Auto manufacturers are asleep at the wheel when it comes to security

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
And rising car thefts suggest the criminals are taking advantage


Cars are getting smarter every year but their increasing computational power isn’t being backed up by good IT security practices – hacking them is child’s play.


That’s the conclusion of a series of speakers at the Kaspersky Security Analyst Summit. These security researchers have demonstrated how easy it is to introduce software into vehicles to steal data, take control of vital functions, get around alarm and electronic key systems and even crash the car.


“Most cars these days are essentially computers running on four wheels,” said Stefan Tanase, principal security researcher at Romanian network testing shop Ixia.


“The only difference is when you have a problem with computer it won’t affect your physical security, but a car can put your life in danger and automotive security is something that the industry needs to take seriously.”

It gets worse
In a separate presentation Marc Rogers, head of information security at Cloudflare, detailed a number of ways in which basic manufacturing mistakes left car drivers vulnerable to hacking.

The average time from conception to a finished vehicle coming out of the factory is between four to six years, he said. But most Linux distros used in vehicles become outdated sooner than that and he said that vulnerabilities had been found in car code that were more than ten years old.

The current generation of controller area networks in cars is hopelessly out of date and isn't designed to be secure, he said. Data traffic is unencrypted and access to the CAN is easy using mandated data ports in vehicles.

Keys are another area of weakness. Some electronic keys have a pitifully small number of combinations, but more worrying is the use of signal amplification technology. There is kit available online for around $60 that can pick up the signal from keys and copy them to the car, unlocking them and disabling the alarm system.

All cars sold in the US these days also have to have tire pressure measurement systems installed as standard, and the signal is unencrypted. A suitably programmed Raspberry Pi can use the signal to track cars, but more worryingly can be used to crash the engine control unit that controls keyless entry.
 
  • Like
Reactions: harlan4096

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top