Spread Malware At the Derbycon hacker conference in Louisville, Kentucky last week, security consultant Craig Smith presented a tool designed to find security vulnerabilities in equipment that’s used by mechanics and dealerships to update car software and run vehicle diagnostics, and sold by companies like Snap-On and Bosch. Smith’s invention, built with around $20 of hardware and free software that he’s released on GitHub, is designed to seek out—and hopefully help fix—bugs in those dealership tools that could transform them into a devious method of hacking thousands of vehicles. If a hacker were to bring in a malware-harboring car for service, the vehicle could spread that infection to a dealership’s testing equipment, which in turn would spread the malware to every vehicle the dealership services, kicking off an epidemic of nasty code capable of attacking critical driving systems like transmission and brakes, Smith said in his Derbycon talk. He called that car-hacking nightmare scenario an “auto brothel.” “Once you compromise a dealership, you’d have a lot of control,” says Smith, who founded the open source car hacking group Open Garages, and wrote the Car Hacker’s Handbook. “You could…

