The Rising Cybersecurity Concerns in the Automotive Industry

In recent years, the automotive industry has witnessed rapid technological advancements. From self-driving capabilities to internet-connected infotainment systems, modern vehicles are increasingly becoming complex interconnected systems. While these innovations offer unparalleled convenience and functionality, they also introduce a new realm of risks: cybersecurity threats. Several major car manufacturers have faced cybersecurity incidents, highlighting the evolving challenges in ensuring vehicle security.

Jeep (Fiat Chrysler)

One of the most notable incidents that brought vehicle cybersecurity to the forefront occurred in 2015. Security researchers Charlie Miller and Chris Valasek demonstrated a chilling scenario: remotely hacking into a Jeep Cherokee’s infotainment system. They could not only control the music and air conditioning but also disable the brakes and tamper with the transmission. The ramifications were immediate, leading Fiat Chrysler to recall 1.4 million vehicles to rectify the vulnerability. This incident was a wake-up call, revealing that cars could be new targets for cyber-attacks.

Tesla

Tesla, a leader in electric and autonomous vehicles, has consistently been in the spotlight regarding cybersecurity. The company’s proactive approach involves running a bug bounty program, which incentivizes ethical hackers to discover and report vulnerabilities. Over the years, several security issues have been identified and addressed under this program. Tesla’s approach underscores the importance of proactive measures in an industry racing towards full automation.

Nissan

In 2016, the Nissan Leaf, a popular electric car, faced a significant vulnerability. Researchers discovered that the car’s companion app could be exploited, allowing unauthorized individuals to access vehicle operations data and even control certain functionalities. Such a breach pointed towards the broader risks associated with integrating mobile applications with vehicles.

General Motors (GM)

Following suit with Tesla, GM launched its own bug bounty program after researchers demonstrated vulnerabilities in their vehicles. By fostering a collaborative relationship with the cybersecurity community, GM emphasized the evolving need for continuous vigilance in the automotive sector.

Volkswagen’s Dieselgate

2015’s “Dieselgate” was a different kind of scandal. Volkswagen was found guilty of manipulating emissions tests using software installed in diesel engines. While not a cybersecurity breach per se, the incident highlighted the broader ethical implications of software misuse in vehicles.

Toyota

In 2019, Toyota, one of the world’s leading automakers, faced a traditional cybersecurity threat when unauthorized access to their subsidiary servers was detected. This breach potentially exposed the data of up to 3.1 million customers, reminding the industry that while vehicle control is a concern, data privacy remains a significant issue.

Mercedes-Benz and Mazda

Other major car manufacturers, like Mercedes-Benz and Mazda, have not remained untouched. Researchers found that backend systems of Mercedes-Benz connected services had vulnerabilities that could allow real-time user tracking. Mazda, on the other hand, had issues with its Mazda Mobile Start app, which, if exploited, could have allowed attackers to start car engines or access user accounts.

Navigating the Future

As vehicles continue to evolve, integrating cutting-edge technology and offering enhanced connectivity, the automotive industry must remain vigilant. It’s not just about the potential misuse of vehicles but also about the vast amounts of data these connected vehicles collect.

Several initiatives can help navigate these challenges:

  1. Collaborative Approach: Encourage collaborations between automakers and the cybersecurity community, as seen with bug bounty programs.
  2. Regulatory Measures: Governments worldwide can enact stricter regulations and standards for vehicle cybersecurity, ensuring that manufacturers prioritize security alongside innovation.
  3. Consumer Awareness: Educating consumers about potential risks and best practices can be a line of defense. Simple measures, like updating software regularly and being cautious about granting app permissions, can make a difference.
  4. Investing in R&D: Manufacturers should continually invest in research and development focused explicitly on cybersecurity.

In conclusion, the intersection of automotive technology and cybersecurity is in its nascent stages. While the potential risks are real and evolving, with a proactive and collaborative approach, the automotive industry can ensure that the vehicles of the future are not only smart but also secure.

Tesla was hacked in 2019.

At the Pwn2Own hacking competition in 2019, a team of security researchers successfully hacked a Tesla Model S car. The team, which included researchers from Tesla, managed to exploit a vulnerability in the car’s web browser to take control of the vehicle’s infotainment system.

From there, they were able to access the car’s firmware and control its acceleration and brakes, among other functions. The team won a prize of $375,000 for their successful hack.

It’s worth noting that this hack was performed under controlled conditions and with the cooperation of Tesla, who provided the researchers with a specially configured car to work on. Tesla has a bug bounty program that rewards researchers for finding and reporting security vulnerabilities in its products, and the company said it takes the security of its vehicles very seriously.

The hack demonstrated the potential risks associated with connected cars and the importance of manufacturers implementing strong security measures to protect against cyber attacks. Tesla has since released software updates to address the vulnerabilities that were exploited in the hack, and continues to work on improving the security of its vehicles.

Hacking of Your Car Is Possible on Android Phones

We now live in an era in which almost everything is connected, whether to the internet or via wireless technology. From smartphones to cars, manufacturers are rushing to link mobile phones and vehicles to support functions such as driverless operation. Some mobile apps can already summon vehicles, just as we have seen in Knight Rider. With the advancement of technology comes the danger: these phones can be hacked, and hackers could then launch terror attacks or hijack vehicles with ease.

Tests were conducted on at least nine vehicles, built by seven companies, that are controlled through Android apps, and all of them were vulnerable to attack. Researchers from Kaspersky, a software security firm, confirmed that most of the mobile apps, which have been downloaded over a million times, lack even basic software defences to protect drivers in case of an attack. Hackers can root a phone or trick users into installing malicious code, then unlock the vehicle and start the ignition.

The Ignition Remix

As of today, the researchers have refused to name the specific mobile apps they tested, for fear that publication would help car thieves. However, they argue that their study should make the car industry take vehicle security seriously. It is time connected-car application developers treated their products just like banking apps, according to Kaspersky lead researcher Viktor Chebyshev.

In the worst-case scenario, the researchers found that a hacker can gain access to locked vehicles; vehicle thieves would require other tricks for more serious attacks, like controlling the key or disabling the vehicle’s immobiliser, the system that prevents vehicles from being stolen. They pointed to Tesla’s cars, which can be driven using only a smartphone app, as an excellent example of how hacking a mobile phone can lead to theft, even though Tesla cars were not part of their research.

The security experts’ analyses are based on the mobile apps themselves; they only ‘hacked’ into one of the affected vehicle models in question. They also claim that there was no need to inject Android malware to pull off the dirty tricks that thieves or terrorists could use to cause damage. They warned that poorly built apps that lack proper coding are vulnerable to vehicle thieves, and they highlighted that hacker forums are showing interest in hacking app-connected vehicles. These forums openly display offers to buy and sell connected-vehicle app credentials, including usernames and passwords and, shockingly, even PINs and the unique Vehicle Identification Numbers (VINs) of different vehicles. The usual rate runs into hundreds of dollars per account. Chebyshev said that cybercriminals are preparing for such attacks and that the vehicle industry should take notice of this online activity.

The Kaspersky security researchers highlighted three techniques for exploiting the Android applications they tested. (iOS is much more difficult for hackers to attack.) They found that all of the apps except one stored the username, password, or both unencrypted in the mobile device’s storage. By rooting the victim’s phone, that is, by gaining full privileges in the phone’s OS, an expert hacker can read those stored login details and send them off to a command-and-control server. Hackers could also trick vehicle owners into downloading altered versions of car apps in order to steal login details. Alternatively, car thieves can infect mobile phones with malware that launches an “overlay” attack: when the car app starts, the malware detects that it is loading, preempts it with a fake user interface, steals the details the user enters, and transfers them to a remote location. A hacker may also equip the malware with multiple overlays in order to spoof any connected-car app the victim may load.

Time to Buckle Up

The security experts also said that they have reported their findings to several companies whose cars are highly vulnerable. However, they noted that most of the problems are not security bugs so much as a lack of proper safeguards. Encrypting the login credentials stored on a mobile device, adding two-stage authentication or fingerprint authentication, or building integrity checks into the apps could all help prevent credential theft and stop malicious code from being injected into the apps.
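As an added example (not code from Kaspersky or any car maker), the following audit script shows how a developer could check their own app's Android shared-preferences file, pulled from a test device, for credentials stored in cleartext. The sample file, the key names and the entropy threshold are constructed assumptions, and the check is a heuristic rather than proof of encryption.

```python
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of an Android shared_prefs XML file (not from any real app).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">driver@example.com</string>
    <string name="password">Summer2017!</string>
    <string name="vehicle_pin">4821</string>
    <string name="auth_token">q3Jx0fV9mZ2Lk8sT1uYw7bNcR5hPd4Ae6GiOoXvKzQ+=</string>
    <string name="theme">dark</string>
    <boolean name="remember_me" value="true" />
</map>"""

# Key names that suggest a stored credential (hypothetical list; extend per app).
CRED_KEY = re.compile(r"user|login|mail|pass|pin|token|secret|vin", re.I)
BASE64ISH = re.compile(r"[A-Za-z0-9+/_=-]+")

def bits_per_char(value):
    """Shannon entropy of the string, in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def looks_opaque(value):
    """Heuristic: long, base64-alphabet, high-entropy values are probably
    ciphertext or random tokens rather than something a user typed."""
    return (len(value) >= 32
            and BASE64ISH.fullmatch(value) is not None
            and bits_per_char(value) > 4.0)

def audit_prefs(xml_text):
    """Return the names of credential-like keys whose values look like cleartext.
    Only key names are returned so the report never echoes the secrets."""
    findings = []
    for el in ET.fromstring(xml_text).iter("string"):
        name, value = el.get("name", ""), el.text or ""
        if CRED_KEY.search(name) and value and not looks_opaque(value):
            findings.append(name)
    return findings

if __name__ == "__main__":
    for key in audit_prefs(SAMPLE_PREFS):
        print(f"cleartext credential stored under key: {key}")
```

Any key this reports is a candidate for moving into storage encrypted with a key held in the Android Keystore, so that a copy of the file alone does not reveal the login details.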

This is not the first time makers of app-connected cars have faced safeguard issues in their products. Toyota, Nissan, and Ford have also been vulnerable to hacking. It is also important to note that the problem is not confined to phones running Android. Security expert Samy Kamkar, back in 2015, explained how he could deploy a tiny piece of hardware hidden on a vehicle to intercept login credentials from iOS apps such as OnStar (GM), UConnect (Chrysler), mbrace (Mercedes-Benz) and Remote (BMW), all wirelessly. Kamkar’s method also allowed him to locate a car remotely, unlock it, and in some cases start the ignition. In such an attack, he said, there would be “no warnings”, and the car credentials would be easily stolen and reused by the hacker “without phone modifications”; he was comparing his attack method with the Android attacks described by the security experts at Kaspersky.

As connected vehicles gain huge interest among buyers, the researchers at Kaspersky said manufacturers must lock down the mobile apps that can control their products, even as both ethical malware testers and criminal hackers gear up to find flaws in their systems. It may be better if we can open the car door without ever triggering the car alarm; however, these functionalities are just being explored, said Kaspersky lead researcher Mikhail Kuzin, adding that car makers “will have to add new security features to make users’ lives more convenient and at the same time prevent attacks”. It’s time app makers and car makers took the utmost care over security issues, and did it right.