Coming from humble beginnings, cars have evolved beyond their main purpose of transportation, to now boast an array of sophisticated features. From advanced navigation systems to the use of artificial intelligence, these innovations in the automobile industry have completely changed the driving experience.
The rapid growth of the industry also introduced electric cars and driverless vehicles. In this era, where our vehicles have become more interconnected, comes the ominous reality of automobile hacking. As our cars grow into larger devices with intricate networks, they usher in a new wave of vulnerabilities, and ensuring their security becomes paramount.
Throughout this article, Oppos Cybersecurity Consultants will delve into the challenges posed by the increasing integration of technology in our vehicles, understand the vulnerabilities that arise, and seek effective strategies to keep these larger devices—our vehicles—resilient against the growing tide of automobile hacking. Welcome to “The Rise of Automobile Hacking: How to Keep Our Larger Devices Safe.”
What is Automobile Hacking?
Automobile hacking is the process of gaining unauthorized access to a vehicle’s hardware, software and communication systems in order to manipulate them. Methods range from something as simple as walking up to an unlocked car and stealing it or its contents, to more sophisticated approaches such as connecting wirelessly through Bluetooth or Wi-Fi to compromise the vehicle. It also includes ways of preventing normal vehicle functions from working: disabling the car alarm so that it sends no notification during a break-in, disrupting cybersecurity functions so that the car becomes even more vulnerable, or interfering with the air conditioning or heating system, which may cause the car to shut down in high-temperature countries.
The hacker’s target is the car’s electronic control unit (ECU), which connects to other communication channels and networks. The ECU is an embedded system in automotive electronics that controls one or more of the electrical systems or subsystems in a car or other motor vehicle.
Case Study: Honda Hack
In March 2022, Honda fell victim to the SNAKE ransomware attack. This resulted in a temporary shutdown of production facilities, customer experience and financial services.
The vulnerability, titled CVE-2022-27254, is classified as a Man-in-the-Middle (MITM) attack or more specifically a replay attack where the attacker intercepts the RF signals normally sent from a remote key fob to the car, manipulates these signals, and re-transmits these at a later time to unlock the car whenever they wish.
While SNAKE did not have the ability to exfiltrate data, it made up for it by forcibly stopping processes, particularly those related to the Industrial Control Systems (ICS). This breach highlighted the vulnerability of the operational technology (OT) system, which was old and outdated and therefore more susceptible to cyber threats.
What are some types of Automotive Hacking?
Key Fobs
Car owners are often warned of the dangers of key fobs. Many cars are shifting to a keyless or smart key system for convenience. Also referred to as relay attacks, key fob hacking occurs when individuals copy the signal being transmitted by the key fob using an RF transmitter and then use it to unlock the car, after which they can steal valuables from it or take the entire vehicle. Some hackers also use car hacking devices to unlock vehicles. These are readily available online and on the dark web. Depending on the model of the vehicle, some signals are more difficult to intercept and manipulate than others.
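The case study and the key fob section both describe a captured fob signal being re-transmitted later. The sketch below is an added example, not code from any manufacturer: it contrasts a receiver that accepts a fixed code with one that requires an authenticated, increasing counter. The key, frame layout, tag length and `WINDOW` value are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16   # assumption: missed button presses the receiver tolerates
TAG_LEN = 8   # assumption: truncated HMAC-SHA256 tag length in bytes

def fob_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Frame a fob would send: 4-byte counter || command || tag."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class FixedCodeReceiver:
    """Weak design: the same bytes unlock the car every time."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""
    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 4 + 1 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or altered frame
        counter = struct.unpack(">I", body[:4])[0]
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False                      # already seen, or too far ahead
        self.last_counter = counter           # burn this counter value
        return True

def demo() -> dict:
    key = b"constructed-demo-key-not-real-00"   # constructed sample key
    fixed = FixedCodeReceiver(b"UNLOCK-STATIC")  # constructed static code
    rolling = RollingCodeReceiver(key)
    seen = fob_frame(key, 1, b"UNLOCK")          # frame observed once on air
    return {
        "fixed_first": fixed.accept(b"UNLOCK-STATIC"),
        "fixed_replay": fixed.accept(b"UNLOCK-STATIC"),
        "rolling_first": rolling.accept(seen),
        "rolling_replay": rolling.accept(seen),
        "rolling_next": rolling.accept(fob_frame(key, 2, b"UNLOCK")),
        "rolling_forged": rolling.accept(struct.pack(">I", 3) + seen[4:]),
        "rolling_far_ahead": rolling.accept(fob_frame(key, 100, b"UNLOCK")),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

A counter check only stops re-use of frames the receiver has already accepted; it does not address a live signal being relayed from a nearby fob, which is what shielding the fob is meant to prevent.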
GPS Spoofing
Many modern-day vehicles have a built-in Global Positioning System (GPS). It is now the standard way for travelers to get from point A to point B efficiently. While it provides many opportunities to businesses and individuals, it is susceptible to cyber-attacks through GPS spoofing. GPS spoofing occurs when a counterfeit radio signal with false times and coordinates is transmitted to a receiver antenna to disrupt and override a legitimate GPS satellite signal. This technique poses threats in various contexts, from disrupting navigation systems and causing inaccurate mapping to remotely manipulating the movement of your car or even aiding criminal activities, for example, stealing shipments or sending pirates to boaters’ locations.
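Because a spoofed signal carries false times and coordinates, a receiver-side plausibility check can flag fixes that imply an impossible jump or a clock that runs backwards. The following is an added example, not part of the original article; the speed ceiling and the sample fixes are constructed assumptions, and the check is a single heuristic rather than a complete anti-spoofing scheme.

```python
import math

MAX_SPEED_MPS = 70.0  # assumption: about 250 km/h ceiling for a road vehicle

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def flag_fixes(fixes, max_speed=MAX_SPEED_MPS):
    """fixes: list of (unix_time, lat, lon). Returns [(index, reason), ...].

    Each fix is compared with the last fix that passed the checks, so a
    single bad fix does not poison the comparison for the ones after it.
    """
    if not fixes:
        return []
    alerts = []
    last_good = fixes[0]
    for i, fix in enumerate(fixes[1:], start=1):
        dt = fix[0] - last_good[0]
        if dt <= 0:
            alerts.append((i, "time_not_increasing"))
            continue
        speed = haversine_m(last_good[1], last_good[2], fix[1], fix[2]) / dt
        if speed > max_speed:
            alerts.append((i, "implausible_jump"))
            continue
        last_good = fix
    return alerts

# Constructed sample track: one-second fixes with two anomalies injected.
SAMPLE_FIXES = [
    (1700000000, 43.6532, -79.3832),
    (1700000001, 43.6533, -79.3832),  # about 11 m in 1 s: plausible
    (1700000002, 43.7000, -79.3832),  # about 5 km in 1 s: not plausible
    (1700000001, 43.6534, -79.3832),  # timestamp goes backwards
    (1700000003, 43.6535, -79.3832),  # plausible again
]

if __name__ == "__main__":
    for index, reason in flag_fixes(SAMPLE_FIXES):
        print(index, reason, SAMPLE_FIXES[index])
```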
Apps and remote control
Many modern-day vehicles are made with the ability to integrate mobile applications. However, when these applications are created poorly, they are the perfect entry point for hackers.
Users are often warned about vulnerabilities in apps that would have allowed hackers to remotely control the locks, engine, horn, headlights, and trunk of certain cars made after 2012, according to security researchers. Furthermore, cloud-based app services that connect vehicles to external servers are susceptible to malicious actors. If attackers gain access to the cloud infrastructure, they may manipulate or steal data or control vehicle functions remotely. This could result in unauthorized access to user data, tracking of the vehicle’s movement, or manipulating critical systems.
Server Hacking
The servers for automotive vehicles are also very attractive to hackers, as they store a treasure trove of data about mobile apps, sales data, and customer personal and financial information. A compromise therefore has the potential to be catastrophic in many ways. If hackers can exploit software vulnerabilities, weak passwords, or other security weaknesses to gain control of the servers, the result could be data breaches, ransomware attacks on automotive servers that hijack vehicle functions until a ransom is paid, and remote access to vehicle functions through vulnerability exploits.
USB port exploitation
Incorporating USB ports brought a new avenue of potential cyber threats and car hacking, as hackers can now use the car’s USB ports as a gateway to its electronic systems. In some cases, malicious actors could insert USB drives or smartphones containing malicious code into a car’s USB sockets to gain control over various vehicle functions. When the compromised device is connected, the malware can infiltrate the car systems, potentially gaining unauthorized access or control. This type of attack can lead to a range of consequences, from unauthorized data access to manipulation of critical vehicle functions, depending on the sophistication of the malware.
Furthermore, when users conduct firmware updates through the USB ports, hackers can intercept the process and inject malicious code into the car’s system, leading to persistent vulnerabilities. This can lead to manipulating safety-critical systems, unauthorized surveillance, or remote control of certain vehicle functions.
Telematics
The telematics system combines the GPS, onboard vehicle diagnostics, wireless devices, and black box technologies that record, store, and transmit vehicle data. This system is commonplace for fleet vehicles, like those purchased by taxi operators and shuttle services. If the system is hacked, threat actors can easily manipulate it to access private information stored on the car’s internal computer.
Notably, research conducted by the company Spireon identified multiple security holes that allowed hackers to gain “full administrator access to company-wide administration panel with the ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start the engine, disable starter, etc.), read any device location, and flash/update device firmware.”
How can Automotive Hacking be prevented?
Install a firewall
Being connected to a larger network is integral for modern-day vehicles. Removing this connection will result in most of the car’s attractive features not working efficiently.
To keep this connectivity safe, vehicle owners should implement a proper firewall to alert them to any threats and restrict communication from unauthorized parties. Furthermore, manufacturers should install a built-in firewall. An effective firewall will restrict vehicle-to-vehicle (V2V) and vehicle-to-everything (V2X) communication to authorized parties only.
Secure internet access via VPN
A VPN (Virtual Private Network) establishes a secure and private network connection over a public network. VPNs are crucial to securing vehicle gadgets, engines, and internal components.
VPNs encrypt your internet traffic and disguise your online identity. This shields your traffic from third parties who want to track your activities online and steal data, especially when your phone is on public Wi-Fi and connected to your car’s electronic system. A robust VPN will enable car owners to securely access the internet while also defending linked automobiles from outside assaults.
Faraday Bag to protect Key Fob
A popular method for keeping key fobs secure is storing them in a Faraday pouch/bag or an RFID-blocking pouch. These work by blocking electromagnetic signals being emitted by the key fob and preventing them from being intercepted by any nearby devices.
Also, avoid leaving key fobs in unsecured locations or near external doors and windows. If a Faraday bag is unavailable, a rudimentary but still effective solution is to wrap the key fob in aluminum foil, which also blocks electromagnetic signals emitted by the key fob.
Strong Password Protection
Password-protect all accounts that have access to the vehicle, to manage access to your car’s information and to prevent unauthorized logins. The car’s “about” section may contain information that could give threat actors access to the ECU, which stores data. It is also recommended to routinely monitor accounts and implement proper access control.
Limit the use of GPS
As GPS is now built into modern cars, it is tempting to always have the system running when using the vehicle. This, however, opens the system to transmissions which can lead to a direct attack. It is thus recommended to turn off your GPS when not in use.
Use Manufacturer-Endorsed Software Only
Third-party programs not approved by the manufacturer can expose vehicles to many risks. When devices connect to them and accept the terms and conditions (which often do not get read), they can easily become infected with malware. It is thus recommended to only use reputable applications from the Google Play Store and application store. We do, however, urge consumers to also read the policies before agreeing.
Keep your vehicle software up-to-date
As cars have become large computers, staying aware of any software security patches your automaker provides is important. Updates are typically uploaded on the vendor’s websites and then downloaded onto your USB flash drives for you to plug into the port in your car later to transfer the fix or update to your vehicle.
Install the manufacturer’s over-the-air (OTA) updates and security patches. Lastly, you could bring the vehicle to the dealer itself to get the latest software updates.
Revolutionary Cybersecurity Measures
As vehicle hacking becomes more of a concern, vehicle manufacturers must take extra steps to meet security standards to better protect against potential threats. Notably, manufacturers are now incorporating cybersecurity into the design process of new cars instead of adding it at the final stage of production. In addition, other companies have created teams that conduct research on potential threats and develop plans to mitigate them.
As a result, manufacturers can protect their vehicles against long-term security threats and foster innovation by proactively investing in protective measures against emerging threats.
In addition, in 2021, ISO/SAE 21434 was finally released, and with it came many implications for automotive software design. This document specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces.
Furthermore, vehicle manufacturers are developing Vehicle-to-everything (V2X) communication technology. V2X represents a groundbreaking system enabling vehicles to communicate and interact with other vehicles, infrastructure, and pedestrians. This emerging technology delivers instantaneous information to drivers regarding potential dangers on the road. This system promises advancement in the automotive sector, enhancing security and contributing to the overall driving experience.
Another notable development is supply chain security. With various suppliers contributing to the creation process, it is imperative to secure the complex automotive supply chain to prevent malicious actors from exploiting weaknesses that would allow them to compromise the security of the vehicles.
One component of supply chain security is end-to-end encryption, including securing the transportation of security components, the updating process, and the decommissioning of vehicles to prevent unauthorized access or data breaches. Another is implementing comprehensive vendor risk management programs that assess the cybersecurity practices of suppliers, enforce security standards, and regularly audit and monitor supply chain partners. The last is implementing rigorous testing and validation processes for components, establishing secure communication protocols, and verifying the authenticity of supplied components.
Essentially, we need a combined effort among the authorized stakeholders (car drivers, car manufacturers, service providers, insurance companies, and maintenance operators) to ensure that our vehicles remain safe and secure.
In this collective journey of automotive security, Oppos emerges as a dedicated partner committed to fortifying the defenses of both manufacturers and drivers. With our team of experts with a vast understanding of the unique security challenges presented within the automotive sector, we can establish collaborative partnerships that extend beyond generic solutions.
Our approach begins with a customized consultation and comprehensive risk assessments, addressing vulnerabilities specific to the automotive industry. Whether it is the development of advanced software tools, the implementation of hardware security measures, or the provision of expert consulting services, our solutions are finely tuned to meet the distinctive needs of modern-day vehicles.
Through our active dedication to remaining up to date and participating in industry standards, we ensure that the security framework we employ aligns seamlessly with emerging regulations for automotive security. Furthermore, through educational initiatives, including awareness programs and workshops, we empower manufacturers and drivers with the knowledge to navigate the evolving landscape of automotive security.
Final Thoughts
In conclusion, the landscape of automotive technology security demands our unwavering attention and commitment. The interconnected nature of modern cars, coupled with the complexities introduced by key fob vulnerabilities, GPS spoofing, server hacking, USB port exploitation, and telematics threats, underscores the need for proactive measures.
As the vulnerabilities and the threat of hacking loom over all authorized stakeholders – car drivers, manufacturers, service providers, insurance companies, and maintenance operators – we are forced to unite our efforts to safeguard the security of our vehicles.
To fortify them against the rising tide of automotive hacking, we have explored practical strategies such as firewall installations, VPN-secured internet access, and the use of Faraday bags to shield key fobs. Furthermore, we examined steps the manufacturers could embrace from the design stage, to anticipate potential threats, alongside ISO/SAE 21434, released in 2021, which sets new standards for automotive software design, emphasizing the critical role of cybersecurity risk management throughout the entire lifecycle of vehicles.
Looking ahead, Vehicle-to-Everything (V2X) communication technology and advancements in supply chain security promise to revolutionize automotive security, offering real-time information to drivers and securing the complex web of suppliers contributing to the creation process.
Our organization, Oppos, stands as a committed partner in this collective journey, offering tailored consultations, risk assessments, and collaborative solutions to fortify the defenses of manufacturers and drivers alike.
As we navigate this complex terrain, the responsibility to secure our larger devices rests on the shoulders of all stakeholders.
By implementing recommended security measures, staying vigilant, and embracing innovative practices, we can collectively pave the way for a secure and resilient future for our interconnected cars.
In this ongoing journey, collaboration and expertise become the cornerstones, ensuring that the rise of automotive hacking does not compromise the safety and integrity of our vehicles on the road.
Ready to secure your vehicle against cyber threats? Contact Oppos now for cutting-edge solutions and expert advice.
Automotive Hacking FAQs
What is Automobile Hacking?
Automobile hacking involves unauthorized access to a vehicle’s systems, manipulating hardware, software, and communication networks.
How do hackers exploit Key Fobs?
Hackers copy key fob signals using RF transmitters in relay attacks, allowing them to unlock and potentially steal vehicles.
What is GPS Spoofing in the context of vehicles?
GPS spoofing involves transmitting false GPS signals to disrupt or manipulate a vehicle’s navigation system.
How can vehicle owners prevent automotive hacking?
Owners can use firewalls, VPNs, Faraday bags for key fobs, strong passwords, and manufacturer-endorsed software to enhance security.