Nexix Security Labs
The Rise In Automotive Hacking
Automotive hacking is the practice of exploiting vulnerabilities in automotive software, hardware, and communication systems. Hundreds of onboard computers operate everything from vehicle controls to the infotainment system in modern automobiles.
These computers, known as Electronic Control Units (ECUs), communicate with one another over a variety of networks and protocols, including the Controller Area Network (CAN), which connects vehicle components such as engine and brake control, and the Local Interconnect Network (LIN).
Most common types of Automotive Hacking
Computers are more important in today's vehicles than they have ever been. According to Forescout, modern car software has 15 times the amount of code found in most airplanes. As a result, hackers have a variety of ways to get access to a car's systems.
The type of automobile hack depends on the vehicle. However, Upstream has compiled a list of every major car hacking incident worldwide over the last decade and discovered numerous patterns. Here are some of the areas where its analysis suggests car companies should focus their cybersecurity efforts:
1. Key Fobs
The computerized key fob is the most popular means for hackers to gain access to cars today, often to steal the vehicle (or what is inside of it). This is usually accomplished by spoofing or cloning the signal that a car and its key use to communicate.
With just $22 in equipment that anyone can buy, researchers in Beijing, for example, were able to extend the effective range of a key fob (convincing a car that they were close together). They were able to accomplish this without the driver's knowledge.
Other security researchers used a cloned key fob to hack a Tesla Model S, even though it is maintained by a large security team and employs encrypted keys (the encryption turned out to be the weak link).
While both of these were done for research purposes, Upstream's data shows several real, malicious key fob hacking incidents around the world. As a result, it should be a major concern for automakers.
2. Server Hacks
Server hacks may be disastrous in more ways than one because gaining access to a central server grants hackers access to everything: sales data, mobile apps, and even the controls of every car connected to it.
"This can lead to multi-vehicle or fleet-wide attacks", according to Upstream's report, "which is exceedingly harmful to all parties involved, from OEMs to telematics service providers, and fleet management companies to the drivers themselves."
While a large-scale attack on vehicle controls has yet to occur, researchers Charlie Miller and Chris Valasek demonstrated the threat in a Wired Magazine article in 2015, when they stopped a Jeep moving 70 mph on a highway from their couch.
Large-scale data breaches, on the other hand, have already occurred, exposing millions of people's sensitive data (for example, Toyota's server breach in 2019).
3. Mobile App Hacks
Since its inception in 2008, when Apple first released its App Store, the mobile app business has grown. Soon after, the automobile industry joined in.
While the increased use of automotive mobile apps has been beneficial to consumers, it has also provided hackers with new ways to gain access to autos. And the consequences of hackers gaining access to the information and control available in automobile apps can be disastrous.
For example, one hacker found that by exploiting weak password protocols, he could remotely disable the engines of thousands of automobiles using two GPS tracking programs (ProTrack and iTrack). In another case, a security researcher discovered that using only the VIN number from the car's windshield and the linked mobile app, they could manage the functionality of a Nissan Leaf.
How to improve vehicle cybersecurity and prevent automotive hacking
Unfortunately, automotive cybersecurity does not have a one-size-fits-all answer. However, based on the most prevalent auto hacking methods listed above, here's what we advise manufacturers to do to protect their vehicles.
Today's automotive hackers have more options than ever before to assault your vehicle (not to mention ways to hide those attacks too). As a result, being able to detect suspicious activity at every susceptible point before it becomes a breach is crucial.
Simpler, more secure logins
Many modern automobiles come with a variety of remote control features (remote start, for instance). As manufacturers expand the number of linked automobiles they create, this list will almost certainly grow.
However, if any of these remote access points is weak, it introduces significant vulnerabilities. As a result, it's vital to protect each one. Improved encryption on key fob radio frequencies is part of this. But perhaps more significantly, it involves safeguarding mobile app logins and passwords, as well as critical server access (which would help prevent major breaches like those the iTrack and ProTrack vulnerability could create).
Multi-factor authentication (MFA) and biometrics are two features that can help secure access and block hackers looking for a quick way in. To log in with multi-factor authentication, for example, a user must have more than just their name and password. An additional credential, such as a voice sample, fingerprint, or mobile device, is required for access.
APIs are the interfaces that allow different proprietary software systems to communicate with one another. As more automotive systems expose APIs for remote access via third-party software, it will be vital to defend these entry points with modern authentication techniques to ensure that each one is safe from hackers.
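The server-side check that the VIN-only and weak-password cases above were missing, as an added example (not code from this article or from any vendor): a remote command is accepted only from a signed session whose account owns the VIN, and sensitive commands also require a completed MFA step. The account names, VINs, command names and token format are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: account -> VINs it owns (hypothetical values).
OWNERSHIP = {"alice": {"VINSAMPLE00000001"}, "bob": {"VINSAMPLE00000002"}}
SERVER_KEY = secrets.token_bytes(32)    # per-process key used to sign session tokens
SENSITIVE = {"engine_stop", "unlock"}   # hypothetical commands that need a second factor

def weak_authorize(vin, command):
    """Pattern to avoid: the VIN, readable through the windshield, is the only credential."""
    return any(vin in vins for vins in OWNERSHIP.values())

def _sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user, mfa_passed, ttl=300, now=None):
    """Issued after login; records who logged in, whether MFA completed, and an expiry."""
    now = time.time() if now is None else now
    body = f"{user}|{int(mfa_passed)}|{int(now + ttl)}"
    return f"{body}|{_sign(body)}"

def authorize(token, vin, command, now=None):
    """Hardened check: signature, expiry, VIN ownership, then MFA for sensitive commands."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit("|", 1)
        user, mfa, exp = body.split("|")
        exp = int(exp)
    except ValueError:
        return False, "malformed token"
    # Constant-time comparison; a client cannot flip the MFA flag without the server key.
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return False, "bad signature"
    if now > exp:
        return False, "expired"
    if vin not in OWNERSHIP.get(user, set()):
        return False, "vin not owned by caller"
    if command in SENSITIVE and mfa != "1":
        return False, "mfa required"
    return True, "ok"
```

The weak check accepts any caller who knows a valid VIN; the hardened one ties every command to an authenticated account and refuses a token whose MFA flag was edited by the client.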
Adaptable Cybersecurity Solutions
The automobile industry is a fast-paced sector. To keep up with the constant changes in cybersecurity, your threat detection, authentication, and identity management systems must be adaptable enough to meet your changing business objectives.
Your infrastructure must be adaptable to changes such as:
New features: You may need to handle new entry points/vulnerabilities as a result of this.
New ways and places to use those features: When parking at a restaurant, for example, some users may seek to link their cars to local Wi-Fi hotspots, posing a security risk.
Hackers are finding new ways to gain access to automotive systems: Hackers are always on the lookout for flaws to exploit. As a result, keeping up with new advances in the automotive business is crucial.
While the sophisticated networking capabilities of today's cars are amazing, they also make vehicle security a lot more challenging than simply remembering to lock the doors.
There are numerous vulnerabilities that the average customer cannot protect against. As a result, it's up to manufacturers to take the initiative and lead the way.