Vehicle Hacking & Safety in 21st Century
Car hacking refers to all of the ways hackers can exploit weaknesses in an automobile’s software, hardware, and communication systems in order to gain unauthorized access or to steal it. Cars or rather most vehicles nowadays contain a number of onboard computerized equipment, including an electronic control unit (ECU), a controller area network (CAN), Bluetooth connections, key fob entry, and more. Many also connect to central servers through the internet. So, it means cars or vehicles are computers on wheels and computer can be hacked. Today’s vehicles are more reliant on computers than ever before. Forescout Ref: https://www.forescout.com/ estimates that software in modern cars contains 15 times more code than what is in most airplanes. In a car, hackers have a number of points of access to break into a car’s systems.
Fuzzing:
The goal there with fuzz testing is you want to have many test cases, as many of these misuse cases, to test if there’s any abnormal behavior, which could have a root cause and that there’s a vulnerability and then you can analyze that. If you find that there’s vulnerability, you want to fix that before any before you release that product and really attackers go in and target that vulnerability.
Regulation:
UNECE WP.29 and ISO/SAE 21434 regulations are active for cyber threats on automobiles.
Potential Attack Surface:
Predictions for 2024
- The competitive advantage in the Automotive industry will continue to be driven by digital transformation, requiring stakeholders to secure APIs and expand vSOC coverage to monitor API-related threats.
- Generative AI will have a profound impact on automotive cybersecurity stakeholders, introducing new large-scale attack methods but also equipping stakeholders with advanced detection, investigation and mitigation capabilities.
- Initial signs of regulatory fatigue, amid the maturity of UNECE WP.29 R155 and the abundance of new regulations emerging worldwide, mainly in China.
- OEMs and Charging Point Operators (CPOs) continue to deepen cybersecurity risk assessments, and deploy cybersecurity solutions to protect strategic EV charging infrastructure.
So what kinds of cars can be hacked?
Not one size fits all and each car type has it’s own hack. But Upstream Ref: https://upstream.auto/ has cataloged every major car hacking incident in the world for the last decade and found several trends Ref: https://upstream.auto/reports/global-automotive-cybersecurity-report/ . Here is where its research indicates car companies should look to bolster their cybersecurity efforts.
Some Common types of hacks:
1. Key Fob Hacks (Remote Car keys)
The most common way hackers gain access to cars today is through the computerized key fob — often in order to steal the vehicle (or what is inside of it). This is typically done by spoofing or cloning the signal that a car and key use to communicate with each other.
Researchers in Beijing, for example, were able to extend the effective range of a key fob (convincing a car they were close together) with just $22 worth of equipment that anyone can buy. And they were able to do so without the driver even knowing. Other security researchers hacked a Tesla Model S using a cloned key fob, even though it’s supported by an extensive security team and uses encrypted keys (the encryption turned out to be the weak link). While both of these were done for the sake of research, Upstream’s data shows a number of real, malicious occurrences of key fob hacking across the globe. Meaning it should be a top concern for automakers.
2. Server Hacks
Server hacks have the potential to be catastrophic in more ways than one, as breaking into a central server gives hackers access to everything: sales data, mobile apps, and even the controls of every vehicle connected to it.
“This can lead to multi-vehicle or fleet-wide attacks, which are extremely risky to all parties involved, from OEMs to telematics service providers, and companies who manage fleets to the drivers themselves,” Upstream mentions in its report.
While a large-scale attack on vehicle controls has yet to occur, researchers Charlie Miller and Chris Valasek proved this threat was possible back in 2015 in a piece by Wired Magazine, when, from their couch, they stopped a Jeep that was traveling 70 mph on a highway.
Large-scale data breaches, on the other hand, have already occurred and have resulted in the exposure of millions of peoples’ sensitive data (Toyota’s server breach in 2019, for example).
3. Mobile App Hacks
The mobile app market has exploded since its inception in 2008, when Apple first launched its App Store. The auto industry joined in soon after.
But while automotive mobile apps have been nice for consumers, the increase in their utilization has also given hackers new ways to access automobiles. And when hackers gain access to the information and control available in automotive apps, the results can be devastating.
For example, one hacker found that he could kill thousands of cars’ engines remotely through two GPS tracking apps (ProTrack and iTrack) by exploiting weak password protocols. And in another instance, a security researcher found that they could control a Nissan Leaf’s functions using just the VIN number from the car’s windshield and the associated mobile app.
How to Improve Vehicle Cybersecurity and Prevent Automotive Hacking
Unfortunately, there is no one-size-fits-all solution for car cybersecurity. However, based on the most common auto hacking methods above, here’s what we recommend manufacturers do to secure their vehicles.
For Vehicle Owner:
- Up-to-date software
Check and update the vehicle’s software on a regular basis, because obsolete software is easy to hack.
- Strictly need-basis GPS
General Positioning Systems (GPS) spoofing makes it simple to hack automobiles. This method interferes with the GPS location system by using radio transmission. Our suggestion is to turn off GPS when unnecessary
- Internet access via VPN
Wireless gadgets are particularly vulnerable to cyberattacks since they are often used online, making them more accessible to hackers. A Virtual Private Network (VPN) is highly recommended as a substitute. VPN has proven to be an effective method of securing automobile gadgets, engines, and electronic components from external virus threats.
- Password Protection
Set up password-protected with high complexity passwords on accounts to control who has access to information about your vehicle. This will help to prevent unauthorised logins.
- Manufacturer-endorsed softwares & hardwares only
When customising your vehicle, only use software that has been approved by the manufacturer. Third-party programmes can expose your vehicle to risk. Aftermarket components should not be used unless they are from a trusted source.
For Vehicle Manufacturers:
Firewall
As the first stage of a cyberattack, malicious code and data packets are frequently sent to a vehicle. In order to prevent hackers from attacking the internal network of the vehicle, it is recommended that the vehicle has a firewall built-in. An effective firewall will restrict V2V (vehicle-to-vehicle) and V2X (vehicle-to-everything) communication to only authorised parties.
Threat Detection
Threat Analysis and Risk Assessment (TARA) for modern vehicles. Car hackers have more ways to attack your car today than ever before (not to mention ways to hide those attacks too). So it’s critical that you’re able to detect suspicious activity at every vulnerable point before it turns into a breach (and a PR nightmare)
Simpler, More Secure Logins
Keep it simple (be it the design or the flow or the logic). Many of today’s cars come equipped with a number of remote control features (remote start, for instance). This list will likely only increase as manufacturers continue to increase the number of connected cars they produce.
Each of these remote access points creates dangerous vulnerabilities if any of them are weak. So it’s critical to secure each one. This includes improving the encryption on key fob radio frequencies. But maybe, more importantly, it means securing the logins and passwords to mobile apps and critical server access (which would help prevent major breaches like the iTrack and ProTrack vulnerability could create).