Automobiles have come a long way since they were introduced to the masses at the beginning of the 20th century. Once measured by the roar of their engines and the comfort of their seats, today’s cars have metamorphosed into interactive computers on wheels. With the Internet of Things (IoT) phenomenon now taking the world by storm, a wide range of vulnerabilities are being exposed on today’s advanced automobiles. So what is the security situation right now and what can be done to ensure automotive safety going ahead?
The modern car is no longer just a mechanical and electrical marvel. Virtually every electronic system is hooked up to the vehicle’s main computer, with dedicated applications operating the various Electronic Control Units (ECUs). The backbone of the modern automobile’s digital structure is the Controller Area Network Bus, commonly known as CAN Bus. This is basically the hacker’s primary target.
In a nutshell, the CAN Bus is a multi-master serial bus standard to connect the various ECUs in the vehicle. Driven by in-house developed proprietary software, the manufacturer connects and syncs the following:
But the area that is evolving by leaps and bounds is the main dashboard. Modern cars have multi-functional dashboards that resemble an airplane cockpit, controlling every aspect of the driving experience except the steering. This also includes the entire telematics package – smartphone functionality, WiFi hotspots, Bluetooth connectivity, advanced GPS navigation and more.
Hacking a car – Is it really that easy? Courtesy: CNET
Furthermore, the self-driven car revolution is already underway. Google’s fully automatic, computer-driven car is already being test-driven on American roads. While the technological gadgetry on these vehicles is impressive, there has been no talk about how security will be enforced. Traditional car manufacturers from all around the world are voicing legitimate concerns, albeit commercially motivated.
“A car is one’s second living room today,” Audi Chief Executive Rupert Stadler commented about the lurking Privacy Violation risks at a recent conference where Google chairman Eric Schmidt was present. “That’s private. The only person who needs access to the data onboard is the customer. The customer wants to be at the focus, and does not want to be exploited.”
These mega-cars are expected to hit the market as early as 2020. Open source software implementation will become common practice, potentially enabling hackers to tap into the aforementioned CAN Bus through the dashboard USB input or even via wireless connections. Harvesting of location data and other private data could also become tempting for commercial hackers.
A group of security researchers led by Stefan Savage from the University of California-San Diego proved that the computerized solutions in the modern automobile can be easily exploited. Their study concentrated on the vulnerable Controller Area Network (CAN) Bus, which is present on all US-manufactured cars from 2008 onwards.
Although the POC required a skilled hacker with physical access to the car, the malware could shut down the car’s engines and brakes, causing serious damage. Their “self-destruct” demonstration showed that just 200 lines of malicious code were enough to start a 60-second countdown on the dashboard. This obviously could be escalated further if desired or needed.
The Snapshot Dongle Hacking
The Snapshot driver tracking tool, provided as an add-on by a popular insurance firm to its customers, is installed in over 2 million American cars. This dongle, which connects to the OBD-II diagnostic port and runs on the insecure FTP protocol, helps the insurance company evaluate the driver’s habits and possibly give him a better rate on his policy if his performance is deemed satisfactory.
Security researcher Cory Thuen found that this monitoring contraption could be used to hack into cars. The Snapshot device doesn’t authenticate the cellular network, nor does it encrypt its traffic while working. There is no signing or validation done either. Thuen’s work shows that, because of the way the equipment operates, tapping into the CAN Bus is not a problem.
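What the missing "signing and validation" step looks like on the receiving side, as an added example that is not from the original article or from the Snapshot device's firmware. The message layout, key and function names are assumptions, and HMAC-SHA256 with a shared key stands in for whatever signature scheme a real device would use; encryption of the traffic is not covered here.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real device would keep a per-device secret in protected storage.
DEVICE_KEY = b"constructed-demo-key-not-for-use"
TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes
HEADER = struct.Struct(">IH")  # hypothetical layout: 4-byte counter, 2-byte payload length


def seal(counter: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Backend side: frame the payload and append an HMAC-SHA256 tag."""
    body = HEADER.pack(counter, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Device side: accept a message only if it is authentic and fresh."""

    def __init__(self, key: bytes = DEVICE_KEY):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, message: bytes):
        """Return the payload, or None if the message must be dropped."""
        if len(message) < HEADER.size + TAG_LEN:
            return None  # too short to hold a header and a tag
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged, or modified in transit
        counter, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if length != len(payload):
            return None  # declared length does not match the payload
        if counter <= self.last_counter:
            return None  # replay of an earlier message
        self.last_counter = counter
        return payload


if __name__ == "__main__":
    rx = Receiver()
    msg = seal(1, b"report-interval=60")  # constructed sample message
    print(rx.accept(msg))                         # authentic and fresh
    print(rx.accept(msg))                         # same message replayed
    print(rx.accept(msg[:8] + b"X" + msg[9:]))    # one payload byte altered
```

The tag is checked before any field is parsed, so unauthenticated bytes never reach the length or counter logic, and the counter is only advanced after every check has passed.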
The Multi Electronic Control Unit (ECU) Exploit
Security experts Charlie Miller and Chris Valasek also exposed a flurry of vulnerabilities that crippled a car’s vital systems. The automobile used for the demonstration was a Toyota Prius and they made it all happen from a laptop that was connected to its diagnostic port. This POC was extremely worrying due to its severity. The following exploits were achieved by the ethical hackers:
The POCs are piling up and are painting a very grim picture of the risks going ahead. As shown in the table below, the attack avenues available to hackers are mind-boggling.
Attack Surface Capabilities. Courtesy: AutoSec
Innovation without proper security is a risky proposition. The computerization of the retail/shopping field was rapid. Credit cards replaced hard cash on such a widespread scale that Point of Sale (POS) computers reached even the smallest of shops. But unfortunately, this wide-scale boom in transactions happened with minimal attention to security and protecting private/personal information.
The Target data breach in 2013 is considered by many to be the wake-up call that the industry needed. The Payment Card Industry Data Security Standard (PCI DSS), a global security standard initiated by the world’s leading credit card companies, is now considered mandatory in all western economies. Not implementing PCI DSS can even lead to legal action and financial penalties.
The Internet of Things (IoT) revolution in automobiles has introduced technologies into a world that has never previously been required to eliminate cyber-threats. Without secure development, this can cause similar catastrophes, and user privacy is at serious risk, unless the following steps are taken to secure the applications involved in the process.
1 – Securing all applications involved in the driving process
A modern car is typically driven by around 100 million lines of code, all systems combined. Automobile manufacturers maintain that their proprietary software is secure and unhackable, but they rarely elaborate on their security protocols. Doubts about these claims are reinforced by the fact that these companies are not bona fide IT organizations and have questionable development experience.
Applications should be developed securely for high code integrity. Once application-layer vulnerabilities are eliminated early in the Software Development Life-Cycle (SDLC), the hackers have limited options. A commonly implemented solution in security-savvy organizations is Static Application Security Testing (SAST). This method is extremely effective in automating the security process within organizations.
2 – Limiting/Restricting Open Source Software on the Car
Regardless of the security levels of the car’s proprietary software, it’s known for a fact that in-house development is limited and slow. Most automobile companies currently use 2 platforms – QNX Software Systems (Honda, Toyota, Mercedes, etc) and Microsoft Embedded (Ford, Kia, Fiat, etc). These platforms are relatively secure, but very limiting. This is where open source software is entering the scene.
Linux-powered systems have been appearing on more and more automobiles in recent times. Manufacturers enjoy faster development times and increased functionality with this open source platform, but stability and security are tough to achieve. It is therefore recommended that manufacturers stick to Windows and QNX, which is now offering HTML5 compatibility.
3 – Keeping User Privacy as a Top Priority
Regardless of the software used to power the automobile, many applications today sync with users’ smartphones and tablets and transfer private information to the car’s computer. Syncing of contacts from the smartphone is a common occurrence. This is done without any real provision to safeguard the data, which can potentially be harvested.
More and more cars and buses today are providing the option of having a WiFi hotspot. Most can be accessed freely with a basic password (typically 0000 or 1234). The same goes for Bluetooth pairing with the automobile’s media system. This growing functionality offered by automobiles will only rise once self-driven cars enter production worldwide.
An encouraging sign can be found in BMW cars produced from 2014 onwards. The German manufacturer has added a “Clear All” button in all their infotainment systems. This allows the drivers to know that their phone numbers, destinations or other kinds of private information are not on the car and cannot be harvested or stolen by hackers. Such preventive measures eventually help limit cybercrime.
The credit card industry has the PCI DSS protocol, which has to be observed by all related organizations. The health-care sector has the Health Insurance Portability and Accountability Act (HIPAA). Most organizations also have to comply with security standards like the OWASP Top-10 and SANS Top-25, things that are non-existent when it comes to car technology.
Vehicle-to-infrastructure (V2I) and vehicle-to-retail (V2R) communications are taking off in a big way and are expected to reach mammoth proportions in coming years. Recent ABI research states that by 2030, more than 459 million vehicles will support V2I, with over 406 million having V2R. Application security will have to be non-negotiable during this transition.
Unfortunately the Internet of Things (IoT) aspect of the automobile industry simply has no appropriate security standard right now. The computerization of the modern automobile is happening at a rapid pace, but application security is an aspect that is simply not being given the right attention. This problem will have to be addressed, the sooner the better.