Vulnerabilities

Information Security Vulnerabilities of Automobiles

Daniel Dimov
January 13, 2015 by
Daniel Dimov

1. Introduction

In the past, cars and computers did not have many touching points. Nowadays, modern cars contain numerous computers. As Bruce Emaus, the chairman of SAE International, stated: "It would be easy to say the modern car is a computer on wheels, but it's more like 30 or more computers on wheels." The complexity of modern cars can be understood by comparing their software with the software used on the space ship (Apollo 11) that put humans on the moon. While Apollo 11 had 145,000 lines of computer code, modern cars have more than 100 million lines of code.

Learn Vulnerability Management

Learn Vulnerability Management

Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.

Although in-car computers ensure the comfort and the safety of the occupants of the car, they may be hacked by criminals. Car thefts may be one of the reasons for hacking cars. Criminals stealing cars by using hacking methods can hide very well from law enforcement institutions, because they do not leave evidence that would be left by a forcible entry.

The purpose of this article is to examine the information security vulnerabilities of the following elements of the modern cars: door locks (Section 2), in-vehicle infotainment systems (Section 3), MP3 players (Section 4), systems for on-board diagnostics (Section 5), and telematics systems (Section 6). Finally, a conclusion is drawn (Section 7). These five elements of the modern cars are displayed on the diagram below.

2. Door locks

The door locks of most modern cars can be opened by a radio frequency remote keyless system. The users of such systems can open the car by pressing a button on a remote control key fob. The first car with a radio frequency remote keyless system was the French Renault Fuego. A radio frequency remote keyless system can be hacked by spoofing the signal from a wireless key fob. In this context, the term "spoofing" refers to emitting a fake signal.

It should be noted that hacking of a car by spoofing the signal from a wireless key fob is not a hypothetical threat. Such hacks have already been reported. Below, I provide two examples demonstrating successful hacking of door locks.

Silvio Cesare, a security researcher, invented a technique allowing anyone to spoof the signal from a wireless key fob and unlock the car. The hacking process takes a few minutes. According to Casare, the technique "effectively defeats the security of the keyless entry." A video of the hacking process can be found at the following URL: http://www.wired.com/2014/08/wireless-car-hack/ .

Srdjan Capkun, Aurélien Francillon, and Boris Danev, scientists working for ETH Zurich in Switzerland, successfully opened the door locks of 10 cars by intercepting and relaying signals from the cars. The attack used by them works irrespectively of the cryptography and the protocols used by the remote keyless system.

3. In-vehicle infotainment systems

The term "in-vehicle infotainment system" means a collection of hardware devices installed into transportation devices that display navigation and other information and provide audio or video entertainment (e.g., listening to audio files and playing video games).

Most in-vehicle infotainment systems allow the user to install mobile applications developed by third parties. In case a mobile app contains malware, it can affect the in-vehicle infotainment system. In this regard, it is worth mentioning that in 2013 there were over one million malicious applications for download on the Android market only. FAKEINST and OPFAKE were the most popular malware programs. FAKEINST disguises as a legitimate program and sends text messages without a user's permission. OPFAKE also disguises as a legitimate program, but, instead of sending text messages, it opens webpages that contain malicious files.

As a response to the threats associated with mobile apps, many car manufacturers decided to allow the users of their cars to install only certain pre-approved apps on the in-vehicle infotainment systems. While such a solution may increase the information security of car users, it significantly restricts consumer choice. The car users may "jailbreak" the in-vehicle infotainment systems in order to remove the restrictions imposed by the car manufacturers. The term "jailbreaking" refers to circumventing security measures of a mobile operating system with the aim to install unauthorized software.

4. MP3 players

Virtually all modern cars have an MP3 player. The MP3 player can be used by hackers as an entry point for accessing the computers of the other components of the car. The MP3 player is an especially attractive place for hacking attacks because people generally do not consider digital music files as potential carriers of malware. As Stefan Savage, a professor at the University of California, noted, "it's hard to think of something more innocuous than a song."

Although the digital music files are considered by some as "harmless" files, the researchers at UCSD and the University of Washington demonstrated hacking of a car MP3 player. By adding code to a digital music file, they were able to infect a song burned to CDR with a malware. When played on the car's MP3 player, the infected song changed the software of the MP3 player in such a way as to allow the hackers to access the other components of the car.

A McDonald's promotion in Japan is a real-life example of the information security risks associated with digital music files. During the promotion, McDonald's gave to people 10,000 USB-stick MP3 players containing ten free songs. The MP3 players also contained a Trojan horse (QQPass) that was capable of stealing data from the computers of the users. In this case, the infection seems to have been caused by third parties, not by McDonald's. McDonald's apologized for the case and set up a help line.

5. Systems for on-board diagnostics

The systems for on-board diagnostics provide the vehicle owner or the technician access to the status of various components of the vehicle. Such access can be obtained by connecting to a port which can be found in the car. The port can be used not only by owners of the car and technicians, but also by hackers willing to infect the computers of the car with malware. Researchers at The Center for Automotive Embedded Systems Security (CAESS) proved such a possibility by installing a malware program onto the car's CAN bus through the (On-Board Diagnostics) OBD-II port. After the installation, the malware was able to move the windshield wipers and activate the brakes.

In 2012, The Register stated that on-board diagnostics bypass tools were imported in Europe and Australia from China and Eastern Europe. The tools can be used for reprogramming a blank key and stealing a car. David Stupples, a professor at City University London, stated in relation to the tools that: "Crooks only need to monitor a person using the key or interrogate the key fob to get enough information to decipher the key."

In the same context, the Australian Theft Reduction Council chief Ray Carroll pointed out that: "Not long ago insurers were safe in saying a car with an Australian-standard immobiliser that was stolen without the keys was potential fraud. Now you can't really say that because there's good evidence where OBDs are able with a bit of black-market software to recode the immobiliser module to a key you've brought along."

It should be pointed out that car manufacturers have recently started using encryption in order to prevent information security attacks on the systems for on-board diagnostics.

6. Telematics systems

The telematics systems are in-car electronic systems which can perform various functions, including, but not limited to, disabling the vehicle in case of a theft, notifying the police in the event of a crash, and displaying diagnostic information. By gaining access to the telematics systems, hackers can activate or deactivate the functions of those systems. There are two scenarios of attacks on the telemetics systems. In the first scenario, a mechanic installs malware on a telematics system. In the second scenario, a hacker receives unauthorized access to the wireless networks the telematics system is plugged into. A research paper written by computer scientists from the University of Washington and the University of California warns that the second scenario is not merely theoretical. More particular, the paper states that:

"In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance. While outside the scope of this paper, we wish to be clear that vulnerabilities in such services are not purely theoretical. We have developed the ability to remotely compromise key ECUs in our car via externally-facing vulnerabilities, amplify the impact of these remote compromises using the results in this paper, and ultimately monitor and control our car remotely over the Internet."

7. Conclusion

At present, there are not many reported cases of hacked cars. However, because hacking of cars may be a relatively simple activity, the number of such cases may significantly increase in the near future. The following quote from the above-mentioned paper clearly indicates the easiness of hacking a car:

"In starting this project we expected to spend significant effort reverse-engineering, with non-trivial effort to identify and exploit each subtle vulnerability. However, we found existing automotive systems—at least those we tested—to be tremendously fragile. "

In order to prevent the appearance of car hacking cases, car manufacturers need to implement up-to-date information security measures. These measures will not only protect car users, but also pave the way toward the introduction of new self-driving cars, which will be entirely dependent on technology.

The car manufacturers that do not ensure the information security of their cars risk losing significant market share, because car users are seriously worried about the security and privacy of their cars. A Harris Interactive poll indicated in 2012 that 76% of 2,634 respondents consider the in-car connectivity as a dangerous aspect of modern cars. 55% of the respondents stated that car manufacturers went too far in including interconnected technologies in their vehicles.

* The author would like to thank Rasa Juzenaite for her invaluable contribution to this article.

References

1. Barry, K., 'Can Your Car Be Hacked: Hack to the Future', Car and Driver, July 2011. Available at http://www.caranddriver.com/features/can-your-car-be-hacked-feature .

2. Brooks, R., 'Introduction to Computer and Network Security: Navigating Shades of Gray', CRC Press, 2013.

3. Covert, A., 'Now Cars Are Vulnerable to Malware', Gizmodo, 15 March 2011. Available at http://gizmodo.com/5781966/now-cars-are-vulnerable-to-malware .

4. Dimov, D., 'Legality of Jailbreaking Mobile Phones', InfoSec Institute, 16 December 2014. Available at /legality-jailbreaking-mobile-phones/ .

5. Greenberg, A., 'Watch This Wireless Hack Pop a Car's Locks in Minutes', 8 April 2014, Wired.com. Available at http://www.wired.com/2014/08/wireless-car-hack/ .

6. Ippolito, J., 'Hack someone's car with a malicous tune', NMDnet, 4 February 2011. Available at http://www.nmdnet.org/2011/04/02/hack-someones-car-with-a-malicious-tune/ .

7. Kelly, G., 'Report: 97% of Mobile Malware is On Android. This is The Easy Way You

Stay Safe', Forbes, 24 March 2014. Available at http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile-malware-is-on-android-this-is-the-easy-way-you-stay-safe/ .

8. Leyden, J., 'Got a BMW? Thicko thieves can EASILY NICK IT WITH $30 box', The Register, 17 September 2012. Available at http://www.theregister.co.uk/2012/09/17/bmw_car_theft_hack/ .

9. Motovalli, J., 'The Dozens of Computers That Make Modern Cars Go (and Stop)', New York Times, 4 February 2010. Available at http://www.nytimes.com/2010/02/05/technology/05electronics.html?_r=1& .

10. Naone, E., 'Car Theft by Antenna: Researchers beat automatic locking and ignition systems', 6 january 2011, MIT Technology Review. Available at http://www.technologyreview.com/news/422298/car-theft-by-antenna/page/1/ .

11. O'Connor, F., 'Survey: Drivers like in-car Internet, worry about safety, privacy', Computerworld, 2 August 2012. Available at http://www.computerworld.com/article/2505379/vertical-it/survey--drivers-like-in-car-internet--worry-about-safety--privacy.html .

12. Osborne, C., 'Malicious apps, mobile malware reaches 1 million mark', ZDNet, 1 October 2013. Available at http://www.zdnet.com/article/malicious-apps-mobile-malware-reaches-1-million-mark/ .

13. Pagliery, J., 'Your Car is a giant computer - and it can be hacked', CNN, 2 June, 2014. Available at http://money.cnn.com/2014/06/01/technology/security/car-hack/ .

14. Stevens, C., 'McDonalds' free Trojan: "Would you like malware with that?"', CNET, 17 October 2006. Available at http://www.cnet.com/news/mcdonalds-free-trojan-would-you-like-malware-with-that/ .

Learn Vulnerability Management

Learn Vulnerability Management

Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.

15. '$30 device available online blamed for spike in car thefts in Queensland', news.com.au, 18 August 2012. Avaiable at http://www.news.com.au/national/queensland/device-available-online-blamed-for-spike-in-car-thefts-in-queensland/story-fndo4ckr-1226452922444 .

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.