Is Your Car Secure? Perhaps Not.
We’ve all probably heard the stories about people hacking the internet of things. Breaking into our toasters, washing machines or expresso makers and indeed any other device which is ‘internet enabled’. Indeed the problems these devices generate by being online seem to far outweigh the advantages.
After all what’s the point in having your toaster internet enabled? To order more bread, emergency crumpet supplies or maintain your bagel supplies at a certain level? Hardly important stuff and personally I couldn’t imagine anything worse than having an army of electrical devices having the ability to order stuff to my house!
Having said that, you might argue that lying awake at night worrying if your toaster has been hacked by a Russian cyber criminal gang might be a bit paranoid too. At least right up to the point when the police come to investigate why thousands of pedophiles are connecting to an IRC server hosted on your internet connection.
The problem is that however trivial the device sounds, anything internet enabled can potentially act as a either a host or a portal to attack anything else online. The device is sometimes irrelevant it’s merely your internet connection and IP address that is important. Although they can also be used to sniff personal details and steal more than bandwidth too. Each and every device that you have in your home which is connected to the internet is potentially a threat to your privacy and anonymity online.
However there’s always one device that’s increasingly becoming internet aware that worries me a lot and that’s our cars. It concerns me for a variety of reasons, firstly I am a lot more worried about someone stealing my car than I am my refrigerator. Secondly the idea that anyone has remote access in any form to a metal device which I hurtle down the motor ways at 80 miles an hour somewhat worrying.
It seems that I have even more cause for concern as a recent study group determined at the last Kaspersky Security Analyst Summit last month. In the workshop the y demonstrated how simple it is to introduce software into modern internet enabled cars to steal data, take control of functions, bypass alarms and key systems even crashing the car.
Frankly I can think of tons more things to worry about having my car hacked than all the other internet enabled crap sitting in our living rooms and kitchens out together. Someone accessing my car is very scary indeed, after all even having your computer hacked doesn’t put you into actual physical danger.
Automotive security is important and it doesn’t seem to be taken seriously by most manufacturers. One of the researchers involved bought a car and ran through a serious of attacks to see how difficult it would be to hack into. They found it surprisingly easy, even turning the car into a war driving machine with a built in facility to spot and log into open Wi-Fi connections.
One of the attacks involved was actually found on a car hacking site, a piece of code which claimed to give root access to all the car’s control systems. The researcher installed the code easily using the car’s USB port which was configured to auto-run any code it found. Instantly the researcher had full access to the car’s infotainment system.
This revealed a surprising and slightly disturbing non-documented feature of the car. It had previously crawled and downloaded his address, book, email list, SMS messages and even the list of last visited locations. All of these details were stored and recorded in clear text within the car’s data storage.
There were lots more facets to the investigation including extensive control and manipulation of the car’s built in Wi-Fi system. There were some even more worrying research into the feasibility of controlling the automatic braking software although nothing conclusive was created.
Safety and privacy issues were not the only concern and one of the more practical problems of car security is the potential for theft. Keys were considered a huge area of weakness, with many electronic keys have extremely small number of combinations. Although the biggest potential threat in this area is the technology known as signal amplification technology. Indeed there is a kit available online which only costs about £50 which can pick up the signal from car keys and copy them to the car directly – both unlocking the car and disabling the alarm system.