We love our cars. They allow us to explore, are an expression of our individuality and surround us with a bubble of security and comfort. Or do they? The latest research from Privacy4Cars suggests that our sense of security in our cars might be a fallacy – vehicle hacking is the latest tool in the armory of operators who focus on cyber vulnerability. The hack exploits Bluetooth connectivity and targets a car’s infotainment system. Using readily available and inexpensive software and hardware, the hackers can access stored contacts, call logs, text logs, and in some instances even full text messages without the vehicle’s owner/user being aware. Victims are under threat when they sync their mobile phones to their in-car infotainment systems using Bluetooth.
However, the linkage might be taking place without the express intent of the device’s owner.
The hack, which has been called CarsBlues, is estimated to threaten tens of millions of car owners across the globe.
The vulnerability was discovered by Privacy4Cars founder Andrea Amico during development of the Privacy4Cars app in February 2018.
Amico, a vehicle privacy and cybersecurity advocate, notified the Automotive Information Sharing and Analysis Center (Auto-ISAC), an organization established by the automotive industry to share and analyze intelligence about emerging cybersecurity risks. Amico worked for months with Auto-ISAC to help its affected members understand how an attacker might access information stored in automotive infotainment systems.
Amico commented that both industry and consumers need to be aware of the threat. “Now that we have completed our ethical disclosure with the Auto-ISAC, we are turning our focus to educating the industry and the public about the risks associated with leaving personal information in vehicle systems,” said Andrea Amico. “The CarsBlues hack, given its ease to replicate, the breadth of situations in which it can be performed against unsuspecting targets, and the difficulty in detecting the exploitation, is a clear indication that industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems.”
Vehicle hacking – Fact not fiction
The movie industry thrives on fictionalizing threats – such as taking control of motor vehicles remotely – but is it all a complete fiction? Not according to Joe Fabbre, a Director with Santa Barbara, California-based Green Hills Software, which makes operating systems software for vehicles with a focus on security.
“That’s Hollywood sensationalizing it, but that is not really that far-fetched,” said Fabbre. “There are very skilled hackers out there who can beat through a lot of medium and low levels of robustness in terms of security that is present in a lot of cars today.”
Patching the vehicle hacking problem
A year ago, automotive manufacturer Fiat Chrysler was so alarmed at the results of a hacking demonstration that featured their Jeep Cherokee that the company sent USB sticks with security patches to 1.4 million owners.
Hackers Charlie Miller and Chris Valasek were able to compromise a Jeep Cherokee over the Internet to disable its transmission and control its steering and brakes.
Chrysler has taken the threat so seriously that they launched what is called a ‘Bug Bounty’, awarding white hat hackers $1,500 when they alert the automaker to potential software security vulnerabilities. Tesla already runs a bounty program and has paid as much as $10,000 to hackers who reported software vulnerabilities.
Automobile manufacturers are aware of the vulnerabilities of their vehicles and have now taken steps to ensure that they can provide patches wirelessly, without requiring owners to visit a dealership. This may raise other security issues. How comfortable are consumers with swapping the threat of hacking for a manufacturer who has access to their motor vehicle operating systems? The choice may now be out of their hands. Autonomous vehicles and the ever more popular concept of connected cars are placing buyers in a situation where they no longer own a car – they own a device which can be remotely accessed – and their personal data is at risk.
Automotive manufacturers are taking the threat extremely seriously – and they have every reason to. In 2017 Tesla sent patches to all X models after Chinese security researchers were able to access the X models’ brakes remotely, open doors and the trunk, and sync the lights to the in-car entertainment system, making them blink in time to music being played.
As carmakers continue to load their vehicles with the technology that consumers are now demanding, there will be an increased threat of vehicle hacking. However, automotive manufacturers are taking the threat seriously. Not all are on board yet, but the trend towards remote patching of operating systems seems to be the wave of the future. The threat of hacking still remains – and the custodians of personal data are now the automotive companies. Are cars safer than ever before? The answer is undoubtedly yes. Is our data safer than ever before? The answer is undoubtedly no. Cyber threats continue to pose a challenge. As we become a more connected society those threats will not disappear – they will only evolve. There simply is no speed limit to the threats on the information highway.