In this article we will discuss about The Nightmare of Car Hacking.
In recent weeks, the discussion about car hacking has become more and more popular. Every day, newspapers and TV shows propose broadcasts and articles related to the possible hacking of cars and their components.
In this post, I summarize the latest news on car hacking and discuss possible attack scenarios, potential risks, and mitigation strategies.
In the beginning it was a Jeep hack done by Fiat Chrysler
As detailed in my previous post on car hacking, Charlie Miller and Chris Valasek demonstrated how to hack a car by accessing its internal network. They presented the results of their tests to the security community and expected further studies to sensitize the automotive industry to possible risks related to cyber attack.
Modern automobiles are complex systems composed of sophisticated components that exchange vast amounts of information; hackers can manipulate them to gain control of the vehicle.
To demonstrate the feasibility of a cyberattack on a connected car, Miller and Chris Valásek used weaknesses in a car’s cellular connectivity system to hack into the vehicle. Experts hacked the Uconnect car system, which is installed in many connected cars, including nearly 471,000 vehicles in the US. Charlie Miller and Chris Valasek demonstrated the attack by hacking a Jeep Cherokee equipped with the Uconnect system.
The pair asked popular journalist Andy Greenberg to drive the Jeep while they attempted to hack it remotely.
“To better simulate the experience of driving a vehicle while being hijacked by an invisible virtual force, Miller and Valášek declined to tell me in advance what kinds of attacks they planned to carry out from Miller’s laptop at his home 10 miles to the west. Instead they just assured me that they wouldn’t do anything life threatening. Then they told me to drive the jeep on the highway. ‘Remember, Andy,’ Miller said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, ‘whatever happens, don’t panic,'” Greenberg wrote.
Uconnect is the connected car system that Fiat Chrysler has chosen for its vehicles in the US market. This system allows owners of connected cars to communicate with the vehicle remotely; uses Sprint’s cellular network to stay connected to the Internet. Car owners control their vehicle using a smartphone, a mobile app allows them to remotely start the engine, get the vehicle’s location and activate anti-theft features.
Charlie Miller and Chris Valasek exploited a vulnerability in Fiat Chrysler’s connected car system that could allow hackers to scan Sprint’s cellular network for Uconnect-equipped vehicles to obtain vehicle identification and location.
The two researchers used this data to attack the car’s connected system, knowing the IP address assigned to the vehicle, they were able to turn off the car’s engine, activate and deactivate the brakes, take remote control of the vehicle’s information display. and entertainment system and activate the windshield wipers.
The experts were able to operate various components of the 2014 Jeep Cherokee, including the steering, brakes, engine, vehicle signals, wipers and fluid, and door locks, as well as reset the speedometer and tachometer and transmission controls.
Miller and Valašek also discovered that they could remotely control the steering of the Jeep Cherokee.
“As the two hackers remotely fiddled with the air conditioning, radio and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they broke the transmission. My accelerator immediately stopped working. As I frantically floored the pedal and watched the revs climb, the Jeep lost half its speed and then slowed to a crawl. It happened just as I reached a long overpass with no shoulder to offer me escape. The experiment stopped being fun. Greenberg continues.
The hack shocked the automotive industry and public opinion. Researchers have shown for the first time that hackers can exploit bugs (now fixed) in the Uconnect connected car system to control any vehicle from virtually anywhere.
On July 16, Fiat Chrysler informed its customers about the vulnerability affecting its Jeep models by posting a notice on its website.
A few days later, Fiat Chrysler recalled 1.4 million vehicles in the US that could be exposed to cyber attacks due to the presence of a vulnerability in the UConnect infotainment system.
Fiat Chrysler recalled 1.4 million vehicles, including:
- 2013-2015 MY Dodge Viper Special Vehicles
- 2013-2015 Ram 1500, 2500 and 3500 Pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUV
- 2014-2015 Dodge Durango SUV
- MY Chrysler 200, Chrysler 300 and 2015 Dodge Charger sedans
- 2015 Dodge Challenger Sports Coupe
“You can develop the most advanced vehicle that has all the latest safety features and high-tech gadgets, but if it can be disabled by a remote attack, you’ll have wary customers who may choose another brand of vehicle because they put more emphasis on safety,” says Ken Westin, Principal Security Analyst at Tripwire. “The auto industry understands the importance of safety and is working not only with researchers but with each other to help develop standards and best practices for safer vehicles, and the work that researchers like Miller and Valašek are doing is actually helping make vehicles safer in the future.”
The company initially encouraged customers to download and install the update themselves from a USB drive or take the car to an authorized dealer.
You are not sure that this is an operation that each customer is able to perform independently.
Fortunately, FCA later announced that it was conducting a voluntary safety recall to update the software in about 1.4 million vehicles in the United States.
“The recall is in line with the continued distribution of software that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal activity,” the FCA said. “Furthermore, FCA US applied network-level security measures to prevent the type of remote manipulation demonstrated in the recent media report. These measures – which required no action by the customer or dealer – block remote access to certain vehicle systems and were fully tested and implemented on the mobile network on 23 July 2015.”
Related article:The Hacker Methodology 2023
New hacks, old and familiar problems
Even though Car hacking has reached the peak of popularity due to the recent Fiat Chrysler Jeep hack, groups of experts have been working on this matter for a long time.
Recently, a duo of European experts revealed the presence of security flaws in the Megamos Crypto transponder used in more than 100 cars produced by major car manufacturers.
Models from popular brands including Audi, Ferrari, Fiat, Cadillac and Volkswagen use a faulty transponder. Hackers can use the flaw to start the car without using the key.
The surprising news is that the same pair of researchers tried to present their findings at the 22nd USENIX Security Symposium in 2013, but were prevented from doing so by Volkswagen, who won a UK High Court injunction barring them from publishing the key findings of their discovery.
Experts have reverse-engineered the transponder’s firmware and analyzed the security mechanisms it implements. The researchers developed three different attacks against the transponder, which they described with the following statements:
“Our first attack consists of decrypting the cipher and authentication protocol. Our second and third attacks not only target the cipher, but also the way it is implemented and misconfigured in the automotive industry.” reads the paper.
“Our second attack exploits a weakness in the transponder key update mechanism. This attack recovers the secret key after 3 × 216 authentication attempts with the transponder and negligible computational effort. We performed this attack in practice on several vehicles. We were able to get the key and start the engine using a transponder emulation device. This attack only takes 30 minutes to complete from start to finish.
“Our third attack takes advantage of the fact that some car manufacturers have set weak cryptographic keys in their vehicles. We propose a trade-off between time and memory that recovers such a weak key after a few minutes of computation on a standard laptop.”
The experts explained that their first attack, which works with all vehicles using Megamos Crypto, exploits the following weaknesses:
- The transponder lacks a pseudorandom number generator, making the authentication protocol vulnerable to replay attacks.
- The internal state of the cipher consists of only 56 bits, which is much less than a 96-bit secret key.
- The successor function of the cipher state can be inverted, given the internal state and the corresponding ciphertext bit, it is possible to calculate the predecessor state.
- The final steps of the authentication protocol provide the adversary with 15 bits of known plaintext.
In one attack scenario, experts were able to retrieve the key in just 30 minutes and start the engine using a transponder emulation device.
Another attack requires the attacker to have access to both the car and the transponder for a certain period of time; a circumstance that can occur when the attacker takes a rental car or the victim parks the vehicle.
“It is also possible to envisage a setup with two perpetrators, one of whom interacts with the car and the other wirelessly retrieves the car key from the victim’s pocket,” explained the researcher. “Our attacks require close range wireless communication with both the immobilizer unit and the transponder.
This year, experts had the opportunity to present their findings at the 24th USENIX Security Symposium.
“Although two years have passed, this work remains important and relevant to our community,” noted Sam King, USENIX Security ’13 Program Chair, and Casey Henderson, USENIX Executive Director, in a foreword accompanying the research paper.
It’s been three years since the flaws were first discovered by experts, but according to reports circulating in the car hacking space these days, security issues are still very much present in a number of components present in modern connected cars.
Experts reiterated that IoT drive-related devices lack security by nature. Researchers like this need to encourage the automotive industry to seriously consider security as a mandatory requirement for the safety of car owners.
A few days ago, popular hacker Samy Kamkar presented to journalists a new gadget that he designed to hack GM Cars. The tool is able to locate, unlock and start vehicles.
Before introducing Ownstar, we need to know what OnStar is (don’t get the names mixed up), using the words used by The Register website:
“OnStar is a cellular service that uses AT&T’s cellular network to connect vehicles to the Internet: a device in the car connects to the network through OnStar and sets up a Wi-Fi network inside the vehicle, so people can browse Facebook on the go, or whatever. OnStar’s RemoteLink mobile app is used to connect to the car remotely from a smartphone and control the vehicle’s systems. reports The Register.
Ownstar is a hack kit quite similar to a computer board; it is equipped with several antennas and several controller circuit boards. A would-be thief must use this to launch a sort of Man-In-The-Middle Attack within range of someone using the OnStar app.
This Ownstar attack aims to intercept communications and find out the location of the car and model. Basically, Kamkar created a Raspberry Pi-based gadget that captures traffic from nearby mobile devices running a specific application that could control some of the vehicle’s functions.
“After a user opens the RemoteLink mobile app on their phone near my OwnStar device, OwnStar intercepts the communication and sends specially crafted packets to the mobile device to get additional credentials and then alerts me, the attacker, about the vehicle to which I have unlimited access. , including its location, make and model,” Kamkar explained in a PoC video of the Ownstar attack.
When the car owner leaves the perimeter, an attacker can use the captured information to impersonate the Onstar app, unlock the car, start the engine, impersonating the legitimate owner.
“If I can intercept this communication, I can take full control and act like a user indefinitely,” says Kamkar.
“From then on I can geolocate your car, drive up to it and unlock it and use all the features that the RemoteLink software offers. I recommend not opening the RemoteLink app until an update is provided from OnStar,” he added.
The expert pointed out that even if the owner is in the car and the engine is running, he cannot drive the vehicle because it requires a key.
“GM takes matters that affect the safety and security of our customers very seriously. GM Product Cybersecurity representatives have reviewed a potential vulnerability recently identified,” General Motors said.
“Working with the researcher, we moved quickly to secure our back-office system and reduce risk. However, additional action is required in the RemoteLink application itself. We take all cyber matters seriously and an improved RemoteLink app will also be available in app stores soon to fully mitigate the risk.”
Let me take a look at the Ownstar presentation video provided by Kamkar:
GM told WIRED that it has now patched the vulnerability that Kamkar’s device was exploiting without any action being taken by OnStar users.
While GM reassured its customers, other car models made by other automakers, including BMW, Chrysler and Mercedes-Benz, are vulnerable to the Ownstar attack.
Kamkar found that the BMW Remote, Mercedes-Benz embrace and Chrysler Uconnect apps are all vulnerable to the Ownstar attack. Additionally, in this case, mobile apps do not validate SSL certificates, which allow an attacker to impersonate the legitimate owner once they launch a Man in the Middle attack.
Kamkar will not release updated code for the OwnStar attack for at least 30 days to give automakers time to fix the security issue. Hopefully, other car manufacturers will carefully analyze their systems and look for similar flaws.
How to solve security flaws in the automotive industry
In modern connected cars, we cannot avoid the presence of software flaws; however, it is important to properly manage their publication and patch management process.
Together, we will analyze several cases that demonstrate different approaches to the problem of different car companies.
Let’s start with the Kamkar’Autostar attack. The expert reported the flaws he discovered to the major car manufacturers, but it appears that although BMW knew about them months before the researcher presented them to the press, they have not yet fixed it.
According to Han Sahin, co-founder of Securify, he reported the vulnerability to BMW on April 22, 2015. BMW’s CISO confirmed receiving the bug report the next day, but the Ownstar attack still works on the My BMW Remote iOS app.
“Securify has reported the same issues to various organizations in the past; from small organizations to enterprises. Most organizations take these issues seriously and update their applications in a timely manner. In our opinion, three months should be enough to resolve such issues,” Sahin told SecurityWeek.
“At the time of writing, the BMW iOS app is still vulnerable to man-in-the-middle attacks. We informed BMW more than 120 days ago. We have not yet received a formal response from BMW,” the expert added. “We think BMW has had enough time to fix this problem. If they did, they wouldn’t have been hit by OwnStar’s attack.”
BMW sent an official comment to Wired on August 15, dismissing the possibility that an attacker could launch a MITM attack
BMW confirmed that its apps “meet the same industry standards as other apps that use SSL-encrypted communication with the backend, such as online banking apps.” The company also noted that “a man-in-the-middle attack on client-server communication can never be completely ruled out, but it is virtually impossible to execute, and the likelihood of such a specific attack in everyday life is highly unlikely.”
It is useless to hide our surprise when we hear this news. BMW is a company that always cares about the security of its customers, but apparently something went wrong in the management of the loopholes exploited in the Ownstar attack.
Security experts are not surprised by the lack of public disclosure of the bug, nor the lack of a quick fix. Unfortunately, there have been other cases in recent months that point to the questionable management of security flaws in connected cars.
As an example, let’s look at the case we described earlier in connection with the discovery of a team or European experts who have been aware of the presence of security flaws in the Megamos Crypto transponder since 2012. The transponder is used in more than 100 cars made by major automakers, but researchers were prevented from doing so by Volkswagen.
Fortunately, this year the experts had the opportunity to present their findings at the 24th USENIX Security Symposium.
I suggest you read the message carefully. Despite the fact that three years have passed since the bug was first discovered, security issues are still very common in a number of components present in modern connected cars.
Sometimes car owners are better off and security flaws in their connected cars are promptly fixed by automakers, as happened with Tesla.
Tesla Motors Inc. recently announced that it distributed a software update to fix security vulnerabilities in the Tesla Model S sedan. According to the company, an attacker could exploit the flaw to take control of a Tesla vehicle.
The Financial Times reported Thursday that a group of security researchers took control of a Tesla Model S and shut it down at low speed. Among the vulnerabilities researchers discovered is a bug that could be exploited to control the vehicle, the company confirmed.
“Hackers first had to physically gain access to the Tesla, which made the job more difficult than many other hacks. Once connected with an ethernet cable, they were later able to access the systems remotely, allowing them to take control of the screens. They were able to manipulate the speedometer to show the wrong speed, roll down and roll down the windows, lock and unlock the car, and turn the car on or off,” reports the Financial Times.
Tesla acknowledged the existence of the bug and informed the press that it had already released a software fix. Tesla clarified in an official statement that the hackers did not turn off the car remotely, but from inside the vehicle.
“Our security team works closely with the security research community to ensure that we continue to protect our systems against vulnerabilities by constantly stress testing, validating and updating our security measures,” Tesla said.
Expert duo Kevin Mahaffey (Chief Technology Officer of cyber security firm Lookout) and Marc Rogers (Chief Security Researcher at Cloudflare) decided to test a Tesla vehicle due to the company’s high reputation for safety. Tesla Motors is considered by the hacking community to be one of the companies that have made more efforts to make safe cars.
“We turned the car off when it was initially going at a low speed of five miles per hour,” Roger explained to the Financial Time. “All the screens go dark, the music turns off, and the handbrake pulls, bringing it to a halt.”
Tesla confirmed that it distributed the fix via an over-the-air update.
In April 2014, a Tesla security researcher reported a number of security issues related to the Model S that could be exploited by attackers to locate and unlock the vehicles.
Well, I find Tesla’s approach very effective. The company immediately recognized the importance of the shortcomings and its experts quickly solved the problems.
The way Tesla distributed the patch to their customers is also very effective by choosing a wireless mechanism for their customers that requires no effort from them.
In this way, the company controlled the deployment of the patch, which reached almost every car owner, a situation quite different from the approach chosen by Fiat Chrysler.
In order to make even safer vehicles, Tesla launched a bug bounty program paying around $10,000 per vulnerability, involved the security community and improved its cars.
Conclusions[The Nightmare of Car Hacking]
The number of connected cars is growing every year. These vehicles are equipped with automatic accident alerts, speed alerts and safety alerts, but recent studies have shown them to be vulnerable to hackers. Experts speculate that automakers have not taken measures to adequately protect their connected cars from cyberattacks.
Hackers could hack vehicles to sabotage or steal owner data managed by its components.
Cloud services, email, text messages, contacts and other personal, financial and work data are vulnerable to hackers. Thieves could determine the location of the vehicle provided by these sources
Connected cars can share information with other vehicles in a real-time C2C (car-to-car) or C2I (Car-to-Infrastructure) connection. Cars are becoming part of the IoT (Internet of Things), sophisticated global network nodes that manage vast amounts of information. Experts predict that IOT risks will increase drastically this year; this means that we need to take a different approach to implementing cybersecurity for these devices.
A recent study published by the IBM Institute for Business Value titled “Driving Security: Cyber Assurance for Next-Generation Vehicle” identified three areas that automakers and partners can focus on when creating connected car features:
- 1.Design Secure Cars:Security starts with the car. The design process should be security-focused, which means outlining and testing the risks and threats for every component, subsystem, and network that a connected vehicle will be exposed to once it leaves the car brand’s production line.
- Create secure networks: Communications should be encrypted; this means that all service organizations that connect roads, cars and devices must protect their networks and monitor transactions to detect suspicious activity.
- Vehicle hardening: These connected cars should be secured at all levels:
- Encryption of data at rest and data in motion.
- Implementing proper cloud security controls.
- Access control mechanisms
- Operating system security.
- Application penetration testing.
Researchers must encourage the automotive industry to seriously consider security as a mandatory requirement for the safety of car owners; the most important thing is that in the future, car owners will also choose their cars based on the safety features implemented by car companies.