Next on the Hacker Horizon - Your CAR!

Jordan Kadlec

 In what seems to be a never ending cycle, another security threat needs to be brought to the public's attention. This summer, several threats have been posed to the automotive industry. So much so that the world's largest automakers have decided to establish an Information Sharing and Analysis Center (ISAC). The ISAC is tabbed as "a secure, industry-wide clearinghouse for intelligence about cyberthreats for vehicles in their networks."

"Is it dire right now? I wouldn't say so, but now is the time to form the ISAC so the infrastructure is there..." said Denise Anderson, chair of the National Council of ISACs. "You don't want to be caught unprepared. Health care is being heavily targeted right now, in the past they weren't."

In a time where we seem to react instead of prevent threats, the ISAC is a great starting point for the automotive industry. However, there have already been several attacks on this industry.

Over the last couple of months, there have been remote lock hacks, an OnStar hack, an encrypted key fob hack and a remote wireless hack that prompted Fiat-Chrysler Automobiles (FCA) to recall 1.4 million vehicles.

Remote Lock Hack

Digital security researcher Samy Kamkar recently revealed a $30 device that can copy the coded signal from just about any car's remote key fob, allowing you to lock or unlock the car at whim. Most remotes use rolling codes to communicate with the car - meaning that the remote sends a different coded signal every time you push the button. This is meant to prevent bad guys from copying the remote's code to create a dummy remote. While this may seem like a good way to prevent the device that can copy the coded signal, most automakers don't set an expiration date for the previously used codes.

That's where Kamkar's device comes in. The device can be hidden underneath the targeted car so when the owner pushes the remote unlock button, the device detects the remote signal and jams it, which then prevents the car from hearing the signal.

Below is what the device looks like:

remote key hack

OnStar Hack

Samy Kamkar released another vulnerability in OnStar which he has tabbed as OwnStar. Ownstar, when attached to a General Motors (GM) OnStar-equipped vehicle, executes a man-in-the-middle attack between that vehicle and the OnStar RemoteLink app. It allows a hacker to enjoy the full suite of RemoteLink capabilities, including unlocking doors, tracking the car's whereabouts, and starting the vehicle remotely.

According to Kamkar, the vulnerability doesn't lie in the vehicles. Rather, it's an exploitable flaw in the RemoteLink app's code that allows him to take control of the cars. Kamkar has alerted GM of this exploit and an updated version of the RemoteLink app is now available for all phones.

Encrypted Key Fob Hack

Three researchers have found a security loophole in the Megamos Crypto transponder, the in-car electronic device that confirms the key or keyless transponder present inside the car is genuine before allowing the car to start. Megamos Crypto transponders are found in the number models shown below:

Megamos-Crypto-key-fob-cars-list

 

The Megamose has been tabbed as uncrackable - the 96-bit code exchanged between the key and vehicle means there are billions of possible combinations, making random guesses virtually impossible. However, hackers have discovered a way to listen to the radio communication between the key and car. They only need to hear the communication twice to be able to narrow the number of guesses to just over 196,000. With modern computers, hackers were able to build a "brute force" system that takes less than 30 minutes to figure out which one of the 196,000 combinations works for a certain car. Once the proper code is found, making a duplicate key that works like the original is easy.

FCA Recall

In July 2015, Fiat-Chrsyler recalled 1.4 million cars in the U.S. to fix a software vulnerability that could allow a hacker to remotely control the car over the Internet. A few days before the recall, an article was released claiming two cybersecurity experts had broken into a Jeep Cherokee's computer via the vehicle's Sprint data connection and were then able to infiltrate the vehicle's powertrain, sending the car into a ditch with a reporter inside. Chrysler said it will ship customers a USB stick they can plug into the car to complete the update themselves and that it had already patched a hole on the Sprint network to block such exploits.

Read the first-hand experience from the reporter who was driving the compromised Jeep, here.

We can compare the use of computers in cars to the development in our use of personal computers. Hacking exploded when the Internet evolved, making it easy to access computers via networks. Wireless connections mean your car is no longer a closed system. The only thing standing in the way of people hacking your car now is a standardized piece of software. This is certainly a concern that needs to be addressed sooner rather than later with the ISAC.

Share this:

Entrepreneur Link

Share

    

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all