Car Hacking A Modern Threat
Posted by Security Team on
Car hacking? you may ask.
As if there aren't already enough cyber security threats lurking in our daily lives.
There is another one gathering an overwhelming increase in attention - car hacking!
The thought of a hacker remotely gaining control of your vehicle sounds like something from a science fiction film.
Car hacking is not only possible today. It has been for quite some time.
Many Cybersecurity experts caution that the auto industry must mature, as there are growing risks as car hacking will become increasingly common in the years ahead.
Particularly as cars become more hyper-connected.
In 2015, security researchers Chris Valasek and Charlie Miller hacked into a 2014 Jeep Cherokee. They managed to briefly disable the brakes, turn the steering wheel, and shut down the engine.
The two researchers found they could also access thousands of other vehicles that used wireless entertainment and navigational systems called Uconnect, which was common to Jeep, Dodge, and Chrysler vehicles.
The hack prompted Fiat Chrysler to recall 1.4 million vehicles.
Many do not generally understand that cars are computers on wheels.
Gone are the days of your traditional car engine, frame, and wheels.
A modern-day car can have as many as 100! Electronic control units.
Concerns have been compounded in recent years as an increasing number of cars come equipped with connections, including satellite, Bluetooth, and Internet, that experts say make them more vulnerable to hackers who can access computerized systems.
How does it happen?
Newer cars contain much onboard computerized equipment, including an electronic control unit (ECU), a controller area network (CAN), Bluetooth connections, key fob entry, and more. Many also connect to central servers through the Internet and various APIs, which can also be vulnerable to attack.
All of which can be compromised in a variety of ways.
Key Fob Hacking and Signal Boosting
Hackers can access a vehicle using a range of different techniques.
By manipulating the rf (radio frequency) signal using easy-to-build electronic devices like the "HackRF one," the car thinks the key fob is nearby.
The attacker can unlock the vehicle without the keys and activate the start button.
The code that the key fob transmits can also be stored and used in a later attack.
Security researchers hacked a Tesla Model S using a cloned key fob, even though it's supported by an extensive security team and uses encrypted keys (It turns out the encryption was the weak link).
Signal boosting, in this context, means stealing a signal.
Hackers can use devices that trick the vehicle and your key fob into thinking they are within the range of each other, then emit the fob's unlock signal without touching any buttons on the fob or car.
Signal boosting is normally used to unlock a car, but similar tactics can be employed to turn on vehicles with keyless ignitions, also.
There are also a plethora of remote key fob attacks, such as roll jamming, that record and spoof your key fob's unlock signal. Although much harder to pull off, they still happen.
All an attacker needs to perform a signal boost is about $20 of equipment and some motivation.
Prevention
Advise storing your keys in a bag that blocks radio frequencies to avoid this risk.
Like a Faraday key fob bag
Faraday bags create an electromagnetic barrier that stops any signals from getting in or out of the bag, like the "Faraday cages" the bags are named after.
With a Faraday bag and other anti-theft measures like security cameras and steering wheel lock, the chances of someone breaking in and possibly stealing your vehicle become dramatically lower.
Also, don't store fobs, spare keys, garage door remotes, and other valuables in your vehicle. This way, if someone still manages to get in (windows are breakable, after all), they won't find much to steal.
App vulnerabilities
If you use any third-party apps linked to your vehicle, this introduces another attack vector.
Third-party apps are becoming increasingly available in cars. Some newer models offer a limited range of apps on their infotainment system.
The number of these apps is steadily increasing.
Many of these apps reach out to central servers and API endpoints which can introduce a whole range of vulnerabilities in the manufacturers or third-party apps.
One hacker found that he could remotely kill thousands of cars' engines through two GPS tracking apps (ProTrack and iTrack) by exploiting weak password protocols in the application.
Prevention
- Be careful if you decide to use any apps linked to your vehicle.
- Turn off the Wi-Fi or Bluetooth when you're not using it.
Entertainment systems
Car entertainment systems can be the most Vulnerable to Hacking. This is because the systems manage everything from music and temperature to steering and breaks.
In a vehicle, the entertainment system must connect to the outside world to receive satellite radio signals, stream content, and convey mobile phone conversations. The channel is like an open sluiceway to the car's central nervous system, called the controller area network, or CAN bus. The CAN enables the car's various components to talk to each other. The greater complexity of vehicles rolling off assembly lines, mainly installed entertainment systems, makes them much more vulnerable than models built before 2010.
Prevention
- Don't download untrusted apps or use your car's Web browser: Your car's entertainment system can be unprotected and ripe for the picking.
- Untrusted applications in your infotainment system can introduce malware.
- It would also help if you tried not to use the Web browser in your vehicle. Use your mobile phone instead while safely parked.
Tips to protect your vehicle from attacks
Apart from the above measures we have covered, there are a few more things we can do.
Don't program your home address into the GPS.
Although it may be convenient, car thieves and hackers can use your GPS to locate your home address. In addition, if they have any access to the garage door opener, they may be able to access more than your car.
Stay on top of vehicle recalls
There has already been one cybersecurity-related vehicle recall for the Jeep Grand Cherokee UConnect entertainment system.
This vulnerability left open access to the car's windshield wipers, acceleration, brakes, radio, and more. In addition, the affected customers received a USB device to upgrade their vehicle's inbuilt software with new security patches.
All vehicle owners should keep a look out for similar recalls.
Limit wireless or remote systems
Systems that disable or monitor your vehicle remotely place you at the most risk.
While many other systems are hard-wired into your vehicle's computer, wireless or remote systems are often controlled online and are more vulnerable and attractive to hackers due to their remote nature.
Take advantage of blocking materials.
Conclusion
Yes, the world of technology is evolving at a rapid pace.
It can be hard to keep up with.
Many things we label as conveniences can leave us vulnerable if we don't educate ourselves about what they are and how they work.
You can do many things to secure yourself, like the tips mentioned in this article.
The good news is that many fantastic hackers are doing incredible research in this field, helping to secure these advancing technologies from modern threats.
We hope this article has given you some knowledge into the future threats we face and steps we can take now to ensure we can enjoy this tech to stay informed, empowered, and in the "driver's seat" of technology."