This article will cover the general nature of cybersecurity in vehicles and its importance in keeping the vehicles safe from car hacking. Cars consist of many components that could be potentially vulnerable to cyber-attacks. The future of autonomous and electric vehicle infrastructure expands the attack surface that could leverage mayhem.
- On vehicle or near physical access attack surfaces
- Infotainment System
- Keyless Entry
- OBD II
- CAN Bus
This convenient technology is used to transmit data between two devices, such as the infotainment system and your cell phone. Typical infotainment to phone connections via Bluetooth would pose relatively minimal security concerns. Yes, someone could steal information, but could they take control of the vehicle? Probably not, unless the Bluetooth module had a vulnerability, and it communicated with the CAN. Typically a gateway is used as an intermediary to communicate with the CAN, which adds another layer of complexity. What if that Bluetooth device is connected to, let’s say, the OBD II port?
Many third-party companies produce OBD II / Bluetooth devices that provide a myriad number of solutions. These devices communicate with the CAN Bus via the OBD II port and provide the end-user with data through a Bluetooth connection to another device.
Those OBD devices, depending on their use case, could be used to inject malicious CAN messages into the vehicle. There have been vulnerabilities leveraged to attack a vehicle through OBD II / Bluetooth devices. Immobilization and engine shut-off, to name a couple.
Overall the attacks are relatively difficult, and the ability to affect many devices at once would pose a challenge. Bluetooth, in general, is limited to around a 30-foot connection. Additionally, you would most likely need a vulnerable device in between to manipulate CAN Bus messages effectively.
The OBD or On-Board Diagnostics is a system used to communicate with the vehicle’s network. This system allows technicians to read fault codes and diagnose issues within the vehicle. Since the port communicates with the CAN, it could be used to manipulate messages and affect a vehicle’s operation.
CAN messages are not standardized between OEM’s making these attacks a little more complex. Heavy diagnosis of the specific vehicle messages needs to occur through a CAN sniffer, then injection of malformed data catered precisely to what you may want to do. Although simply flooding the CAN with junk could produce erratic behavior as well.
OBD is another attack surface on a vehicle that could be utilized, but physical access is typically necessary. This poses challenges and generally limits the risk factor to a single-vehicle.
What about the big impact attack surfaces?
- External vehicle or remote access attack surfaces
- Web apps
- Mobile apps
- Charging stations
- OTA updates
- Telematics System
Since the introduction of connectivity to vehicles, attack surfaces in the automotive space have widely increased. Before connectivity, you pretty much needed to be at the vehicle to be a threat.
Fortunately, we have not had any major concerns as of yet. Vehicles today typically communicate through dedicated telecommunication infrastructure or local devices from its users. Over the air (OTA) updates are becoming common; manufacturers use this to push updates to many vehicles at once. Now think back to when ASUS had their automated software update tool breached.
Imagine if someone was capable of doing this to a manufacturer, it could be catastrophic. Fortunately, at the moment, this type of attack is not the work of a script kiddie in mom’s basement.
The Future of Car Hacking & Vehicle to Vehicle Communication
Great advancements in-vehicle technology are happening at a rapid pace. Vehicle to vehicle communication is one of those rapidly advancing things. The DOT has pushed to make it standard technology within vehicles. This technology will bring many great safety features to prevent car accidents, a critical issue in transportation.
The internet is a massive web of computer to computer communication that allows us to visit websites like ZEV Society. That massive web of connectivity allows anyone, from anywhere, to do bad things too.
When vehicle to vehicle communication becomes commonplace, that similar web will be created for our cars. This web will be of the most critical components in the vehicle, ensuring it drives safely down the road. Manipulation of this communication could pose a critical issue to drivers on the road.
This landscape rapidly increases when infrastructure is coupled in the communication network. What will validate communication sessions between a traffic light and a vehicle? What will stop a bad actor from creating a simulated traffic light at a congested intersection? Real-time validation of trusted certificates, maybe? We aren’t totally sure, but these guys tend to agree.
Fortunately, we have ever-advancing technology and security practices that will make attacking technology like this difficult. Security embedded into the development of vehicle components is a critical aspect that many manufacturers and suppliers are aware of. The future of cars and their connectivity will be an exciting and historical time.