Is it time we start worrying about hackers getting a free ride in your car?
With a growing number of cars getting on board the Internet of Things (IoT) bandwagon, hackers have been able to gain access not just to your laptops and mobile devices, but also to your dashboard.
Recently, researchers have uncovered a number of different vulnerabilities in newer models of cars, as a growing number of cars can be classed as part of the IoT.
The team from the University of California at San Diego announced that it was possible to compromise thousands of vehicles by hacking into monitoring devices used by insurance firms and fleet management solutions to track vehicle location, speed and behaviour.
All that you need to do is send an SMS message to the car.
The hackers can then gain access to the car and transmit commands to the car’s controller area network (CAN), thereby hijacking the vehicle.
Automobile vulnerability gained prominence following news that Jeep Cherokee and then General Motors (GM) vehicles could be remotely compromised.
The attacks were possible due to existing vulnerabilities in Uconnect, the system that connects Fiat Chrysler cars to the internet, and in the OnStar RemoteLink system on GM vehicles, which was also vulnerable to attacks, allowing attackers to track the vehicle and unlock it.
According to Dick O’Brien of Symantec, even as the automotive industry brings more new technology to cars, there will be more and more incidents of hackers trying to gain access to automobiles.
“Symantec believes it is likely that we are going to see more hacks such as these. To date, incidents have been confined to proof-of-concept attacks performed by security researchers.
“However, as the technology moves into the mainstream, attacks in the wild cannot be ruled out,” he said in a recent blog post.
Neil Campbell, Dimension Data’s Group General Manager, Security, has a grimmer warning.
According to him, hackers have suddenly started putting not just the systems they hack into, but also human lives, at risk.
Following the Fiat Chrysler Automobile incident he said, “The hack indicates two things. Firstly, the Internet of Things is going to create – and indeed has already created – far more opportunities for hackers to both invade privacy and, in cases like this, escalate the risk from damage to ‘soft’ targets, such as reputation and revenue, to actions that place human lives at risk.
“Secondly, many well-established industries that have not yet had to deal with IT security as a serious threat will be massively underinvested in IT security technologies, services and processes.”
Predicting that there would be many more examples like the Jeep incident, he says, “What’s more interesting is that we’re seeing end-users becoming popular cybercrime targets.
“That’s because workers are becoming more accustomed to having real-time access to corporate data, and as a result are also becoming targets of criminals who can then access everything that their victim can and even take control of that person’s identity.”
Listing three broad categories of attacks, Symantec’s O’Brien says “over-the-air” hacks, where attackers succeed in compromising a vehicle from a remote location, are the most dangerous.
Hackers can also gain access through physical attacks, where the attacker needs to tamper with the vehicle before compromising it.
These, he argues, are usually easier to perform.
“In many vehicles, there is little protection to the CAN bus and Electronic Control Units (ECUs) connected to them. In order to perform such an attack, the attacker would need to find and gain access to the targeted vehicle, in addition to running the risk of being caught in the act.”
The third possibility is hacking into mobile apps and support tools that enable some remote control functionalities over the vehicle.
These, he says, can be easily patched without the need for an upgrade to the vehicle’s own software.
Meanwhile, Campbell has called upon industry stakeholders to join hands to make the system more secure.
“With the IoT trend driving innovation and connectivity within their product or service range, industries that are running up against these kind of exposures for the first time will need to engage more closely with industry bodies and IT security services providers in order to come to grips with the risks they’re facing.”