August 16, 2016
Why Connected Cars Are So Vulnerable
Connected cars may implicitly trust anything that communicates with them and fall victim to transmissions with no authentication.
Connected automobiles are just like any Internet of Things device, in that they have an identifying address on a network and are susceptible to being targeted. Vehicles are built with several electronic control units (ECUs) that manage such systems as the infotainment setup. These systems require connection to a back end, typically the automaker, which will “push” patches and data to the system remotely through cellular base transceiver stations (BTS).
The same goes for cellular networks, where identifiers are on SIM chips. Exploitation of vulnerabilities is not limited to the mobile device; it extends to the communication infrastructure.
In tests of IoT devices that Brier & Thorn has performed, information technology security is lagging. Many systems seem to implicitly trust anything that communicates with them; connected automobiles can fall victim to attacks via transmitted communications that have no authentication.
Many nodes for attack
Like a mobile phone, an electronic control unit that uses cellular to communicate with its back end is going to automatically associate with its closest base station or cell tower, and trust it. That’s where hackers could strike in a number of ways.
Of particular concern is the kill chain model of attack. This involves a pattern of transaction activities that, when linked, work together to compromise a system.
In its studies, Brier & Thorn looked at an electronic control unit connected to its back end over cellular using a built-in SIM chip. The attack vectors depended on: the ECU’s communication connection with SIM chips for connections to mobile service providers’ cellular base stations; Wi-Fi for connections with its head unit within the car; Bluetooth; and the physical attack surface.
An ECU within an automobile is connected to a controller area network (CAN), which is designed to allow microcontrollers and devices to communicate in an application without a host computer.
Crooks in driver’s seat
Unfortunately, having the ability to send or receive CAN signals in a car gives someone “root” privileges. They might gain the ability to control the car and make it do whatever they want. Such a hack also might give a system within the automobile the ability to exchange commands with the car itself, opening another door to hackers.
Vulnerabilities in connected automobiles can be found in the infrastructure and in applications.
- Infrastructure vulnerabilities: Electronic control units trust cellular base stations they associate with through cellular networks; they use the network infrastructure to communicate with any outside system. If the ECU links to a rogue BTS, a hacker could perform a “man-in-the-middle” attack by intercepting messages between the ECU and the back-end system.
- Application vulnerabilities: Many ECUs will leverage SMS (Short Message Service) to send and receive commands to back-end servers, which makes them depend on the encryption cipher employed on the network. This leaves them open to attack via cellular networks.
Other areas of concern depend on which generation of technology a network is using. Networks range from 2G to 4G, with each generation using a different type of encryption cipher.
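The two bullets above describe an ECU that accepts SMS commands and relies on the network's cipher to protect them. The following is an added example, not code from this article or from Brier & Thorn, contrasting that implicit trust with an ECU-side check that authenticates each command itself, so a forged or replayed message is rejected regardless of which base station delivered it. The message layout, the per-vehicle pre-shared key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output size
HDR_LEN = 8    # 64-bit big-endian message counter
SMS_MAX = 140  # payload octets in a single SMS

def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Back-end side: counter || command || HMAC(key, counter || command)."""
    body = struct.pack(">Q", counter) + command
    msg = body + hmac.new(key, body, hashlib.sha256).digest()
    if len(msg) > SMS_MAX:
        raise ValueError("command too long for one SMS")
    return msg

def naive_handle(payload: bytes) -> bytes:
    """Implicit trust: whatever arrives is treated as a command."""
    return payload[HDR_LEN:-TAG_LEN]

class CommandVerifier:
    """ECU side: accept only if the tag verifies and the counter advances."""

    def __init__(self, key: bytes):
        self._key = key   # hypothetical per-vehicle pre-shared key
        self._last = 0    # highest counter accepted so far

    def accept(self, payload: bytes):
        if len(payload) <= HDR_LEN + TAG_LEN or len(payload) > SMS_MAX:
            return None   # malformed
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None   # forged or altered in transit
        (counter,) = struct.unpack(">Q", body[:HDR_LEN])
        if counter <= self._last:
            return None   # replay of an old message
        self._last = counter
        return body[HDR_LEN:]

# Constructed sample values, not taken from any real vehicle or back end.
KEY = bytes(range(32))
GOOD = seal(KEY, 1, b"GET_STATUS")
TAMPERED = GOOD[:HDR_LEN] + b"SET_STATUS" + GOOD[-TAG_LEN:]
```

This authenticates commands but does not encrypt them; confidentiality of the payload would still depend on the network cipher unless encryption is added at the same layer.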
Keys to criminals
When a connected automobile is camped on a cellular base station, it’s susceptible to numerous attack vectors, including the ability to capture the SIM chip identifier and intercept traffic to and from the ECU via SMS.
Depending on which network the system uses, SMS text messages can be captured, and hackers can crack the codes, giving them access to communications between the back end (an automaker) and the ECU. Hackers have access to several tools that can intercept and decipher these messages.
ECUs are more secure when camped on 4G LTE networks, but unfortunately, especially in the European Union, the prevalence of LTE networks is low. Because automobiles have unrestricted travel capacity to areas with spotty coverage, the probability of a car’s electronic control systems camping on a 2G or 3G network is quite high.
This article originally appeared on ThirdCertainty and was written by Alissa Knight as a guest essay.