In an age where it seems like there’s a daily news story about a data breach, there was always at least one place where we felt safe: our cars. But as our vehicles become increasingly smart and an extension of our mobile phones, users’ security and privacy are being threatened.
Yes, as the technology we use expands, our vulnerability surface increases dramatically. Ultimately, this is yet another vulnerability to consider for your safety and security. As our technology and our dependence on it grow, so does the opportunity for bad actors to take advantage of that dependence. Luckily, there are relatively simple measures you can take to protect yourself.
The vulnerabilities of modern cars
The difference with car vulnerability is that you’re not just talking about your personal data being compromised, but also about influence over your car, which, while you are driving, could affect your immediate physical safety. In terms of privacy, the onboard computers of used, rented, or crashed/totaled vehicles can contain sensitive residual data from previous drivers, such as contact and calendar details, unencrypted videos, etc.
The lack of one single “gatekeeper” is a substantial issue for modern car vulnerability. In addition, the patchwork of various technologies being meshed together means not only is there not one single overseer of that technology but also that protocols are set without security in mind. Why? Because they need to be able to communicate with each other easily.
In addition, we see the same vulnerabilities that you have with your phones and computers: protocol vulnerability. The difference is that bad actors could have access to the electronic control units (ECUs), which communicate with each other to access and control the subsystems in a car, such as your braking or navigation system. A hacker could access vehicle information and use it to influence the vehicle, such as the alert systems within the car. They could also access personal information such as home addresses or phone IPs.
Techniques hackers use to compromise a car
Unfortunately for the victims, the access control points available to hackers are plentiful: applications, WiFi, or Bluetooth. Case studies have found little or no code to prevent the electronic unlocking of doors, lack of encryption of username or password credentials, and an ability to incorporate mobile trojans to compromise the apps. Hackers can install infected apps, malware, or malicious code within the vehicle system with this easy access.
The wireless key fobs used to lock/unlock and start the ignition on many cars are convenient but vulnerable to attack. A key fob works by transmitting a wireless signal on a specific frequency, which the car’s receiver interprets as an instruction. These signals can be intercepted with readily available tools and can be impersonated by an attacker to gain unauthorized access to the vehicle or even steal it.
A traditional replay attack works by intercepting and recording the wireless signal from the key fob and then mimicking the signal to gain access. The frequencies used by most vehicles and key fobs modulate, so they aren’t the same every time, which mitigates these kinds of replay attacks, but there are more advanced techniques to circumvent the modulation.
A roll jam attack is a technique where an attacker intercepts and records the signal from the key fob but blocks it from reaching the car. Typically the car’s owner will attempt to unlock the car again, which allows the attacker to capture the subsequent frequency in the modulation sequence. Of potentially greater concern is the follow-on vulnerability that comes with the car’s lack of security: the user’s phone, which is usually connected to the vehicle via WiFi or Bluetooth. Without adequate security protocols on the phone, the user could be granting backdoor access to personal and/or financial information.
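The replay and roll jam paragraphs above, as an added example that is not from the original article or from any manufacturer's implementation: a receiver-side check for a fob signal that changes on every press. The HMAC-over-counter scheme, the `WINDOW` value, the sample key and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how many missed presses the car tolerates


def code_for(key: bytes, counter: int) -> bytes:
    """One-time code for a press counter (HMAC is this example's assumption)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self):
        self.counter += 1  # every press uses a new counter value
        return self.counter, code_for(self.key, self.counter)


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, counter: int, code: bytes) -> bool:
        # Replayed or stale: counter is not newer than the last accepted one.
        # Too far ahead: counter falls outside the look-ahead window.
        if not self.last < counter <= self.last + WINDOW:
            return False
        if not hmac.compare_digest(code, code_for(self.key, counter)):
            return False
        self.last = counter  # every code up to this counter is now dead
        return True


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample secret
    fob, car = Fob(key), Receiver(key)
    heard = fob.press()    # reaches the car
    unheard = fob.press()  # signal never reached the car
    later = fob.press()    # owner presses again; the car hears this one
    pending = fob.press()  # another press the car never heard
    return {
        "fresh": car.accept(*heard),
        "replayed": car.accept(*heard),
        "later": car.accept(*later),
        "stale_unheard": car.accept(*unheard),
        "pending_unheard": car.accept(*pending),
    }
```

The `stale_unheard` result shows that a later accepted press invalidates any earlier code the car missed, while `pending_unheard` shows that a missed code stays valid until that happens.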
How users can protect themselves
As with best practices for your phone and computer, ensure your smart system is continually updated. Users can check for updates online by looking up the smart car make and model. You should also sign up for manufacturer updates, so you are automatically notified when they report issues and updates.
Users should also only use official apps from legitimate sources to prevent possible attacks. When selling a smart car or returning a rental, always be sure to wipe all the sensitive data stored on the vehicle’s onboard computer. Installing antivirus software and using a VPN on your mobile device are also baseline yet essential defense mechanisms. Finally, always ensure your WiFi connection is secured and does not use default passwords.