
Hacking Into Cars: New Techniques Emerge

Automakers respond with cybersecurity to plug the gaps

David Braue

Melbourne, Australia – Aug. 20, 2021

It has been six years since security researchers Charlie Miller and Chris Valasek, who famously hacked a Jeep Cherokee, told an audience at the Black Hat 2015 conference how they managed to pull it off — and it seems carmakers everywhere were listening.

The secret to their hack was that a method Jeep thought would be extremely secure (generating a random WPA2 password to protect the car’s Wi-Fi network with one of millions of possible passwords) turned out to be extremely simple to break once they understood how the password was generated.

That password, they realized, was created using a method based on the default system time plus a few seconds during which the car’s Wi-Fi service was booting up.

That startup routine, it turns out, took around 32 seconds — leaving researchers with just a few dozen passwords to try out, and leaving the car’s inner workings exposed to manipulation that allowed the hackers to remotely control the air-conditioning, radio, windshield wipers, and transmission.
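To make the weakness concrete, here is an added illustration that is not taken from the researchers' talk or from Jeep's software: a hypothetical time-seeded password generator beside a CSPRNG-based one, with a report of how many passwords each design can really produce. The hash construction, the 12-letter format and the default clock value are all assumptions; only the 32-second boot window comes from the account above.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_lowercase   # assumed password alphabet
LENGTH = 12                         # assumed password length
DEFAULT_EPOCH = 1_000_000_000       # constructed stand-in for the factory-default clock


def time_seeded_password(epoch_seconds):
    """Weak (hypothetical): the password is a pure function of the clock."""
    digest = hashlib.sha256(str(epoch_seconds).encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LENGTH])


def csprng_password():
    """Hardened: every character comes from the OS CSPRNG, not from the clock."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def reachable_passwords(default_epoch, boot_window_s):
    """All passwords the weak generator can emit if the clock starts at a known
    default and the Wi-Fi service reads it somewhere inside the boot window."""
    return {time_seeded_password(default_epoch + s) for s in range(boot_window_s + 1)}


def entropy_report(boot_window_s=32):
    """Compare the advertised keyspace with what the design actually delivers."""
    reachable = reachable_passwords(DEFAULT_EPOCH, boot_window_s)
    return {
        "nominal_bits": LENGTH * math.log2(len(ALPHABET)),
        "effective_bits": math.log2(len(reachable)),
        "reachable_count": len(reachable),
    }


if __name__ == "__main__":
    report = entropy_report()
    print(f"nominal keyspace : {report['nominal_bits']:.1f} bits")
    print(f"time-seeded      : {report['effective_bits']:.1f} bits "
          f"({report['reachable_count']} possible passwords)")
    print("CSPRNG sample    :", csprng_password())
```

The design-review lesson is that a credential derived only from guessable state (a clock, a serial number) has the entropy of that state, however long or random-looking the resulting password is.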

The Jeep hack has become a high-water mark in hackers’ efforts to compromise vehicles that have become increasingly high-tech and, in recent years, increasingly connected — both providing them with interesting new features and opening them up to exploitation in ways that were unthinkable even a decade ago.


If you can’t hack it, then…

Israeli security research firm Upstream Security, which has been tracking reports of automobile hacking for many years, identified 633 public reports of automotive cyber incidents over the past decade, noting in its 2021 Global Automotive Cybersecurity Report that last year alone saw over 200 automotive cyber incidents and the discovery of 33 new automobile-related CVEs (Common Vulnerabilities and Exposures).

Most frequently targeted were servers, keyless entry systems and mobile apps, with 77.8 percent of incidents conducted remotely — meaning that your car could potentially be compromised by someone who isn’t even inside it.

Even more frightening was the finding that 55 percent of hacks were conducted by malicious-minded black-hat hackers who were aiming to disrupt business, steal property, and demand ransoms from people whose personal safety depends on the continuous safe operation of their vehicles.

True to form, hackers have proven remarkably creative in thinking up new ways to hack vehicles — including, late last year, a concerning hack in which a Wi-Fi-equipped drone flying over a Tesla car was able to hack the car without interaction from anyone in the car.

Plugging the gaps

Yet for all the high-profile hacking demonstrations, carmakers haven’t been standing still. Given the opportunity to hack a connected car at this year’s Black Hat 2021 conference, for example, attendees were unable to compromise the system and ended up trying to break into the car the old-fashioned way — using a coat hanger to manipulate the door lock system.

Yet while automotive systems may be able to avoid casual hacks, the continued success of focused security researchers — and, inevitably, the myriad malicious-minded hackers working to break into car security as you read this — is keeping the industry on tenterhooks.

Mobile security firm BlackBerry — which owns the QNX real-time operating system used in a range of automotive systems and last partnered with Amazon to expand its reach — has spent much of 2021 managing this tension after no fewer than 14 QNX products were found to be vulnerable to the significant BadAlloc vulnerability identified by Microsoft’s Section 52 security team.

This month, the Cybersecurity & Infrastructure Agency (CISA) released a formal advisory about the risks of BadAlloc, encouraging developers of QNX-based systems — which include automotive systems in an estimated 200m cars as well as many healthcare devices — to “patch affected products as quickly as possible.”

“BlackBerry QNX RTOS is used in a wide range of products,” the advisory notes, “whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions.”

Reflecting the level of concern about security issues in embedded systems, no less than the US Nuclear Regulatory Commission issued its own security advisory about the risks of the QNX vulnerability.

Connected vehicles, it increasingly appears, are falling victim to an industry-wide problem around the insecurity of Internet of Things (IoT) devices — which was recently quantified in a new research study that found IoT-specific malware attacks had increased by 700 percent over the course of the COVID-19 pandemic.

While the majority of these devices are office devices like 3D printers and barcode readers, devices like automotive multimedia systems were also targeted in the mix — reiterating the ongoing risk to carmakers as hackers continue to poke and probe their systems.

The participants in this year’s Black Hat trial may have had to resort to coat hangers, but increasing reports of automotive insecurity and increasingly effective hacking techniques suggest that they may soon be able to compromise these systems without even leaving their desks.

David Braue is an award-winning technology writer based in Melbourne, Australia.
