Thursday, March 14, 2019

Do You Know Your Car Can Now Be Hacked?

Vulnerability to hacking has increased as software takes over control of vehicle features and functions.
Car hacks are no longer science fiction; they are now a reality. Security researchers Chris Valasek and Charlie Miller conducted a successful experimental hack of the Jeep Cherokee's infotainment system using a simple 3G connection. The hack is all the more stunning because the duo found a way to take over the car remotely. The driver was driving at 70 mph on the edge of downtown St. Louis when the exploit began to take hold.
As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
Straight from the source, Wired's report describes the driver's reaction to the behavior of his electronically compromised car. Andy Greenberg, who was behind the wheel, stated that the researchers took complete control of the car's brakes and accelerator, plus other less-essential components like the radio, horn and windshield wipers. To do that, Chris and Charlie had to hack the Uconnect entertainment system through a cellular network. In the end, the Jeep ended up in a ditch after Valasek and Miller killed its engine and slammed its brakes remotely. The demonstration led Fiat Chrysler to recall 1.4 million cars after the Jeep was hacked.

This isn't the first time that this type of hack has happened. Earlier in 2015, German security specialist Dieter Spaar discovered vulnerabilities in BMW's ConnectedDrive that allowed a hacker to remotely open the vehicle's locks. They were also able to track the car's real-time location and speed, as well as read data sent and received via the BMW Online feature. This was quickly addressed, but as we all know with any publicly released software, there's always a possibility of some other vulnerability left undiscovered.



The investigative report looked at the SmartGate system, first introduced by Škoda Auto in their Fabia III cars. SmartGate allows car owners to connect a smartphone to a car to read and display real-time data, such as how fast the car is going, its fuel mileage, etc. In our analysis, we discovered that an attacker can steal that information from a SmartGate-enabled Škoda car simply by being within range of the car's SmartGate in-car Wi-Fi. This allows the attacker to identify the car's Wi-Fi network, break the password (which, due to SmartGate's own design, is very insecure) and then gain access.

The only chance of failure here is if the attacker goes out of range of the car's Wi-Fi signal, which is pretty hard to do considering the attacker can be as far back as fifty feet from the target and still be within range. And yes, we've tried it while in motion as well, and it still worked. While the vulnerability we discovered in SmartGate isn't as dire as those found in Uconnect or BMW's ConnectedDrive, there's still a way for attackers to turn it into a very malicious exploit for themselves. For example, an attacker could use the information to track the driver and find out where they're going, and when they'll possibly be stopping. They could also control the driver's movements by locking him out of SmartGate and forcing him to stop by the car dealership in order to get electrical sign errors fixed. They would then be able to manipulate the situation physically if needed.


In modern days of science and technology, your wheels can be bugged! Gone are the days when popping the faceplate off the CD player, slapping a Club over the steering wheel, and locking the doors meant security. As vehicles' electronic systems evolve, however, automobiles are starting to require the same protection as laptop computers and e-commerce servers. Currently, there's nothing to stop anyone with malicious intent and some computer-programming skills from taking command of your vehicle to lock the system or cause malfunctions remotely. What if this is done while you are driving at 180 km/h?
As vehicles fill up with more digital controls and internet-connected devices, they’re becoming more vulnerable to cybercriminals, who can hack into those systems just like they can attack computers. Almost any digitally connected device in a car could become an entry point to the vehicle’s central communications network, opening a door for hackers to potentially take control by disabling the engine or brakes.
After gaining access, a hacker could control everything from which song plays on the radio to whether the brakes work. While there are no reported cases of cars being maliciously hacked in the real world, researchers affiliated with the Center for Automotive Embedded Systems Security (CAESS—a partnership between the University of California San Diego and the University of Washington) demonstrated how to take over all of a car’s vital systems by plugging a device into the OBD-II port under the dashboard. It gets worse.

Researchers remotely took control of an unnamed vehicle through its telematics system. They also demonstrated that it's theoretically possible to hack a car with malware embedded in an MP3 and with the code transmitted over a Wi-Fi connection. Such breaches are possible because the dozens of independently operating computers on modern vehicles are all connected through an in-car communications network known as a controller-area-network bus, or CAN bus. Even though vital systems such as the throttle, brakes, and steering are on a separate part of the network that's not directly connected to less secure infotainment and diagnostic systems, the two networks are so entwined that an entire car can be hacked if any single component is breached. So the possibility now exists for platoons of cars to go rogue at the command of computer-savvy terrorists and crazed exes. But the truth is that hacking a car takes a lot of time, effort, and exceptional skills, the same resources automakers are using to program the cars.


At Chrysler, where optional infotainment systems are integrated with hard drives and mobile internet hot spots, company spokesman Vince Muniga says a data breach of an individual automobile is “highly unlikely.” That doesn’t mean the company is ignoring the problem. “It’s an ongoing engineering issue,” he says. “You want to stay one step ahead of what these guys might do.” Rich Strader, Ford’s director of information technology security and strategy, says the automaker has been steadily strengthening in-vehicle systems, but the threat is always evolving. 

He says the difficulty with security is that “you can’t honestly say something is impossible.” Presently, automakers are beginning to take steps to secure networks the same way the information-technology sector now locks down corporate servers. “Just like the internet in its early days, car networks don’t employ very much security,” says Brad Hein, a programmer who accessed vehicle data from his Chevrolet Impala 2006 model via an Android phone using code he’d written. “As more people start to access car networks,” Hein says, “I expect that the auto industry will start beefing up the security.” That’s certainly happening at OnStar, the telematics system that’s already in more than 6 million vehicles. Eric Gassenfeit, OnStar’s chief information security officer, says his team has seen resources and staff grow “by an order of magnitude” over the past two years. So the battle between the hackers and the carmakers is on. Here are your car’s most vulnerable entry points and what automakers are doing to protect them:

TELEMATICS SYSTEM

A car's telematics system is a vehicular communication network covering the enabling technologies, applications, and general outlook of intelligent transportation, where traffic robots are part and parcel of tracking and identifying the cars on the road. The telematics system can remotely notify police in the event of a crash, and track down or disable a stolen vehicle when the owner or manufacturer provides diagnostic information.

Hackers can gain access to the car's telematics system on two fronts: the carmaker or the user. They can either hack directly into the car's application software or plant a backdoor in the original manufacturing blueprint. A hacker could, for example, disable a car's ignition or lock the car's systems the same way an anti-theft system would. This can easily cause an accident if the vehicle is moving at high speed.

Demonstrations of this kind of hacking technique are not common, and the capability remains mostly within the intelligence community, which has this type of cyberwar capability. To master it, a person must be able to reverse-engineer an entire telematics system. Still, forward-looking automakers are already beefing up the security of external communications and in-car networks. OnStar, for example, has a “white list” of approved computers that are allowed to connect with cars.

MALWARE

A skillful hacker can deploy malware attached to media such as MP3 music CDs, DVDs, USB drives and anything else that allows him to breach the security layer of the car's telematics system. Once you connect an infected device to the car, it can automatically download additional malware and link to other unauthorized file-sharing services. Little did you know that there is malware code that battles its way to your car's central lock and disables your brakes when activated.

As infotainment systems gain functionality and technologies evolve, carmakers are trying to shield their products from cyber threats and make them more vital components without jeopardizing vehicle integration. “We harden all our safety-critical systems,” says OnStar’s security chief Gassenfeit. GM’s newer cars, such as the 2011 Chevy Volt, verify any data sent between two systems the same way online retailers process credit cards.

UNAUTHORIZED APPS

Just as smartphone manufacturers have app stores in which thousands of programs developed by third-party companies are available for free download, carmakers are expanding their infotainment services through secure downloadable software. If a rogue app contains malware or a virus, however, it can infect your car without your knowledge. Carmakers are now attempting to be very strict in selecting which apps are compatible with, or allowed onto, their systems. Ford's MyFord Touch and Toyota's Entune, for example, allow only a handful of preapproved programs, while GM's MyLink goes so far as to route all software through remote servers so that users won't inadvertently install infected apps on their cars.

OBD-II


The researchers at CAESS wrote a program that searched for and exploited vulnerable communications points where vehicle systems interface. They installed that program onto the car's telematics system through the OBD-II port. Once on the network, the program could control every system from the windshield wipers to the brakes. According to cyber security experts, this is the most direct way to hack a car, as it sends code directly to the CAN bus. Most of the data sent into the vehicle systems had not been encrypted, leaving cars wide open for enterprising hackers. Now, carmakers are starting to adopt routine security protocols from the information-technology field, such as protecting files with digital signatures. “That's pretty much standard IT is now being applied to the automotive sector,” says Gassenfeit.
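The following is an added illustration, not code from CAESS or any automaker: it contrasts a receiver that acts on any CAN frame with one that checks a per-frame truncated MAC and counter, which is the kind of sender verification the paragraph above points toward. The key, CAN ID 0x2A0, payload layout and MAC length are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# Assumptions for this example only: a shared demo key, a 4-byte truncated
# MAC, a 2-byte counter, and CAN ID 0x2A0 standing in for a body-control frame.
KEY = b"constructed-demo-key"
MAC_LEN, CTR_LEN = 4, 2

def _tag(can_id, counter, data):
    # Bind the MAC to the ID and counter so a tag cannot be moved or replayed.
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_frame(can_id, counter, data):
    """Sender ECU: payload = data (<= 2 bytes) | counter | truncated MAC."""
    if len(data) > 8 - CTR_LEN - MAC_LEN:
        raise ValueError("classic CAN payload is limited to 8 bytes")
    return can_id, data + struct.pack(">H", counter) + _tag(can_id, counter, data)

class Receiver:
    """Receiving ECU that tracks the highest counter seen per CAN ID."""
    def __init__(self):
        self.last = {}

    def accept_unauthenticated(self, can_id, payload):
        # Plain CAN has no sender identity: any well-formed frame is acted on.
        return "accept" if len(payload) <= 8 else "reject: too long"

    def accept(self, can_id, payload):
        if not CTR_LEN + MAC_LEN <= len(payload) <= 8:
            return "reject: bad length"
        split = len(payload) - CTR_LEN - MAC_LEN
        data, ctr, tag = payload[:split], payload[split:split + CTR_LEN], payload[-MAC_LEN:]
        (counter,) = struct.unpack(">H", ctr)
        if not hmac.compare_digest(tag, _tag(can_id, counter, data)):
            return "reject: bad MAC"
        if counter <= self.last.get(can_id, -1):
            return "reject: replay"      # stale or repeated counter
        self.last[can_id] = counter
        return "accept"

def demo():
    rx = Receiver()
    genuine = build_frame(0x2A0, 1, b"\x01")
    # Frame from a node that does not hold the key (constructed sample).
    forged = (0x2A0, b"\x00" + struct.pack(">H", 2) + b"\x00" * MAC_LEN)
    return [rx.accept_unauthenticated(*forged), rx.accept(*genuine),
            rx.accept(*forged), rx.accept(*genuine),
            rx.accept(*build_frame(0x2A0, 2, b"\x00"))]
```

The 16-bit counter in this sketch wraps after 65,535 frames, so a production design would need a wider freshness value or periodic rekeying.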

DOOR LOCKS

In most modern cars, the power-locking mechanism is connected to other vehicle systems so that doors can lock automatically when a car is put into drive and unlock if the airbags have been deployed or the keys are locked inside. That interconnectivity, theoretically, means that the locking mechanism can be breached to access other systems. If accelerating can engage a car's power locks, a skilled hacker could use the power locks to force that car to accelerate. The infotainment and onboard diagnostic systems are still linked by a physical connection to the module that controls functions such as steering and braking, but on some systems, such as Ford's, that connection goes only one way. “The only thing we allow is for the real-time module to send messages in one direction,” says Ford's Strader.

KEY FOB

It sounds like one of those warnings that shows up in chain e-mails every few months, except it’s true. A wireless key fob is supposed to unlock and/or start the car only when the person holding the key-fob is directly next to the vehicle or already sitting inside. However, Swiss researchers have found a way to intercept and extend the signal up to 30 feet with parts that cost less than $100. The setup doesn’t replicate the signal—it just extends its range so the car thinks the key fob is closer than it actually is. There’s not much a car manufacturer can do here. These hackers haven’t broken the key fobs’ encryption in any way—they’ve just extended its range with a radio repeater. So keep an eye out for anyone loitering in a parking lot and holding a homemade antenna.

CONCLUSION:

The new vulnerability comes as automakers are increasingly using software to control features and functions that have long been dominated by hardware, such as braking, gear shifting, and throttle control. It represents a seminal break from the mechanical hydraulic systems of the recent past, one that began with the introduction of electronically controlled fuel injection in the late 1960s. “Software is rapidly replacing hardware,” says Colin Bird, a senior automotive industry analyst at IHS Markit Ltd. “More than 50% of a car’s value today is defined by software, and that is continuing to increase.”

There have been only a handful of successful hacks on vehicles so far, carried out mostly to demonstrate potential weaknesses, such as shutting down a moving car and taking control of another's steering. But security experts paint a grim picture of what might lie ahead. They see a growing threat from malicious hackers who access cars remotely and keep their doors locked until a ransom is paid. Cybercriminals also could steal personal and financial data that cars are starting to collect about owners. Or they might get even more ambitious.

Some experts warn of a day when millions of fully internet-connected vehicles will be at risk of being hijacked remotely. A mass hack could be catastrophic for the self-driving cars of the future, especially if those cars don’t have steering wheels or other backup systems to let drivers take manual control. Now the auto industry and lawmakers are rushing to meet these threats. Congress is proposing new standards that car companies must meet to guard against cyber attacks. Car makers are beefing up their software to make their vehicles tougher to hack, as well as reaching out to benevolent hackers to help them identify potential security flaws. 

