Car Hacking: Security audits for connected cars

car hacking

Cars have gradually moved from being purely mechanical to becoming more and more sophisticated and with a higher percentage of electronics involved in their operation, not only in the interior or the infotainment system, but also for the control of some engine functions, to monitor parameters with sensors, and also to implement all the so-called ADAS and more recently ADS. For this reason, car hacking is becoming increasingly important.

New connected and autonomous cars are vulnerable to certain attacks, for this reason, knowing about car hacking and carrying out security audits on vehicles can be interesting to deal with. detect and cover security gaps that could be exploited by cybercriminals.

What is car hacking?

car hacking

El car hacking Cybercrime is a branch of cybersecurity that focuses on exploiting vulnerabilities in vehicle electronic systems. As cars become increasingly connected and autonomous, they also become more vulnerable to these types of attacks, since they are basically computer systems on wheels…

Attackers can access a vehicle's systems through a variety of methods, including:

  • Wireless Networks: Exploitation of vulnerabilities in the vehicle's Wi-Fi, Bluetooth, or cellular networks to gain remote access to the infotainment system and other connected subsystems.
  • Diagnostic ports: by physically accessing the OBD-II diagnostic port to manipulate vehicle systems.
  • Buses: such as the case of CAN, a standard in cars that can be vulnerable and that connects the different ECUs of the vehicle.
  • Vulnerabilities in software: exploitation of bugs or vulnerabilities in the vehicle's software, including the operating system, applications and communication protocols.
  • Other:There may also be weaknesses in RF-based vehicle locking systems that could allow doors to be opened for burglary, and even the vehicle to be started.

The targets of attacks Car hacking techniques are diverse and can range from stealing cars themselves by unlocking and starting them, to spying on their occupants (personal data, routes, current location, etc.), and even sabotage by manipulating vehicle driving systems or ADAS systems, which could lead to a fatal accident.

traffic accident vulnerability cyber attack

To get this, attack techniques The techniques used by cybercriminals, and the same ones used by ethical hackers to locate and try to reinforce the system, range from reverse engineering of software or hardware elements of a vehicle model identical to the one to be attacked in order to detect vulnerabilities and exploit them, to brute force attacks to gain access to password-protected services, reverse engineering, sniffing of communications traffic, through the injection of malicious code into vehicle systems, to others such as relay attacks, which intercept and retransmit wireless signals in order to open or start the vehicle, fuzzing, etc. In the case of autonomous cars, the problem may be even worse, since a vulnerability in the driving system could give the attacker the possibility of changing the destination route, moving the car remotely, and even causing an accident.

In addition, they are becoming increasingly important mitigation techniques, from implementing encryption on the CAN bus, to strengthening authentication systems, through other techniques such as monitoring networks and intruders, implementing firewall measures on networks and malware protection software, or even AI-based systems to detect attack patterns and predict threats.

Examples of real attacks

The real attacks on vehicles They offer us a valuable lesson about existing vulnerabilities and the techniques used, as well as warning us about potential problems in the future. Some of the most well-known cases include:

  • Jeep Cherokee HackIn 2015, security researchers demonstrated how they could remotely control a Jeep Cherokee via its infotainment system, taking control of the brakes, steering and engine. This case highlighted the vulnerability of internet-connected systems in vehicles.
  • Tesla Hack: Although Tesla has implemented strong security measures, there have been reports of hackers who have managed to unlock vehicles and access their systems. This underscores the importance of keeping security systems up to date and being on the lookout for new vulnerabilities.
  • Other:There have also been reports of attacks on other well-known models and brands such as BMW, Mercedes-Benz and Audi, which have also been subject to relay attacks, information theft, etc.

And if we count the possible rear doors that some manufacturers might implement in their units, then things get even murkier…

Legal aspects

legal aspects

Growing concerns about the security of connected vehicles have led to the implementation of new regulations and standards:

  • UNECE R155: United Nations regulation establishing cybersecurity requirements for connected vehicles.
  • ISO/SAE 21434: is an international standard that defines a cybersecurity management process for the vehicle development life cycle.

However, this is not the only legal aspect that is of concern for the future, as there are still challenges to be resolved as technology advances. And it is necessary that, just as they are subjected to safety tests such as Euro NCAP, there is also a need for cybersecurity testing before a model goes on sale.

The possibility of an autonomous vehicle being hacked and causing a fatal accident poses an extremely complex scenario from a legal standpoint. It is uncharted territory that challenges existing legal frameworks, which are mostly designed for human-caused accidents. That is, there are laws to prosecute crimes of murder, manslaughter, attack on public health, etc. But what happens in these cases? Who is responsible? Is it the vehicle manufacturer if it is discovered that they were aware of the security vulnerability and did not fix it? Could regulatory authorities who did not establish adequate regulations for security also be sued? What if the responsible cyber attacker cannot be identified?

Potential danger of CAN Bus

El CAN bus was designed for communication between automotive components, prioritizing speed and reliability over safety.This means that it lacks robust authentication, encryption or access control mechanisms. On the other hand, it connects to a wide variety of vehicle components, meaning that an attacker who compromises a single ECU (Electronic Control Unit) could gain access to the entire system. Added to this is the lack of fencing or segmentation between the systems that this bus interconnects, which allows the attack to spread.

If an attacker wants to take advantage of the CAN bus, he could inject false messages to manipulate vehicle functions, from engine control to braking systems, etc. As can be seen in the image, the CAN bus connects a multitude of electronic subsystems related to the engine, steering, brakes, lights, ADAS systems, airbags, etc., all of them critical.

Tools for car hacking

Finally, if you want to start researching car hacking and try it yourself, you should know that there are some very interesting tools in the market:

*Note: Some countries, such as Canada, are considering banning tools like Flipper Zero.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.