The New Technology Which Is Making Cars Easier for Criminals to Steal, or Crash
The main route to the CAN bus is underneath the vehicle, so criminals try to gain access to it through the lights at the front of the car. To do this, the bumper has to be pulled away so a CAN injector can be inserted into the engine system.
The thieves can then send fake messages that trick the vehicle into believing these are from the smart key and disable the immobilizer. Once they have gained access to the vehicle, they can then start the engine and drive the vehicle away.
Zero Trust Approach
With the prospect of a potential epidemic in vehicle thefts, manufacturers are trying new ways to overcome this latest vulnerability as quickly as possible.
One strategy involves not trusting any messages that are received by the car, referred to as a “zero trust approach”. Instead, these messages have to be sent and verified. One way to do this is by installing a hardware security module in the vehicle, which works by generating cryptographic keys that allow the encryption and decryption of data, creating and verifying digital signatures in the messages.
This mechanism is increasingly being implemented by the automotive industry in new cars. However, it is not practical to incorporate it into existing vehicles due to time and cost, so many cars on the road remain vulnerable to a CAN injection attack.
Infotainment System Attacks
Another security consideration for modern vehicles is the onboard computer system, also referred to as the “infotainment system”. The potential vulnerability of this system is often overlooked, even though it could have catastrophic repercussions for the driver.
One example is the ability for attackers to use “remote code execution” to deliver malicious code to the vehicle’s computer system. In one reported case in the US, the infotainment system was used as an entry point for the attackers, through which they could plant their own code. This sent commands to physical components of the cars, such as the engine and wheels.
An attack like this clearly has the potential to affect the functioning of the vehicle, causing a crash – so this is not just a matter of protecting personal data contained within the infotainment system. Attacks of this nature can exploit many vulnerabilities such as the vehicle’s internet browser, USB dongles that are plugged into it, software that needs to be updated to protect it against known attacks and weak passwords.
Therefore, all vehicle drivers with an infotainment system should have a good understanding of basic security mechanisms that can protect them from hacking attempts.
The possibility of an epidemic of vehicle theft and insurance claims due to CAN attacks alone is a scary prospect. There needs to be a balance between the benefits of the internet of vehicles, such as safer driving and an enhanced ability to recover cars once they are stolen, with these potential risks.
Rachael Medhurst is Course Leader and Senior Lecturer in Cyber Security NCSA, University of South Wales. This article is published courtesy of The Conversation.
