Cyber attacks on cars

The main articles are:

• Cyber attacks
• Autopilot (self-driving car)
• Vehicle-to-Everytning (V2X) 5G in car evolution

2023

A new method of stealing cars using Nokia phones has appeared in the United States

On April 23, 2023, it became known that USA a common type of theft appeared in, cars during which criminals use it phones NOKIA 3310 to interact transport with the tool control system.

This method of theft allows a thief, even without technical experience, to steal cars without a key in 10-15 seconds. Thanks to devices that can be bought on the Internet for several thousand dollars, the entry barrier for stealing even expensive luxury cars is sharply reduced.

In fact, the device does all the work for the hijacker. All the thief has to do is crack the front headlamp and rip out the car wiring. After that, the hijacker can connect the device to the CAN bus and send messages instructing the internal systems of the car to remove all locks, narrated by Ken Tindell, CTO of car cybersecurity company Canis Labs.

This method of theft applies to Toyota, Maserati, Land Cruiser and Lexus cars. On the Internet and in various Telegram channels, this technology is sold at prices ranging from $2,700 to $19,600. Despite its high prices, some modified NOKIA 3310 phones contain components for only $10 - a chip with CAN hardware and firmware, as well as another chip associated with CAN.

Illustration: securitylab.ru

The researchers called the attack CAN Injection (Controller Area Network, CAN). When attacked using CAN injection, thieves have the ability to send fake messages to the car system as if they came from a smart key receiver. These messages allow you to unlock the vehicle and turn off the immobilizer (anti-theft system) of the engine, allowing you to steal a car as a result.

After the device manufacturer reconstructed the messaging of a particular car, building each device would take only a few minutes. The whole job is to solder a few wires.

According to the researchers, the only correct solution would be to enter cryptographic protection CAN for messages. This can be done with an update. ON

The software is simple, and the only difficult part is the implementation of the cryptographic key management infrastructure. But since automotive platforms already use cryptographic solutions, this infrastructure either already exists, or it still needs to be built, noted experts.

As Ken Tindell reported, the problem is actively discussed with various automakers, and there is every chance that in subsequent generations of well-known brands access to the CAN tire will be implemented in a different way, or additional protection systems will be introduced, which will reduce the likelihood of car theft by this method.

Earlier this month, Ken Tindell also described a way to steal cars using a JBL Bluetooth speaker based on direct access to the system bus via headlamp wiring. The worst thing is that cars of many brands are subject to this method, since in almost all models the wiring is organized in a similar way. The first to sound the alarm was Eun Tabor, a cybersecurity researcher and automotive consultant at EDAG. Its Toyota RAV4 was prepared for theft for several days, gradually hacking into external electronic components^[1]

Cybersecurity expert discovers 4 critical vulnerabilities in Toyota systems in one week

cyber security An expert from USA Eton Zweare found 4 critical in vulnerabilities systems in one week. Toyota This became known on February 8, 2023. The specialist managed to hack the global supplier information management system. Toyota (G-SPIMS) More. here

Vulnerabilities in BMW, Mercedes and Ferrari systems allow you to remotely drive a car

Vulnerabilities in BMW, Mercedes and Ferrari systems allow you to remotely drive a car. This became known on January 9, 2023.

Errors affect Mercedes-Benz, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar and Land Rover, as well as fleet management company Spireon.

Spireon owns several brands of GPS vehicle tracking and fleet management, covering 15 million connected cars as of January 2023. The most dangerous errors were contained in Spireon systems and included:

• several vulnerabilities that allow you to inject SQL injections;
• RCE bypass vulnerabilities authentications that allowed full control of any vehicle.

According to analysts, with the help of these shortcomings, it was possible to get full access to the dashboard of the entire Spireon company, and then send arbitrary commands to all 15 million cars - open the doors, activate the horn, start the engine and turn off the starters.

The danger is that the attacker could track and turn off the starters of emergency vehicles, police, ambulances and law enforcement in major cities.

Access controls were discovered on Ferrari systems that opened access to JavaScript code for several internal applications. The code contained API keys and credentials that could allow an attacker to seize (or delete) their accounts. In addition, using a POST request, it was possible to establish superuser rights or become the owner of Ferrari.

The lack of access control could also allow a cybercriminal to create and delete accounts of staff back office administrators and then modify websites owned by Ferrari, including its CMS system.

An incorrectly configured single sign-on (SSO) system for all BMW and Rolls-Royce employees and customers allowed a hacker to access an internal dealer portal, request a VIN number and obtain all documents about the sale of the car.

Using an incorrectly configured SSO system at Mercedes-Benz, it was possible to create a user account on the site for car services and request tools and spare parts.

Experts also used this account to log into the Github Mercedes-Benz, where internal documentation and source code for the company's various projects were stored, including the Me Connect app used by customers to connect remotely to their vehicles.

Also, specialists managed to penetrate the Slack communication channel and impersonate an employee of the company, who, using social engineering, could increase his privileges in the Mercedes-Benz infrastructure.

Vulnerabilities in Porsche and Toyota systems allowed:

• remotely locate and send commands to Porsche cars;
• find out the name, phone number, email address and credit status of Toyota Motor Credit customers.

The flaws were discovered by cybersecurity researcher Sam Curry of Yuga Labs and reported them to automakers. As of January 9, 2023, all flaws have been fixed^[2]

2022

The Russian darknet began to offer services for remote hacking of cars

In December 2022, it became known that hackers on the darknet began to offer residents of Russia remote hacking of "smart" cars. In this regard, an increase in the number of car thefts is expected.

According to RIA Novosti with reference to the data of the NTI "Autonet," the cost of the "service" lies in the range from 45 thousand to 100 thousand rubles, depending on the region. Experts attribute the appearance of unprecedented proposals to a shortage of spare parts and suggest that the target audience is not ordinary hijackers, but garage car services.

Hackers on the dark web began to offer residents of Russia remote hacking of "smart" cars

The new method of hacking cars is actively gaining momentum in the shadow segment of the Internet, noted in the NTI "Autonet." Hackers offer remote hacking of the car itself, theft of on-board computer data and removal of mechanical parts.

In December 2022, experts found 12 similar ads on the "dark" Internet, while previously their presence was not recorded. At risk - both ordinary cars and cars of car-sharing services. In all likelihood, the tasks of remote hacking may be set by unofficial car services that are faced with a lack of parts for repair: as a result, they have to use stolen parts.

If the car is hacked in this way, it does not guarantee theft, experts say. However, a dangerous malfunction may occur on the road - for example, brake failure or loss of control.

According to forecasts of NTI "Autonet," in 2023 the number of thefts and hacks of cars in Russia will grow. The reasons are the inaccessibility of new cars and the shortage of components.

At the same time, in 2022, the number of car thefts decreased by 7% compared to last year. The favorites of the hijackers still include Korean cars: the first place is taken by Hyundai Santa Fe, the second - Kia Sportage.^[3]

A hole in the Hyundai mobile app allowed car thieves to easily take possession of cars

In early December 2022, it became known that the same bug in the regular operation of MyHyundai and MyGenesis mobile applications allowed hackers to remotely unlock and start Hyundai and Genesis cars, as well as several more brands of cars. Read more here.

Kaspersky Lab warned about the risks of using third-party applications for auto

Specialists Kaspersky Lab"" analyzed 69 third-party mobile applications for connected cars and identified the main threats that drivers may encounter when using them. This became known on May 25, 2022. Experts found that more than half (58%) of such programs, requesting accounts data of car owners, do not warn of possible privacy threats. The five automotive brands, the management of which is most often offered by third-party applications, include,,, and Tesla. Nissan Renault Ford Volkswagen

Mobile applications for connected cars allow drivers to remotely control the vehicle, for example, remotely start the engine, lock or unlock doors, and heat the interior. Most car brands have their own apps, but third-party ones have their advantages for drivers, as they offer additional features.

To secure data, some third-party developers suggest using a special program key (token) used for authorization instead of a username and password. However, if such a token is compromised, attackers will be able to access the user's car in the same way as if they used regular credentials. Thus, authorization tokens do not provide complete security, and the car owner risks losing control of his car. At the same time, only 19% of developers talk about risks openly, without trying to veil information using small print.

Also, Kaspersky Lab found that in every seventh (14%) application there is no information on how to contact developers or leave a review. This eliminates the possibility of reporting a problem or requesting additional information. The lack of contact details may be due to the fact that often such applications are developed by enthusiasts who, unlike official car manufacturers, are not obliged to take care of the safety of their users' data.

Kaspersky Lab experts note that 46 out of 69 applications are either free or offer to try demo mode. This fact, combined with the number of downloads - only from Google Play by May 2022, they had been downloaded more than 230 thousand times - gives an idea of ​ ​ how many car owners could potentially open up the ability for attackers to access their cars.

Шаблон:Quote 'author = commented Sergey Zorin, Head of Transport Systems at Kaspersky Lab.

2021

Panasonic has developed a cyber defense system for Internet-connected cars

The Japanese the corporation Panasonic intends to present, safety system preventing cyber attacks and seizing control over the connected. cars The solution is of particular relevance due to the massive spread of To the Internet autopiloted transport plug-ins and tools and their vulnerability to. hackers This became known on November 24, 2021. More. here

QRate and Innopolis University defended an unmanned vehicle using quantum cryptography

On May 12, 2021, it became known that the research and production company QRate and Innopolis University implemented a project to protect the autonomous control systems of an unmanned vehicle using quantum communications technologies. Read more here.

Internet cars vulnerable to cyber attacks

On February 25, 2021, Trend Micro Incorporated, a cybersecurity representative, announced the results of another major study on the safety of connected cars, a technology that is part of the Internet of Things. A study by Cyber ​ ​ Security Risks of Connected Cars describes several scenarios in which drivers may face attacks that threaten their safety and the safety of others.

To assess the risks of cybersecurity, Trend Micro researchers studied the attacks that have already been attempted. In recent years, many works on this topic have been published, but the company focused on remote attacks, as a result of which at least one electronic control unit in the car was hacked. In particular, the company used four well-studied cases:

1. In 2015, attackers discovered an easy way to send commands to Jeep cars of the American manufacturer Chrysler using Telnet technology through an unprotected port. This led to the recall of 1.4 million cars.

2. In 2016, it became known about the possibility of interfering with the computer system of the Tesla Model S car. This was discovered by experts from the Tencent Keen Security Lab, thanks to which the manufacturer fixed errors.

3. A year later, in 2017, the situation repeated itself with two Tesla models: Model S and Model X. The manufacturer again corrected the errors discovered by Tencent Keen Security Lab employees.

4. In 2018, Tencent Keen Security Lab managed to attack connected BMW cars.

The report reveals the scale of the cybersecurity risks studied. The researchers evaluated 29 real-world attack scenarios according to the DREAD threat model [1], which allows a qualitative risk analysis. Such attacks can be remotely carried out against victim vehicles and/or from them. Here are some examples:

• DDoS attacks on intelligent transport systems (ITSs) can disrupt communication with cars, and the risk of this is very high;
• open and vulnerable connected automotive systems are easy to detect, which increases the risk of abuse;
• more than 17% of all investigated attack vectors were at high risk: they require only a limited understanding of connected car technology and can be performed even by a low-skill attacker.

Our research shows that attackers have the ability to abuse connected car technology, "says Rainer Vosseler, threat research manager at Trend Micro. - Fortunately, the possibilities for attacks are limited, and criminals have not found reliable ways to monetize them. With the advent of UN regulations mandating that all connected cars have built-in cybersecurity solutions, and with the preparation of the updated ISO standard, it is time for industry stakeholders to ensure better detection and elimination of cyber risks, as the future is approaching in which connected and autonomous cars will be found everywhere.

By 2030, the number of connected cars will reach 700 million, and the number of autonomous vehicles will approach 90 million, "adds Trend Micro CTO in the Russian Federation and SNGMikhail Kondrashin. - In fact, at the beginning of 2021, each car is equipped with technologies for connecting to the network. Therefore, the question of their protection is relevant.

More than 125 million passenger cars with built-in internet connectivity are projected to be delivered worldwide between 2018 and 2022, and the direction of fully autonomous vehicles will continue to develop. Such progress will lead to a complex ecosystem that will include cloud solutions, the Internet of Things, 5G and other key technologies. The attack surface, which will potentially consist of millions of endpoints and end users, will also significantly increase.

As the industry develops, there will be numerous opportunities for monetization and sabotage for cybercriminals, hacktivists, terrorists national, states insiders and even unscrupulous operators, the report warns. In all 29 attack vectors examined, the overall risk of cyberattack success was estimated to be average. However, as applications SaaS are embedded in the electrical/electronic architecture of vehicles and cybercriminals create different monetization strategies, risks can increase significantly.

To mitigate the risks described in the study, the connected car security system must cover all critical areas to protect the end-to-end data supply chain. Trend Micro offers the following general recommendations for protecting connected cars:

• assess the risks of compromise as highly probable and use effective tools to alert, deter and mitigate the effects;
• Protect the end-to-end data chain over the vehicle's electronic network, network infrastructure, internal servers, and Vehicle Security Operations Center (VSOC)
• Draw conclusions from recorded attacks and use them to further strengthen protection and prevent reoccurrence.
• use security technologies - firewall, encryption, device management, application security, vulnerability scanner, code signature, IDS for CAN, AV for the head device, and others.

2020: Data security: In whose hands are the keys?

It is quite obvious that autonomous cars must be protected by the most modern means of support. cyber security As indicated in one study^[4]84% of respondents from among automotive engineers and IT specialists expressed concern that automakers do not have time to respond to increasing cyber threats.

To ensure the integrity of the client and his personal data, all components of connected cars - from hardware and software inside the machine itself to connection to the network and cloud - must guarantee the highest level of security. Below are some measures to help automakers ensure the safety and integrity of data used by self-driving cars.

• Cryptographic protection limits access to encrypted data to a certain number of people who know the valid "key."
• End-to-end security involves the implementation of a set of measures that allow you to detect a hacking attempt at each entry point to a data line - from micro-sensors to 5G communication masts.
• The integrity of the collected data is an important factor and suggests that information received from vehicles is stored unchanged until it is processed and converted into meaningful output. In the event of corruption of the converted data, this makes it possible to refer to the "raw" data and reprocess it.

To perform all critical tasks, the vehicle's central storage system must operate reliably. But how can automakers guarantee these tasks if the system fails? One of the ways to prevent incidents in the event of a main system failure may be to back up data in a duplicate data processing system, however, this option is incredibly expensive to implement.

Therefore, some engineers took a different path: they are working on creating backup systems for individual components of the machine involved in providing unmanned driving mode, in particular brakes, steering, sensors and computer chips. Thus, a second system appears in the car, which, without the obligatory backup of all data stored in the car in the event of a critical equipment failure, will be able to safely stop the car on the side of the road. Since not all functions are really vital (in an emergency, you can do without, for example, an air conditioner or a radio), this approach, on the one hand, does not require a backup of non-critical data, which means a decrease in costs, and, on the other hand, still provides a safety net in case of system failure.

As the unmanned vehicle project progresses, the entire evolution of transport will be built around data. By adapting machine learning algorithms to handle the vast amounts of data that autonomous vehicles depend on and implementing robust and operational strategies to ensure safety and protect them from external threats, manufacturers will at some point be able to develop a car that is safe enough to drive on the digital roads of the future.

Notes