Is your connected car open to cyber attack?


Technology in today's cars is so hackable that those aboard are now at physical risk of their vehicles being intentionally crashed, warns a leading New Zealand cyber-security company.

While the breach of a website can result in loss of reputation or sensitive company information, a breach of computerised systems aboard a vehicle can result in physical risk and even loss of life, says the Wellington-based company, Aura Information Security.

The warning is contained in an opinion piece written by security consultant Vladimir Wolstencroft.


"It is estimated there are between 20 and 70 microprocessors within a modern car system - each with its own specialised function and varying degrees of communication with other components," he says.


"So in reality these vehicles can be treated as complex computer networks as opposed to a single entity - and as most of us in the cyber security field know, complex computer networks are very hard to defend."

Wolstencroft points out that every day there are more cyber attacks revealed where dolls, web cameras, fridges and even televisions are used to eavesdrop on conversations taking place in the privacy of people's homes.

"The reality is we all need to be aware of the danger the cyber-physical world can bring, especially through the introduction of connected systems to our everyday lives," he says, claiming the development of these connected systems appears to have come with "early 2000s thinking" in terms of security.


Even without taking into account autonomous cars, there's a big issue to be faced when it comes to introducing connected technology into motor vehicles - the very technology that controls these large objects capable of moving at very high speeds.

"So what happens when we introduce these concepts to an industry that should have safety regulations? Particularly when a security breach can have a serious impact - for example crashing a car?"

Wolstencroft claims there are three major issues that car manufacturers and testing authorities face right now, particularly when it comes to technology and its expanding influence in the automotive world. These are:

- The inability to test for malicious third-party acts, such as hackers.

- A lack of understanding of what happens when critical and non-critical systems are connected.

- Lack of consumer knowledge and visibility when it comes to cyber threats.

On the question of how "hackable" a car can be, Wolstencroft says one of the first things attackers do when looking at compromising a car is to evaluate the attack surface. Connected cars unfortunately are built using technology which is well understood by attackers, is difficult to secure, and allows remote access.

This includes cars equipped with wi-fi, Bluetooth, keyless locks that use radio frequency, AM/FM radio, telematics, GPS and phone sync systems. While each system requires different proximity of the attacker - Bluetooth is up to 10 metres, and radio data systems are up to 100 metres - wi-fi and telematics systems could possibly be accessed from anywhere over the internet.

"One of the first things you learn when you are attacking a network is to look for the easiest way in. Once you are inside you can escalate your privilege, permission or access until you get to the target system that you are looking for. If you are hacking someone's bank account, the easiest thing to do is to compromise the person via their home computer, steal their password and then get access to the account (rather than actually attacking an account via the banking infrastructure).

"This is one of the reasons why we have seen such an increase in the use of ransomware and malware being delivered via phishing attacks, as they target the weakest links in the chain – the user.

"Cars in this respect are no different. As an attacker, if I want to compromise a vehicle, I want to get access to the components with the highest impacts – the control systems, the GPS, the brakes, the engines and locking mechanisms."

Some vehicle systems have already been hacked. In one case researchers were able to spoof a cellphone station and send fake messages to a car to unlock and lock the car doors. But perhaps an even easier way to compromise the system is via rooted firmware through updates that users download from the manufacturer's website and install themselves in the car via USB.

The site to download the update from is usually not served over HTTPS, meaning anyone performing a 'man in the middle' attack during a download can inject their own executable files modified to take control of the system. If they have control of that, they have control over critical functionality and can simply crash the system - and potentially the car if it is in motion.
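The check that closes this gap, as an added example that is not from the original article or from any manufacturer: before installing, the in-car system refuses non-HTTPS sources and any image whose hash is not covered by a manifest signed with a pinned vendor key. The `Manifest` layout, the function names and the `updates.example` URL are assumptions, and a throwaway key pair stands in for the vendor's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical update descriptor; its fields are assumptions.
type Manifest struct {
	Version string
	SHA256  [32]byte
}

// signedBytes is the exact byte string the vendor signs.
func (m Manifest) signedBytes() []byte { return []byte(fmt.Sprintf("%s|%x", m.Version, m.SHA256)) }

var ErrTransport = errors.New("update source is not HTTPS")
var ErrSignature = errors.New("manifest signature invalid")
var ErrImage = errors.New("image does not match signed manifest")

// VerifyUpdate decides whether a downloaded image may be installed.
func VerifyUpdate(source string, m Manifest, sig, image []byte, key ed25519.PublicKey) error {
	if !strings.HasPrefix(source, "https://") {
		return ErrTransport
	}
	if !ed25519.Verify(key, m.signedBytes(), sig) {
		return ErrSignature // manifest was not issued by the pinned vendor key
	}
	if sha256.Sum256(image) != m.SHA256 {
		return ErrImage // bytes changed in transit or on the USB drive
	}
	return nil
}

// sample builds constructed data: a made-up image signed by a throwaway key.
func sample() (Manifest, []byte, []byte, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed firmware image 2.1")
	m := Manifest{"2.1", sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.signedBytes()), image, pub
}

func main() {
	m, sig, image, pub := sample()
	fmt.Println("genuine: ", VerifyUpdate("https://updates.example/fw.bin", m, sig, image, pub))
	fmt.Println("tampered:", VerifyUpdate("https://updates.example/fw.bin", m, sig, append(image, '!'), pub))
}
```

The signature check is what protects a USB-delivered file, since the transport check says nothing about what happened to the image after download.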

Modern cars have started connecting their entertainment systems, telematics and GPS to critical control functionality. As an example some recent vehicles use a system that has wireless communication such as Bluetooth and wi-fi. This system not only exposes the vehicle to remote attacks, but the telematics and Bluetooth are on the same network as the brakes, steering and the engine, which means the compromise of any one system could lead to the compromise of the safety of the vehicle.

Potentially hackable features of other systems include remote keyless entry, Bluetooth, a cellular network, AM/FM/XM radio and proprietary radio. Adaptive cruise control, adaptive steering, steer-by-wire and driver assistance also may be susceptible to a hacker's attacks via the aforementioned remote vectors.

"So why aren't these systems being properly tested and why are they not properly secured?" Wolstencroft asks.

"This is where our first point comes in regarding the inability to test for malicious third party hackers. Vehicles are designed five years or more in advance of them actually being available to consumers. This means they often feature old technology that is vulnerable to attack."

Wolstencroft claims testing not only has to take place now for the obvious and known, but also for the unpredictable and the unknown. This is because the potential attack surface has increased through the combination of technologies, the understanding of the interaction between these systems is sparse, and the technologies chosen (such as wi-fi, Bluetooth and telephony) have been attacked and examined over many years.

"If we cannot secure these technologies in isolated systems such as wi-fi routers then how can we expect to secure them in complex, interlaced architecture within safety-critical systems?

"These technologies no doubt make our lives easier, safer (in certain respects) and in general better. But they do introduce new risk into our lives which we must acknowledge for the short term if we want to really change the prospect of securing the cyber-physical world."

