The hidden security risks within the connected car
Last summer, my friend’s super tech car was stolen. Nothing that strange there except for, with all its tech, maybe it should not have got stolen. However here was the worrying thing. In order to use car's apps and services, you have to give your VIN number and get a dealer to do it for you. So imagine his surprise when two days after the car being stolen he receives an SMS from the car manufacturer saying he had been removed from his ‘own’ car and it now had a new owner of all the app functions, etc.
Not only was the car stolen, it had been to a dealer to have the change done. Yet we want to put more and more tech into cars and manufacturers are all about making money from personalisation and services of your vehicles.
So what does my super connected car mean to hackers? Three of the following probably:
Take Control
Digging for information
Disrupting services I may be connected to
So what does more connectivity mean? It means access. Just on a basic level. It means lots of access points that didn't exist before and now provide hours of fun trying to crack.
Let's just look at personal data theft. It's almost become a way of life in many verticals, automotive is next. It could be as simple as installing malware on ECUs or just information leakage. Just imagine where you could place ransomware. The FBI suggest in 2016 that revenues were $1bn. Hit a whole fleet of vehicles, or even the commercial vehicle that delivers goods to companies (or a whole fleet).
Lets face it, most people don’t think maliciously. We might get paranoid but in general we are trusting. In fact my experience of hackers, good and bad, is that if you say your product has an edge, that's usually the part they will attack because that's the thing your sales team love and is probably going to make your company cash. The thing is, ransomware is actually quite easy and a very powerful threat on vehicles. What's the ultimate aim? To make you, yes you the weak link so to speak, not want to drive that vehicle. Would you risk it? Probably not and let’s face it hacking is pretty much black magic to the rest of the world.
The hacker will be looking for the weak end points. Privileged information that maybe your local garage has access to, or the manufacturer has access to. Below I suggest just one point when you simply hire a car. Or above when my friends BMW was stolen, maybe that data was changed internally.
So once that hacker is in, then the endless fun (for them) begins.
Reverse engineering to find decrypted data. What if you could actually process data without it being in a clear format? Remember code is like a process chart most of the time. All you need to do is reverse engineer to find the decisions.
You think you are okay checking signatures and data and files before it's used? If a hacker has end point access then they can alter your check and binaries can be modified.
So imagine if you could hide your flow chart, process chart in your code. Manufacturers (OEMs) and Tier 1s are looking at control flow flattening.
You think your communications to your vehicle are secure? And you can trust the data you receive? That sort of works, but it's actually really difficult to do with a vehicle with hundreds of data points, let alone the many many flows of data coming in from different sources. Just because data from a verified source is trusted it doesn't mean the data cannot be malicious. Software in the vehicle can make no assumptions about data and it basically means every point of entry device for data on the vehicle has to be secure.
The WPA2 crack is a great example that most Wi-Fi devices have a risk. So how do you as an automotive manufacturer apply updates to keep Wi-Fi security up to date within a vehicle? They have previously struggled endlessly with updating the ECU in your car so this has just added a whole new layer.
A lot of areas, especially rural areas, are focusing on 5G networks to help with the rollout of autonomous vehicles and connected cars. I am still not convinced just because I think 5G rollout is a decade timeline, so not quick, and have some issues around coverage for roads (but that's for a whole different article). But if vehicles are going to share the same 5G network as our mobile phones what do we do about security? It could be as simple as a hacker seeing data about where I left my car parked. Even today I get updates from my BMW app or even Google now to tell me where my car is.
These are just some of the areas. What can be done? Well it's pretty much:
Historically hackers go for the crypto software point
Protect against reverse engineering at end points
Ensure endpoint integrity
Static security is no security over time
Forensics through data needs to happen and needs to be taken advantage of
The fact is it is still in its infancy, no matter what some of the manufacturers say they have in terms of securing vehicles.
And we trust, a lot. We say we don’t but ultimately we do. Whilst writing this I was just thinking that I had to use a hire car the past couple of weeks and it had really good tech in the car that I straight away paired with my iPhone and basically opened up all that data on my phone. I am sure the people at Hertz are good people but it only takes one person right? Imagine if you are the person that delivers and picks up the car, not a bad side line? And yes the same person did pick up the car that delivered it and going by the fact he was struggling to work his iPhone, I think I am safe.
Remember the 1990s when we first came across viruses? Well we spent many years chasing our tails back then and assuming some of our fixes were working. And how much of what happened to us was down to us just simply being fooled by really good cons. Those innocent emails people opened and gave away Paypal logins? The threat is going to be big and no doubt it will be dealt with but I do wonder if we are pushing the issue under the carpet in order to enjoy the excitement of all these new boundaries of technology being pushed.