Imagine that you are driving along, foot on the pedal, enjoying the ride, when suddenly your radio blasts out music and your heater switches on full blast, all independent of your touch. And then, just to add danger to the confusion, your transmission cuts out.
This happened to a Chrysler Jeep Cherokee during Black Hat 2015 in Las Vegas. Security researchers Charlie Miller and Chris Valasek demonstrated just how easy it is to hack a connected car using simple hacking techniques like password guessing.
With computing power like that, should we be worried that our cars could become our enemies?
In this blog article, we will shed light on the increasingly popular concept of smart cars, give examples of possible smart car security threats and provide recommendations for how to prevent your smart car from being outsmarted.
The smart car market is revving up and expected to be worth $43 Billion by 2023. People are falling in love with smart technologies and cars are just one area that is picking up on the trend towards smartness.
Cars are smart when they become connected.
The first connected car was the OnStar by General Motors. It had a built-in telematics system and automatic crash notification, sending out a call to an advisor who could then contact emergency services.
Now, connected cars have an array of sensors and connect via intelligent systems directly (or indirectly) to the Internet. McKinsey describes the modern connected car like this: “today’s car has the computing power of 20 personal computers, features about 100 million lines of programming code, and processes up to 25 gigabytes of data an hour.”
In a survey looking at the obstacles to connected car uptake, cybersecurity and privacy were the biggest concerns for consumers.
But what kinds of security threats put connected cars and their drivers at risk? In recent years, a number of researchers have explored vulnerabilities in smart car systems with some interesting results – some of which we have listed below.
A car running software, especially software that is connected to a mobile app or the Internet, is at risk of the same vulnerability exploits as any other computer. Protocol or code vulnerabilities are areas of potential weakness in connected car security.
One of the selling features of a smart car is its great infotainment system. The car’s infotainment system is connected via protocols, like the MirrorLink protocol, to the driver’s/passenger’s smartphone to allow music to be played. MirrorLink uses the same type of mechanism that is often used in remote desktop sharing.
A team of security researchers at New York University Tandon School of Engineering and George Mason University have demonstrated inherent critical security flaws in the system. The team found that hackers could exploit these vulnerabilities and override the safety features of the car.
The mazda_getInfo repository on GitHub demonstrates how the infotainment system in a Mazda could be vulnerable. The MZD Connect firmware of Mazda’s connected car allowed a user to run malicious scripts from a USB flash drive via the car’s dashboard. However, Mazda put out a disclaimer about this, stating “Please be assured and note that customizations cannot be carried out remotely by a third party”.
Another infotainment-initiated attack was discovered by researchers looking at Volkswagen and Audi connected cars. The researchers used the car's Wi-Fi to exploit an exposed port and hijack the infotainment system.
They were able to identify critical security vulnerabilities in two of the largest smart alarm systems affecting 3 million vehicles. The vulnerabilities included both security issues, such as unlocking the car, and privacy violations exposing the personal data of the car owner.
Mobile apps are a potential weak point in smart cars.
Kaspersky took seven connected car mobile apps and analyzed them for vulnerabilities. What they found was shocking. Amongst others, they identified little or no code obfuscation for door unlocking. They also found none of the apps encrypted username and password credentials. One of the main concerns of the exercise was that mobile Trojans could be used in the future to compromise smart cars.
And it isn’t just cars at risk here. The Xiaomi Electric Scooter connects via Bluetooth to a mobile app, allowing various functions such as an anti-theft system to be switched on or off. Unfortunately, researchers have identified a flaw that allows a remote hacker (up to 100 meters) to send commands to the scooter via the app without the need for the password.
Smart cars are vulnerable to the same issues as other software. And, because components are connected, they offer an expanded attack surface for cybercriminals. For consumers of smart cars, we recommend several things to hack-proof a connected vehicle.
Like any other computer, you should endeavor, wherever allowed, to patch firmware.
Also, always keep mobile phones and associated smart car apps up to date. UConnect, who develop a connected vehicle platform for a number of well-known smart car makes, let you check for updates online. Also, make sure you sign up for manufacturer updates.
If you aren't using it, deactivate it. Bluetooth, for example, is a possible exploit point for cybercriminals.
Check out the Wi-Fi hotspot used by the car and wherever possible secure it – this includes replacing any default passwords. In addition, make sure you don’t write down any passwords associated with your smart car and leave them in the car.
Malware upload may be more difficult to perform remotely, but it is easier if a malicious insider does it. Take care to find a trustworthy mechanic when you have your smart car serviced.
Secure best practices in the automotive industry are a must if we want to ensure a secure driving experience. The manufacturing process, itself, needs to be based on the principle of ‘Security by Design’. To this end, frameworks and best practice guides are being developed to ensure smart cars have good security built-in, by design.
One such example is the ENISA smart car best practice guidelines. The guidelines look at ways to develop best practices in keeping smart cars safe from cyber threats.
Other bodies working in the area of smart car security best practices are the National Highway Safety and Transportation Administration and the Federal Trade Commission. A workshop held in Washington D.C. in 2017 explored ways of improving the data security and privacy of connected cars.
A number of key points emerged from the workshop. A focus was on data collection in smart car environments being expansive across myriad areas of the car. The workshop discussed how data privacy fundamentals such as consent to share data and the minimization of data collection must be incorporated into car design.
From the workshop, a document offering voluntary guidance on smart car security was released – “Automated Driving Systems 2.0: A Vision for Safety”.
Ensuring that our smart cars give us a secure and privacy-enhanced driving experience means our manufacturers need to ‘design smart’.
Smart cars are the equivalent of an Internet-connected device on wheels. All of the same vulnerabilities and exploits found in the Internet of Things (IoT) will come to haunt smart cars unless we plug the gaps with Security by Design.
If you’d like to learn more about how to secure an IoT environment, download our free infographic “10 Tips to Secure Your IoT Environment”