A Blog by Jonathan Low

 

Jan 12, 2023

How Hackers Exploit the Vulnerabilities of Cars' Electronics, Remote Services

Automakers have followed tech companies' lead and made convenience the priority while relegating cybersecurity to afterthought status. 

But a growing number of 'relay attack' car thefts using telematics and other remote services - including wifi and Bluetooth - have created a security problem which could lead to higher rates of theft, accident - and insurance costs unless the companies take action. JL

Jonathan Gitlin reports in ars technica:

If you purchased a new car in the past few years, it contains an embedded modem to offer connected services. But these systems are a security nightmare. In 2015 researchers remotely disabled a Jeep Cherokee while it was being driven via the infotainment system. Since then, security flaws have been found in cars' Wi-Fi networks, NFC keys, Bluetooth, and third-party telematics systems. Armed with a vehicle identification number, hackers were able to access the remote services for cars including unlocking the cars and starting engines. It was also possible to take over a user's account with a VIN. Digital license plates are also exploitable.

If you purchased a new car in the past few years, chances are good that it contains at least one embedded modem, which it uses to offer some connected services. The benefits, we've been told, are numerous and include convenience features like interior preheating on a cold morning, diagnostics that warn of failures before they happen, and safety features like teen driver monitoring.

In some regions, connected cars are even mandatory, as in the European Union's eCall system. But if these systems sound like a potential security nightmare, that's because they often are. Ars has been covering car hacks for more than a decade now, but the problem really cemented itself in the public consciousness in 2015 with the infamous Jeep hacking incident, when a pair of researchers proved they could remotely disable a Jeep Cherokee while it was being driven, via an exploit in the SUV's infotainment system. Since then, security flaws have been found in some cars' Wi-Fi networks, NFC keys and Bluetooth, and in third-party telematics systems.

 

Toward the end of 2022, a researcher named Sam Curry tested the security of various automakers and telematics systems and discovered security holes and vulnerabilities seemingly wherever he looked. Curry decided to explore the potential holes in the auto industry's digital infrastructure when he was visiting the University of Maryland last fall after playing around with an electric scooter's app and discovering that he could turn on the horns and headlights across the entire fleet. After reporting the vulnerability to the scooter company, Curry and his colleagues turned their attention to larger vehicles. 

Curry said:

We brainstormed for a while and then realized that nearly every automobile manufactured in the last five years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.

The researchers found extensive problems with 16 OEMs, telematics services like LoJack, new digital license plates, and even Sirius XM radio.

Remote services

Armed with nothing more than a vehicle identification number, the hackers were able to access the remote services for cars from Acura, Honda, Infiniti, Kia, and Nissan, including locating and unlocking the cars, starting or stopping the engines, or honking the horns. It was also possible to take over a user's account with a VIN, and in Kia's case, the researchers could even access live parking cameras on a vehicle.

Genesis and Hyundai vehicles were similarly exploitable, albeit with an owner's email address instead of a VIN. Porsche vehicles were also susceptible to a telematics vulnerability that allowed Curry to locate a vehicle and send it commands.

Telematics exploits

The telematics company Spireon—which provides services like LoJack—had multiple security holes that allowed the hackers to gain "[f]ull administrator access to a company-wide administration panel with [the] ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware," Curry said. As a proof of concept, Curry and his colleagues "invited ourselves to a random fleet account and saw that we received an invitation to administrate a US Police Department where we could track the entire police fleet," he said.

Digital license plates recently approved for use in California were also exploitable. Curry discovered that he could gain super admin access and manage all user accounts and devices, including tracking the cars and changing the messages displayed on the e-ink license plates.

Corporate back-ends

Mercedes-Benz, BMW, and Rolls-Royce were all hacked via single sign-on vulnerabilities that allowed access to corporate networks and employee or customer personally identifiable information (PII). Ford's telematics API was susceptible to a hack that also revealed customer PII, while insecure direct object references allowed the hackers to find PII for Ferrari, Jaguar Land Rover, and Toyota Financial customers.
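The VIN-only access described under "Remote services" and the insecure direct object references mentioned above share one root cause: the server treats an identifier as if it were a credential. The sketch below is an added example, not code from the article, the researchers, or any automaker; it contrasts that pattern with an object-level authorization check, and every name, account ID and VIN in it is a constructed assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed enrollment records: VIN -> account enrolled for remote services.
ENROLLMENTS = {
    "TESTVIN0000000001": "acct-1001",
    "TESTVIN0000000002": "acct-2002",
}
ALLOWED_COMMANDS = {"locate", "lock", "unlock", "start", "stop", "honk"}


@dataclass(frozen=True)
class Session:
    account_id: str  # set server-side after login, never read from the request


class Forbidden(Exception):
    pass


def handle_command_weak(request: dict) -> str:
    """'Before' pattern: a known VIN in the request is the only check."""
    vin = request["vin"]
    if vin not in ENROLLMENTS:
        raise Forbidden("unknown vehicle")
    return f"{request['command']} sent to {vin}"


def handle_command(session: Optional[Session], request: dict) -> str:
    """Hardened: caller must be authenticated and enrolled for this VIN."""
    if session is None:
        raise Forbidden("authentication required")
    vin, command = request.get("vin"), request.get("command")
    if command not in ALLOWED_COMMANDS:
        raise Forbidden("unsupported command")
    # Object-level authorization. Unknown and foreign VINs get the same
    # error, so the endpoint cannot confirm which VINs are enrolled.
    if ENROLLMENTS.get(vin) != session.account_id:
        raise Forbidden("not authorized for this vehicle")
    return f"{command} sent to {vin}"


def is_allowed(session: Optional[Session], request: dict) -> bool:
    """Convenience wrapper for audits and tests: True if the command would run."""
    try:
        handle_command(session, request)
        return True
    except Forbidden:
        return False
```

The same ownership comparison applies to any endpoint that returns customer records by ID: the lookup key comes from the request, but the account it is checked against comes from the authenticated session.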

Finally, leaked Amazon Web Services keys gave the hackers access to satellite radio provider Sirius XM, with the "ability to retrieve all files, including (what appeared to be) user databases, source code, and config files."

More detailed descriptions of each vulnerability are documented on Curry's blog.

At least the holes should be patched now

The somewhat encouraging news is that the hackers' discoveries resulted in the affected companies fixing their flaws. Ars reached out to the companies for comment.

"Honda is aware of a reported vulnerability involving SiriusXM connected vehicle services provided to multiple automotive brands, which, according to SiriusXM, was resolved quickly after they learned of it," said a spokesperson for Acura and Honda. "Honda has seen no indications of any malicious use of this now-resolved vulnerability to access connected vehicle services in Honda or Acura vehicles."

A BMW spokesperson told us that "the BMW Group is continuously monitoring its system landscape for possible vulnerabilities or security threats. Additionally, we are also working closely with external security experts on a regular basis. The vulnerability mentioned in the SamCurry.net article [has been] known since the beginning of November 2022 and has been processed according to our security standard operating procedures (e.g., Bug Bounty Program). The addressed vulnerability issues were closed within 24 hours, and no data has leaked. Customers, employees, or vehicle-related IT systems were therefore not affected nor compromised."

Concerning the Ford telematics exploit, a company spokesperson said, "These issues were fixed after being reported through our bug bounty program."

A Hyundai and Genesis spokesperson said, "Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention. Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts—for either Hyundai or Genesis—were accessed by others as a result of the issues raised by the researchers.

"We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai/Genesis account and vehicle as well as the specific web-script employed by the researchers were required to be known," the spokesperson continued. "Nevertheless, Hyundai and Genesis implemented countermeasures within days of notification to further enhance the safety and security of our systems. Separately, Hyundai and Genesis were not affected by a Sirius XM authorization flaw that was recently disclosed. We value our collaboration with security researchers and appreciate this team’s assistance."

A Mercedes-Benz spokesperson told us, "We take every vulnerability report very serious. Two months ago, in November 2022, an external researcher (Sam Curry) contacted us regarding an improperly configured authorization management in some Mercedes-Benz applications that allowed the researcher to get access to these applications. The reported vulnerability is fixed, and the identified vulnerability did not affect the security of our vehicles."

A Porsche spokesperson said, "The safety and protection of the car software in our vehicles is always a top priority for Porsche. We permanently monitor our systems. We take any indications of vulnerabilities very seriously. Our top priority is to prevent unauthorized access to the systems in our vehicles by third parties."

A spokesperson for Reviver said, "We were recently contacted by a cybersecurity researcher regarding potential application vulnerabilities in the auto industry. Our team immediately investigated this report, met with the researcher, and, out of an abundance of caution, engaged leading data security and privacy professionals to assist."

"We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future," the Reviver spokesperson continued. "Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections. Cybersecurity is central to our mission to modernize the driving experience, and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles."

That proposed cybersecurity labeling program for connected cars is looking like a better idea all the time.
