It seems not even our cars are safe from hackers.
Automotive hacking is a worrying trend, and involves the exploitation of vulnerabilities within the software, hardware, and communication systems of cars.
Modern automobiles contain hundreds of computers that control the vehicle, called Electronic Control Units (ECUs). These ECUs communicate with each other to keep everything running smoothly, from engine and brake control to door locks and interior lights.
These computers allow the driver to see valuable information about their car, such as engine performance tracking and maintenance, and provide data for manufacturers to improve their future models.
These computers also leave modern cars vulnerable to security threats.
Tools to interface with cars via the on-board diagnostics port are readily available. These can be used to interface with the ECU via the CAN bus or other protocols. Researchers can use these tools to probe the systems connected to the car, search for vulnerabilities, and make changes to those systems.
Loop’s Senior Offensive Security Consultant, Topaz Aral, displaying one such device he obtained at this year’s DEF CON Security Conference in Vegas on the Loop Pool Table!
Security researchers from Keen Security Lab in China recently discovered 14 flaws in BMW cars, including some vulnerabilities that can be exploited remotely, potentially compromising the safety of a vehicle.
Keen Security Lab, which is a cybersecurity research unit run by Chinese behemoth Tencent, found these vulnerabilities over a 12-month security audit on BMW between January 2017 and February 2018.
Keen Security Lab also found security flaws in a number of in-car modules used by Tesla, potentially allowing hackers to remotely hijack a Tesla, and even control its brakes from almost 20 kilometres away.
Jeep researchers also proved they could hijack a moving Jeep on a highway, remotely controlling everything from the stereo and windscreen wipers through to more serious breaches, such as cutting the transmission and stopping the accelerator from working.
“It’s these types of findings that have both automakers and the cybersecurity industry accepting that connected cars are as vulnerable to hacking as anything else connected to the internet,” says Topaz.
The biggest issue for connected cars right now is perhaps keyless entry, giving thieves access to your car to steal any valuables they can find.
But as Topaz says, the worst-case scenario is easy to imagine. “When a moving vehicle is involved, personal safety is the biggest concern. Hackers gaining access to a moving car’s infotainment system, then taking control of the vehicle's door locks, brakes, engine or even semi-autonomous driving features.”
“The research has shown that it’s possible. And the first car to be compromised in this way would most certainly have a huge effect on their brand.”
Despite these concerns, there have been no reported instances of hackers shutting off engines mid-journey. And little would be gained by doing this, unless the motive is to cause panic.
As with any security flaw that can be exploited by hackers, automobile manufacturers release patches for car owners. A growing number of vehicles also have the ability to wirelessly download security patches, similar to how computers and smartphones have been getting software updates for years.
These over-the-air updates allow auto companies to respond to threats and newly discovered vulnerabilities faster than having to ask customers to bring their vehicles to dealerships. The ability to download patches wirelessly will certainly streamline patch management for manufacturers, as the number of autonomous vehicles on the roads is expected to increase significantly in the 2020s.
The sophistication of the car’s operating system will also evolve. For instance, cars will eventually be built with vehicle-to-everything (V2X) communication capabilities, which is the passing of information from a vehicle to any entity that may affect the vehicle. This includes other vehicles, infrastructure, and pedestrians. While V2X’s main benefits are safety and energy savings, it again presents more opportunity for hackers to exploit security holes.
Over the next decade, cars will continue to be loaded with tech, with improved, built-in diagnostics, tools and add-on devices that will continue to advance.
“The safety and efficiency gains will be significant,” said Topaz. “And while the risk of falling victim to automobile hacking remains low, manufacturers still need to think about the potential vulnerabilities to their vehicles.”