SEWORKS-blog_banner.png

App Security Insights

Connected Cars Are Talking To Hackers

Mar 7, 2018 8:11:00 AM / by SEWORKS team

Blog_Post_Banners_Connected-Cars-Are-Talking-To-Hackers.png

We all love how we can start our cars from our phones, especially when it’s colder than hell outside or our pure laziness just doesn’t want to expel the effort to push the button to start. But, even with the added safety features, general usefulness and extra cool to impress the passengers — all these are more doorways that need to be secured. Don’t get us wrong, the future of connected cars looks great with smartphones that start your vehicle to autonomous driving to your car telling your garage door to open, so you don’t have to. Sounds great, right? Okay, that is a yes from consumers and a heck yes from hackers.

As the cars get more technologically advanced, automakers need to shove in additional devices ECU (electronic control unit) to handle the added features. Here are only a few of the dozen-plus most hackable points in your current and next vehicle: Steering and Braking ECU, ADAS (Advanced Driver Assist System) ECU, Passive Keyless Entry, Bluetooth, and Smartphone. And, as such with the internet-of-things, they are all in communications with one another, often through a Controller Area Network (CAN) bus.

As said by Dr. Charlie Miller in A hacker's guide to fixing automotive cybersecurity, who was one of the guys that hacked the 2014 Jeep Cherokee, “CAN is a specification utilized by almost all automobiles. It is a single two-wire connection between all the components of the car. Instead of running separate wires for everything, all the components can take turns sending messages on this shared bus to one another. Because of the way this specification is designed, the messages are broadcast to all components. There is no way to know which component sent which message or to verify it was really sent by that component.”

Charlie Miller goes on further to note that because of this limitation and shared acceptance in the auto industry, coupled with advancements in safety features for Automated Parking Assist and internet-connection for navigation has led to the current hacking conundrum taking shape in the auto security space now. As vehicles process so much information, it is easy for malicious data to enter the car because any software that uses external data to communicate may contain vulnerabilities that hackers can find and exploit. This state brings the consensus that the majority data of connected cars are vulnerable to some form of cyber attack.

Without A Steering Wheel

This is all very terrifying, seeing an average of over 250 million vehicles are on the road every year. Also, the growth of smart cars gives hackers many targets along with numerous entry points. How can we go about eliminating them? It turns out; complete elimination may be hard to achieve. When we look at the present state of computer and mobile security, even technology powerhouses like Apple and Google aren’t entirely free from hacking attacks. They often improve security by patching newly discovered vulnerabilities. So how does a relative newcomer, the connected car industry, survive?

Well, there are places that automakers can start with to make their vehicles more secure. An excellent place is adding additional security measures, much like the practice done by most computer and mobile app developers, to the CAN bus itself that can work like any standard firewall — regulating traffic between the various devices. Another could be adding encryption or authentication commands as a layer on top of the CAN. These two would be useful fixes but would require automakers to rethink how their components communicate with one another entirely. And, a final, simpler option for the current landscape would be introducing some form of Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) to alert the vehicle and the manufacturer of any suspicious activities.

“Reason automotive network IDS/IPS is likely to work is because the CAN bus is a very controlled and predictable environment populated entirely by automated computers that communicate at well-established time intervals. As such, it is easy to detect anomalous or unexpected traffic.” States Charlie Miller.

Cupholder's Revenge

Let’s say, in an ideal world, we get rid of these external vehicle threats — are we safe now? The answer is still no, because there is still one place the connected car industry cannot fix on its own, and it is usually sitting in the cupholder. That would be your smartphone. Mobile app security will be significant going forward for connected cars and automakers. It turns out, millions of cars are already vulnerable to hacked Android connected car apps. Researchers from Kaspersky discovered that seven of the nine connected car apps were “easily” hackable. Here is their list of hackable issues below:

  • No defense against application reverse engineering: Malicious attackers can understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system.
  • No code integrity check: It enables criminals to incorporate their own code into the app and replace the original program with a fake one.
  • No rooting detection techniques: Root rights provide attackers almost endless capabilities and leave the app defenseless.
  • Lack of protection against app overlaying techniques: This helps malicious apps to show phishing windows and steal users’ credentials.
  • Storage of logins and passwords in plain text: Using this weakness, a criminal can steal users’ data relatively easily.

Once hackers get into apps by mobile hacking attacks, they could move freely about the cabin controlling everything from the door locks to the security system to personal credentials like names and credit card information.

Another interesting way for hackers to get through smartphones and connected cars is by compromising Bluetooth and cellular connections. This vulnerability was discovered by researchers at the University of Washington and University of California, San Diego. The way most Bluetooth systems were implemented was not secured — giving them two ways in, one was using a hacked phone already paired with the car, the other was tricking the system into authorizing a new Bluetooth connection to one of their rooted device. And, as for cellular connections, often used to perform tasks like calling for help in the event of an accident (GM OnStar, Ford Sync, etc.), they were able to break the authentication system by spamming the car with calls and uploaded malicious audio to gain control. Both done in a matter of minutes.

Where To?

To secure our future cars, automakers will need to design vehicles with security in mind at inception. They will also need to design their connected apps, in the same manner, making sure the two work together. We, the Team AppSolid, are advocates of proper app security practices, and to secure their apps, automakers need to catch up with the rest of the mobile space — fast. There are quick and powerful security practices that help stop attacks that all developers can use now, like obfuscation to prevent code from being reverse engineered and app monitoring software to alert developers if the code is manipulated. Those are a start, but it needs to go further than that.

Moreover, due to the infancy of the vehicle cybersecurity space, with a bill from the US government only coming in 2015 with the Security and Privacy in Your Car (SPY Car) act and reintroduced again in 2017 from Senators Ed Markey of Massachusetts and Richard Blumenthal of Connecticut. The auto industry and governments are still finding a footing on how to approach these growing threats. To make a proper impact, they will need to work together on standardizations, legislation, and transparency. The current bill does present valid solutions that would improve overall security, like requiring that all critical software systems, like the CAN bus, be tested and isolated from non-critical systems.

The bill also takes policies from mobile applications, like requiring that every vehicle tell drivers about what data is being collected, transmitted and saved, and allowing drivers permission to opt out of data collection. Vehicle cybersecurity protection needs to start from day one of development and become a non-negotiable part of the development process. It is not limited to just automakers, app developers for the auto industry and the mobile app market at large need to continue to uses proper security tactics throughout to ensure the only thing we need to worry about in our future cars — is where to next.

Topics: Android Mobile Security, Mobile Application Security, Connected Cars

Written by SEWORKS team