A hacker recently explained to online magazine Motherboard that he could stop the engines of countless cars all over the world, provided they were travelling at less than 20 km/h. Previously he had hacked the car apps iTrack and ProTrack, both of which are also used by companies to monitor and manage their vehicle fleets. Along the way, several tens of thousands of user accounts revealed personal and vehicle details to the resourceful hacker. The focus of his attack, however, was to interfere remotely with vehicle electronics, which he summed up thus: “I can influence traffic worldwide.”
Digital car theft
At the end of August, two thieves in London stole a Tesla worth 100,000 euros in a matter of seconds. Using technology they bought on the dark net for just 100 euros, they used the relay attack method to hack the keyless door system. A relay attack uses small devices to pick up the signal from a key fob at a distance and then relay it to a car that may be, for example, 100 metres away. In this kind of attack, one perpetrator generally remains near the car with one of these devices, while an accomplice with a second device scans, for example, a house for the key. Once he has located the signal from the key, he transfers it to the box near the car, which is then unlocked. The German Automobile Association ADAC conducted an investigation that analysed more than 300 cars of various makes and models with keyless systems, i.e. wireless keys. It showed that most of the cars could be opened using the relay method and then driven away.
Anything digital is vulnerable to attack; even tyre pressure sensors are being hacked. Crooks send incorrect tyre pressure values to the car’s on-board electronics, which then stop the car, generally in a remote location. The drivers are then tricked or assaulted and the cars stolen.
Attacks on cars via the Cloud
In the next few years, the number of fully connected cars will increase significantly. Experts predict that by 2025, every new car worldwide is likely to have internet access. Fully connected means that cars can communicate not only with one another but also with their surroundings, such as traffic lights. In this context, more and more functions will be outsourced to the Cloud. But the Cloud systems running in the background create quite different attack surfaces. Already, every new car registered in Europe automatically establishes a connection to the E-Call emergency call system and is therefore connected not only to the internet but also to Cloud computers. With the new attack possibilities that are emerging, traffic infrastructure is also coming under the spotlight, as the following example shows.
A team of Israeli security researchers developed an attack that uses spoofed traffic signs to fool vehicle sensors of the kind used, for example, in driver assistance systems. This was done using a drone, which projected an image of the traffic sign onto a wall, where it was recognised and interpreted by the driver assistance system’s cameras. This allowed the researchers to get the vehicle to accept incorrect speed limits, as they demonstrate impressively in this video. In their report they also describe various options for eliminating this problem, for example through QR codes on traffic signs.
Data protection an additional problem
Quite different conflicts arise for drivers, vehicle owners and passengers due to the large volumes of data that are produced in connected cars. According to management consultancy McKinsey, these cars collect about 25 GB of data per hour when driven. The data includes information about driving habits or the weight of the car’s occupants. In addition, the vehicle systems also capture data on weight increases or the number of children, and even financial information, say the consultants. However, McKinsey warns that the question of who owns this data, who may access it and how it is processed is a grey area. Often, dealers and manufacturers attempt to enforce ownership rights in the purchase contracts, but data privacy activists are very critical of this development.