Hacking cars has made big headlines in recent months. Back in July of this year, security researchers Charlie Miller and Chris Valasek won the attention of the information security community and beyond when they successfully hacked a Jeep Cherokee’s computer via its Uconnect infotainment system.
The duo was able to rewrite the automobile’s firmware, tamper with the vehicle’s stereo and air conditioning system, and then finally kill power to both the transmission and the brakes.
In the months that followed the researchers’ car hacking demonstration, three Chrysler Jeep owners have filed a class-action lawsuit against Fiat Chrysler and Harman International, the maker of the Uconnect system.
The plaintiffs, the number of which is expected to grow to one million persons, have accused both companies of having refused to respond to flaws pointed out to them by Valasek and Miller as early as August of last year.
Chrysler has since recalled 1.4 million vehicles and sent owners a USB drive with a patch for the Uconnect vulnerability. At the same time, members of the United States Senate have introduced new legislation, entitled the SPY Car Act, that would require automakers to adhere to certain standards of protection against privacy and hacking that would be developed by the Federal Trade Commission (FTC) and the National Highway Traffic Safety Administration (NHTSA).
All of these events are in part a reflection of the extent to which Miller and Valasek’s hacking demonstration has drawn our attention to the need to protect the application layer in connected cars. Traditionally, we have only directed our focus to firmware and machine-to-machine security approaches.
But as we have seen, by hacking the infotainment system, connected mobile applications, or the OBD2 port – a highly vulnerable physical port which is commonly used to run diagnostics on a connected car – attackers can successfully compromise critical vehicle systems and valuable user data.
Acknowledging these threats, application protection firm Arxan has published an infographic that explains the threats confronting connected cars today and how drivers can protect against these risks:
Research conducted by Frost & Sullivan in collaboration with the Center for Automotive Research (CAR) reveals that connected cars have 16 clear points of vulnerability. Attackers can use a number of means to exploit these vulnerabilities, such as NFC, Bluetooth and 802.11p – a wireless standard that enables Intelligent Transportation Systems.
As the above infographic shows, once a malicious actor has gained access to a vehicle, they can extract a snippet of binary code, reverse engineer the vehicle’s software, tamper with the code, and then subsequently deploy their tailored malicious software back to the vehicle.
To protect against these and other threats, it is recommended that users:
- Keep cars updated, such as by implementing the fix issued by Chrysler earlier this summer for the Uconnect vulnerability,
- Do not jailbreak cars or any devices located therein,
- Exercise caution when plugging devices into the vehicle’s on-board USB ports,
- Verify with the automobile manufacturer that all applications are hardened against some of the most common security threats.
Title image courtesy of ShutterStock