CONNECTED CARS: Which are risks for automated vehicles?

Pierluigi Paganini March 22, 2015

Findings reveal that there is a clear lack of appropriate security measures to protect drivers of a connected car against hackers.

“Findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” says a recent report by Senator Edward J. Markey.

Every day, more and more new devices are connected to the internet. From Internet-enabled watches, wearable devices, IP-enabled refrigerators and washing machines to biohacking implants, we are entering a new phase of technological development. Connected cars are growing in number each year. Although these cars are well equipped with automatic crash notification, speeding notification and safety alerts, reports suggest that they are prone to hacking, since not enough measures have been taken to adequately protect them from hackers. Hackers have recognized the new attack surface, so threats to connected cars will be on the rise. The connected car could make our cloud services, e-mail, text messages, contacts, and other personal, financial, and work data vulnerable to hackers. Burglars could determine vehicle location provided by the vehicle’s GPS to monitor when a home’s occupants are miles away. Hackers can gain access to vehicle networks and wreak havoc on traffic and even threaten the safety of vehicle occupants.

Security Risks of Connected cars

Connected cars can share information over C2C (car-to-car) or C2I (car-to-infrastructure) connections in real time. Cars are becoming part of the IoT (Internet of Things). Experts predict that IoT risks are going to increase drastically this year. We should take an entirely different approach to implementing cyber security for these devices. Having a team of brainy cyber security experts only during the development of these connected cars will not be sufficient to tackle the myriad possibilities of a cyber attack on these cars post-production. How data is fetched from the internet, and the data requests going out from the car, should be analyzed and evaluated. So, the focus is going to be in the cloud.

The U.S. Department of Transportation sees such potential that it’s enabling vehicle-to-vehicle, or V2V, communication, ushering in a future where cars on the road will automatically swap data such as speed and direction, sending alerts to avoid crashes or traffic snarls. And with all the time we spend in our cars, it makes sense that they should become personalized digital assistants. Recently, German auto outfit BMW announced it was sending an over-the-air update to cars featuring its SIM-based ConnectedDrive module. This module allows drivers to remotely unlock their car, but the German automobile club ADAC had reverse-engineered the telematics software and warned BMW that a flaw made it possible for third parties to unlock vehicles. The update, which introduces HTTPS encryption to the car’s connection with BMW’s servers, is automatically downloaded as soon as the car module talks to that system.

“No one wants to travel in a vehicle that can be hacked” – Martin Hunt, Senior Business Development Director, Automotive Global Industry Practice

Hackers were in theory able to dupe the car into unlocking by creating a fake mobile network, according to Reuters. There is no evidence that the flaw has been exploited, though it was present in up to 2.2 million BMWs, Minis and Rolls-Royces. Though the company patched the vulnerability in time, there is always a lesson to learn from such an event. The majority of automakers transmit data to third parties.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” Markey, a member of the Commerce, Science and Transportation Committee, said in a statement.

The vulnerability of these connected cars was demonstrated when a 14-year-old boy was able to easily unlock and start a connected car after spending just $15. Such vehicles will inevitably become the norm in the coming years as people look for safer driving experiences with their cars connected to local infrastructure such as traffic signals and emergency services, but security concerns only seem to get worse.

Use of Cryptography and Encryption

BMW fixed the above-mentioned vulnerability by increasing the security of data transmission in its vehicles, including encrypting data from the car via HTTPS. The question now is why standard HTTPS communication was left out when such encryption techniques had been available for quite some time. Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions. According to Frost & Sullivan, cars will have anywhere between 10 and 100 Ethernet ports from 2020. The lower end will be typical of entry-level cars, with luxury cars at the high end of the spectrum. Automakers are adopting Ethernet for two reasons: one, the economies of scale to be gained by adopting a standardized communications backbone, and two, to accommodate the continually increasing connectivity and bandwidth needs in the connected car.

Securing the connected cars – Hardening the vehicle

A recent IBM Institute for Business Value study, “Driving Security: Cyber Assurance for Next-Generation Vehicle,” identified three areas for automakers and partners to focus on when creating connected car features:

1. Design Secure Cars: Security starts with the car. The design process should be laser-focused on security from the get-go. That means outlining and testing the risks and threats that each component, subsystem, and network of the connected vehicle will be exposed to once it leaves the carmaker’s production line. Every software and hardware component and system has to be designed with security as a first order of business.

2. Create Safe Networks: In a system as far flung as connected cars will create, security has to be designed especially for and built into every component. Communications should be encrypted. All the organizations providing services that connect roadways, cars, and devices need to protect their networks and monitor transactions to detect suspicious activity.

3. Harden the vehicle: In the 1950s and ’60s, it took a mechanical engineer to design vehicle control systems; now it takes a computer scientist. A typical luxury car contains around 100 million lines of software code, which are managed by between 70 and 100 electronic control units, or ECUs. These used to be closed systems that required a toolbox and a mechanic’s creeper dolly to be tampered with. But by opening them up through mobile networks, Bluetooth, USB ports, and even near-field communications (NFC) sensors, cars are now at risk of remote hacking. These connected cars should be security-hardened at all levels:

  • Encryption of data at rest and data in motion.
  • Implementing proper cloud security controls.
  • Access control mechanisms.
  • Securing the operating system.
  • Penetration testing of the apps.

Recently, Oracle developed a platform for building car applications using Java. Similarly, Qualcomm, AT&T and others are bringing in new platforms exclusively for connected cars. With such great technologies, we are creating a vast new attack surface for hackers. The future is going to depend on how we provide security awareness and security development for these connected cars.

About the Author Ashiq JA (@AshiqJA)
Ashiq JA (Mohamed Ashik) is a Cyber Security Researcher and Writer passionate about Web Application Security, Security research using Machine Learning and Big Data, Deep web, Security Technologies and Threat Analysis. He is currently working as a Security Consultant for a financial firm. He believes in knowledge sharing as the best source for information security awareness. To catch up with the latest news on InfoSec trends, follow Ashiq JA on Twitter @AshiqJA.

Edited by Pierluigi Paganini

(Security Affairs –  connected car, cyber security)


