Vehicle Information Security

2023: Popular Chinese cars in Russia are stolen using a code that can be obtained from a dealer or bought on AliExpress

In mid-July 2023, it became known that Chinese-made cars popular in Russia can be stolen by a code that can be obtained from a dealer or purchased on AliExpress.

The head of the laboratory "Author's protection against theft" Andrei Kondrashov spoke about the problem. To bypass the protection of the vehicle, it is enough to have a VIN number. In this regard, Chinese machines are much less resistant to autopsy compared to European ones.

Chinese-made cars can be stolen by code

By the VIN number of the Chinese car, you can get the manufacturer's PIN code to access the immobilizer. This is a vulnerability, because it is enough to contact the dealer for code, and such codes are also sold on Aliexpress. By VIN, you can get a code for a specific car, - said Kondrashov.

The problem is relevant for almost all Chinese cars massively present on the Russian market. These are such popular brands in the Russian Federation as Haval, Tank, Geely and Chery, as well as the latter's Omoda and Exeed brands. In addition, it says that attackers can use specialized equipment that can extract code to access the immobilizer from the car's electronic blocks.

The Chinese reduce production costs and, despite numerous beautiful displays in the cabin, their standard protective system is imperfect in terms of theft resistance, "Kondrashov said.

The head of the laboratory "Author's protection against theft" added that among cars in the budget segment, Korean Hyundai Solaris and Kia Rio are most susceptible to theft. Often these models are stolen to repair cars in taxi companies, using weak factory protection. Car-sharing companies also give outsourcing car services that use used parts to repair cars damaged in accidents.^[1]

2021

Global Automotive Cyber ​ ​ Protection Solutions Market Valued at $2 Billion

In 2021, the global market for solutions for cyber protection of cars for the year is estimated at $2 billion. Such data analysts MarketsandMarkets released in early February 2022. The growth in sales of connected and semi-autonomous vehicles led to an increase in the use of electronic components in the car, and this increased the complexity of the vehicle architecture and software coding, the study notes.

As of March 2022, cars contain an average of about 100 million lines of code and are equipped with complex software (software) developed by automakers. To ensure the safety and security of the entire vehicle codebase, OEMs choose endpoint security solutions. Moreover, the trend of mobile labor, social media, and cloud synchronization is expected to impact spending on endpoint security solutions. In 2021, 80% of the cost of solutions for cyber protection of cars fell on software, the rest - on equipment.

Spending on information security of cars in the world in 2021 amounted to about $2 billion

In-vehicle cybersecurity software requires several security features, such as secure protocols, identity and access control, intrusion detection, and abstraction levels for cryptographic functions. This functionality is then used by functional electronic control units (ECUs) to protect communications and prevent blackstocks. Therefore, the software segment is expected to hold the largest share in the automotive cybersecurity market.

In 2021, Asia Pacific accounted for the largest share of the market in question, followed by Europe and North America. People's growing awareness of active and passive security and increased sales of mid-range and luxury vehicles are key drivers driving the Asia-Pacific automotive cybersecurity market. Some component manufacturers have moved their car factories to developing countries due to low labor costs, ease of doing business and availability of raw materials. Several prominent semiconductor companies also have their manufacturing centers in the Asia-Pacific region. This helps them maintain an effective supply chain for their products for automakers.

Growing sales of systems-equipped vehicles and significant growth in the ride-sharing industry are likely to drive increased demand for automotive cybersecurity solutions in the Asia-Pacific region. Component manufacturers in Japan and South Korea are focused on developing self-driving cars. This is expected to spur demand for appropriate cybersecurity solutions.^[2]

Creating a consortium to protect cars from cyber attacks

In mid-August 2021, it became known that in order to prevent theft and theft of data, automakers will check the software of their machines for flaws in the security system and exchange information on cyber attack trends. To do this, the Car Connected Cybersecurity Consortium has been created, which will include more than 90 members. Read more here.

2019

Popular Volkswagen and Ford models hacked

In mid-April 2020, the British magazine Which? accused manufacturers of two of Europe's most popular cars - Volkswagen and Ford - of being careless about cybersecurity. Read more here.

Stopping just 20% of cars during rush hour completely paralyzes traffic in the city

In the future, the number of self-driving cars will grow to 10 million, according to scientists from the Georgia Institute of Technology. This became known on July 30, 2019. Scientists fear that cybercriminals will be able to paralyze urban traffic by hacking only a small part of self-driving cars.

The main consequences of such cyber attacks on unmanned vehicles will be road accidents, as well as huge traffic jams, which will hit ambulances with wounded, sick and dying people.

Researchers simulated a situation in which hacking multiple self-driving cars could affect urban traffic in Manhattan (New York City area).

Stopping just 20% of cars during rush hour completely paralyzes traffic in the city, researchers say. The city will be divided into several sectors, which will allow you to move between neighborhoods, but it will no longer be possible to get to the other end. Hacking and forcibly stopping 10% of cars during rush hour will block the movement of ambulances. The results of the study also showed that such consequences can occur at any other time of the day.

Researchers recommend that self-driving car engineers link cars with multiple digital networks to prevent an attacker from accessing each car by compromising one or two networks^[3].

2018: "In terms of its vulnerability, cars resemble PCs of the early 90s." Why motorists should be wary of hackers

In 2017-2018, it is fashionable to speak publicly about "thinking" machines and the danger posed by robots that have come out of obedience or, as they are called, killer robots. There are even relevant legislative initiatives, such as the Campaign to Stop Killer Robots^[4]. Despite the obvious dubiousness of the danger of autonomous deadly weapons, prominent people are already opposing it. For example, astronomer Stephen Hawking, entrepreneurs Elon Musk and Stephen Wozniak, linguist Noam Chomsky and other equally well-known personalities signed a letter warning of danger.

Yes, it is quite possible that this threat will once arise, but most likely it will turn out to be just a harmless horror story. In fact, in our rapidly changing world there are other, less well-known, but much more real dangers generated by new technologies. One of them is the information insecurity of modern cars. This problem was discovered and opened in 2012 by two: in the past, an analyst at the National Security Agency, and at USA that time, a security engineer Twitter in Charlie Miller and at that time the head of IOActive, Chris Valachek. It was later revealed that the work was funded by the defence agency DARPA.

In parallel with two hackers, the problem of information security of cars was dealt with at the Center for Automotive Embedded Systems Security (CAESS), created jointly by the University of California, San Diego and Washington State University . [1] There are a number of useful articles on his website.

The previously unknown danger is generated by the vulnerability of telematic systems that modern cars are equipped with. Not some hypothetical, but a completely real external intrusion can deprive the driver of the ability to drive a car and make it a source of danger not only for those inside, but also for others. In recent years, we have witnessed terrorist acts involving stolen cars. Now imagine that the car is captured and under remote control of the attacker. And that's reality, not fiction.

The reason for the vulnerability lies in the process of active computerization of cars that began in the 90s. First of all, individual automation elements began to unite industrial controller^[5] in the CAN network^[6]secondly, a wide variety of telematic systems were proposed for communication with the outside world.^[7][8]

External accessibility to all systems from headlights to brakes has created an opportunity for a hacker attack on a car with all the ensuing consequences. The first report on the hacking of a car equipped with a telematic system was made in Forbes magazine in 2013.^[9] And in 2015, Wired published a sensational article^[10]shows very vividly from the video how Miller and Valachek captured Jeep Cherokee and, remotely driving it, did everything they wanted, despite the driver's attempts to stop this disgrace. They eventually drove the unfortunate one into a ravine. However, all this happened with the consent of the owner of the car, later he became the author of the article. For all its brutality, the experiment passed without violations, since Miller and Valachek classify themselves as ethical or white hackers (white hats). They reported the deed to Chrysler, as is customary in such cases, in 9 months so that it could carry out the necessary measures to recall the machines.

White hats are considered good guys because when systems are hacked, they follow accepted rules and recognize responsibility to the law.

Grey hats may have good intentions, but after discovering vulnerabilities, they do not always report them immediately. At the same time, they consider themselves good, and the law may be wrong.

Black hats are considered cybercriminals. They do not distinguish between legal and illegal, use the discovered vulnerabilities for personal or political purposes, but can simply for pleasure.

In its impact on public opinion, this and several other related publications can be compared with the famous book "Dangerous at Any Speed: The Designed-In Dangers of the American Automobile," published in the USA in 1965 by Ralph Nader, where the author revealed the safety problems of American models of those years. Under the influence of the book, the automotive industry around the world has noticeably reoriented itself, making safety one of the most important priorities.

Chris Valacek, left, and Charlie Miller

Prior to the work of Miller and Valacek, society had no idea that cars remained completely open to external influences - the more expensive, the more. Almost all manufacturers supply their products with telematic diagnostic systems with access by cell phone or by. Wi-Fi Y General Motors is OnStar, y Toyota is Safety Connect, y Ford is SYNC. Their profits are several billion and are projected to dollars increase by an order of magnitude in the next decade. A complete overview of existing telematic systems can be found link]. The type of vulnerability discovered by Miller and Valacek was called Jeep hack in memory of the fact that the subject of the test was Jeep Cherokee.

At Defcon 2015, Miller and Valacek provided a 92-page report where they systematized threats and ranked car models by degree of security. In his speech, Miller said:

In terms of their vulnerability, cars resemble PCs of the early 90s, when mass Internet connection began. The current cars remain preserved only because there are no those who know how to hack them

In the civilized world, they reacted seriously to possible threats, mass publications wrote about them, in particular the English Guardian^[11]. The most interesting articles on car-hacker are published in Wired. In 2016, the quite serious book The car hacker's handbook was published, its text is in the public domain.

Miller and Valachek focused on the vulnerabilities of telematics solutions of certain vendors. Car manufacturers took the Jeep hack threat seriously and made appropriate changes to telematics systems, ending the ability to externally control the car. The solution was easy because intrusion detection systems known as IDS/IPS can be used. Most telematic systems allow the necessary upgrade, and for the case when this is impossible, special protective devices have been created, their price does not exceed $150.

Vehicle Intrusion Protection Device

After the Jeep hack problem was resolved, another, much more serious one was revealed. It is associated with the imperfection of the standards by which CAN (Controller Area Network) networks are built. The idea of ​ ​ CAN was proposed in the mid-80s by the German company Robert Bosch, which conceived it as an economical means of combining controllers. The relevance of this task is understandable to anyone who has ever seen communication systems in automation objects. These are kilometers and kilometers of cable wiring, which entangle industrial facilities, power units, and even aircraft. The traditional method of connecting the controllers distributed across the object with harnesses of wires in terms of their technical complexity, price and weight parameters for such a mass product, which is a car, turned out to be unsuitable. An alternative solution was required to reduce the number of wires, so a CAN protocol was proposed for which any wired pair was sufficient. Switching to CAN saves a few kilograms of copper on each car and makes wiring easier.

Posting without CAN and with transition to CAN

The CAN protocol was created in 1983, and in 1993 it was adopted as ISO 11898 by the International Organization for Standardization and approved by government bodies in most countries of the world. It was created without assuming the possibility of a malicious intrusion into the network, so it does not even provide a theoretical ability to detect malicious actions addressed to CAN. As of 2018, CAN is an integral part of any vehicle.

The object of the CAN attack is the messaging system, the so-called frames. According to the logic of its operation, CAN is a reduced Ethernet. They are united by the need to detect and correct the consequences of collisions, that is, those cases when the transmitter accesses a medium occupied at that moment by another transmitter. In Ethernet, this is called Carrier Sense Multiple Access with Collision Detection (CSMA/CD).

In CAN, this mechanism is simpler - if a collision occurs, the transmitter tries again. Under normal conditions, a limited number of attempts are required to establish communication, but if the transmitter is "too intrusive" for some reason, it is transferred to passive. It is this type of action that is unprotected and can become the subject of an attack. That is, an attacker can reprogram an electronic controller (ECU) or engine control unit, or simply disable this or that controller. Without revising ISO 11898, this vulnerability cannot be ruled out, this is a minus. But there is also a plus. Unlike Jeep hack, implementation is possible only with direct contact with a car, it is impossible to harm remotely. For this reason, personal cars are less susceptible to threat than those at the box office or karshening, and these forms of use are constantly expanding.

For several years, a number of companies have emerged that professionally deal with the information security of cars, of the most famous are Trend Micro, as well as the young Argus^[12] and NNG^[13]

Notes