At DefCon 2015, security researchers Chris Valasek and Charlie Miller made a presentation that made the attendees’ jaws drop. They showed how hackers could easily exploit the security vulnerabilities in a digitized vehicle and take over its various controls to track its location,turn its blinkers or lights on or off, adjust its radio’s volume, and even mess with its brakes or steering. To make things worse, these malicious individuals can do all of this remotely with nothing more than a simple cellular connection. Valasek and Miller made us aware of the intimidating truth in today's digital age: car hacking is the new carjacking
Carjacking has gone wireless
The crime of carjacking is not new. However, the crime of “wireless carjacking” is very much a product of the recent digital era. Back in 2013, Valasek and Miller had demonstrated how they could disable a car’s brakes and commandeer its steering wheel. But at the time, their hacks – and presumably the hacks of real hackers – had one limitation. The attacker would have to wire their computer into the victim vehicle’s onboard diagnostic port.
Just two years later, wireless carjacking or car hacking had entered the realm of possibility, allowing hackers to turn a car’s ignition off and on, kill its engine, and perhaps most disturbingly, disable its brakes – wirelessly and out of the driver’s control.
The dangers of internet-connected cars
Carmakers’ pursuit of technological excellence creates new vulnerabilities in their cars and amazing new opportunities for malicious hackers. Many modern vehicles from Chrysler, Honda, Toyota, Nissan, and other companies have multiple Internet-connected systems that enable phone calls, offer WiFi hotspots, help with navigation, automate emergency braking, and assist with lane-keeping.
The flip side is that anyone who knows the car's IP address can leverage a cellular connection to access its many controls remotely. All they need is a smartphone connected to a laptop. Using the phone’s cellular connection (3G or 4G), they could find a vehicle’s GPS coordinates, identification number, make, model, and IP address and replace the firmware code in its head unit with malicious code. This code would then allow them to compromise the vehicle’s physical components, such as its locks, wipers, engine, and wheels.
A skilled hacker could even take over a group of cars and their head units to create a wirelessly controlled automotive botnet that would let them simultaneously compromise hundreds of thousands of vehicles. As more automakers add wireless capabilities to their vehicles' internal networks, these risks will continue to grow in the coming years.
Unfortunately, digitized cars are not immune to potential data breaches, leaving drivers' personal information vulnerable. On the plus (ish) side, federal law enforcement agencies are hacking into these vehicles to find information about criminals and to solve many crimes. On the other, digitization also allows data thieves to pull personal data stored in these cars in addition to performing the remote functions we saw earlier. The fact is, even a single vulnerability could have a devastating effect on a huge number of digitized cars and ultimately on users, their personal information, and even their identities.
Thinking about the security of digitized cars
Thanks to researchers like Charlie Miller and Chris Valasek, not to mention an increasing push from lawmakers, automakers are slowly acknowledging the risks in future Internet-of-things targets like their vehicles. They are also adding new digital security measures to their products, including internal monitoring systems and segmented architectures to minimize the damage from successful hacks. Some carmakers are also focusing on safety right from the outset – vehicle design – to reduce attack points.
Others are implementing Internet-enabled updates to patch the hackable security flaws in their automobiles. This tactic should be a priority for all carmakers. Any manufacturer looking to add new Internet-connected features to their cars should automatically deliver over-the-air software updates to their cars. They should also segregate onboard entertainment and engineering networks and implement reliable intrusion-detection software to stop improper or malicious commands that would allow car hacking by threat actors.
Learn more about preventative measures to help prevent attacks on your vehicles.
Along with auto manufacturers, telecom companies and regulators are joining the effort to make Internet-enabled cars safer and more resistant to car hacking. But piecemeal efforts will not be enough to keep hackers out. Modern threat actors have many tools at their disposal to take advantage of vulnerabilities in vehicles’ digital systems, so a concerted effort is required from all stakeholders to develop cars that are both technologically advanced and safe for human use.
Packetlabs, Canada’s leading pen testing company, works with businesses in many industries to uncover vulnerabilities in their digital systems and fix them before adversaries have a chance to exploit them. Learn more about how Packetlabs can help secure your firm from the latest ransomware, malware, phishing, and other threats.
Have Questions? Need a Quote?
10 January - Blog
Your Guide to Objective-Based Penetration Testing
14 December - Blog
2022 in Review and Our Predictions for 2023: Cyber-Threat Landscape
05 December - Blog
Choosing a Penetration Testing Company: Methodology & Certifications