Auto manufacturers are asleep at the wheel when it comes to security
And rising car thefts suggest the criminals are taking advantage
Cars are getting smarter every year but their increasing computational power isn’t being backed up by good IT security practices – hacking them is child’s play.
That’s the conclusion of a series of speakers at the Kaspersky Security Analyst Summit. These security researchers have demonstrated how easy it is to introduce software into vehicles to steal data, take control of vital functions, get around alarm and electronic key systems and even crash the car.
“Most cars these days are essentially computers running on four wheels,” said Stefan Tanase, principal security researcher at Romanian network testing shop Ixia.
“The only difference is when you have a problem with computer it won’t affect your physical security, but a car can put your life in danger and automotive security is something that the industry needs to take seriously.”
His fellow researcher Gabriel Cirlig recently bought a car and they decided to see how difficult it would be to hack. It proved to be astonishingly easy. They even managed to turn it into a war-driving machine that could spot and log open Wi-Fi connections.
Cirlig found some code on an open car hacking website that claimed to be able to give root access to a car’s control systems. After using the autorun-enabled USB port, he added the code and found it worked like a charm and tunneled into the car’s infotainment system.
What he found was rather disturbing. When he had connected his phone to the car earlier, it had crawled his entire address book and email list, taken a copy of SMS messages and logged his most visited locations in the last month – all stored in plaintext and perfect for those interested in surveillance.
After installing UNIX Cron software to ensure persistence, the two were able to set up the car’s Wi-Fi to scan for open connections. Thankfully it didn’t seem possible to hack the car from afar via the Wi-Fi but the two suggested it could probably be done given enough research.
Cirlig also found something useful in the car’s software relating to the automatic braking software. The car pings out a 40khz pulse of sound and uses echolocation to detect if there’s an obstacle in the road and will brake if a collision is imminent.
He theorised that if you mounted a similar speaker on another car you could fool another vehicle into slamming on the brakes by tricking it into thinking another car was just ahead, possibly injuring the driver or causing a skid.
While the two were careful not to reveal the make of car involved in the testing, it looked very like a late-model Mazda. After contacting the supplier they said the manufacturer considered its systems features, not bugs.
It gets worse
In a separate presentation Marc Rogers, head of information security at Cloudflare, detailed a number of ways in which basic manufacturing mistakes left car drivers vulnerable to hacking.
The average time from conception to a finished vehicle coming out of the factory is between four to six years, he said. But most Linux distros used in vehicles become outdated sooner than that and he said that vulnerabilities had been found in car code that were more than ten years old.
The current generation of controller area networks in cars is hopelessly out of date and isn't designed to be secure, he said. Data traffic is unencrypted and access to the CAN is easy using mandated data ports in vehicles.
Keys are another area of weakness. Some electronic keys have a pitifully small number of combinations, but more worrying is the use of signal amplification technology. There is kit available online for around $60 that can pick up the signal from keys and copy them to the car, unlocking them and disabling the alarm system.
All cars sold in the US these days also have to have tire pressure measurement systems installed as standard, and the signal is unencrypted. A suitably programmed Raspberry Pi can use the signal to track cars, but more worryingly can be used to crash the engine control unit that controls keyless entry.
“Car theft rates have been falling for years,” he said. “But in the UK in the last two years they have risen 20 per cent. A direct causal link is difficult but it looks suspicious.”
It’s not just the UK. In the US, car theft rates have risen in the past two years. In 2015 they were up 3.8 per cent and in 2016 there was a further 7.8 per cent rise.
Most manufacturers are still not taking security seriously, he noted, and while they might pen test some subsystems they never do the whole car. This needs to change if future drivers are to be secure on the road. ®