Hackers use DAB radio as back door into connected car

The fear that malicious hackers can remotely take control of a computing device is not new. Tabloid press have previously warned that hackers could take control of your computer and literally blow it up. Even as far back as 1980 it was possible to make a Sharp MZ80K catch fire by writing code to activate/deactivate the cassette relay switch until it ignited – though computers were not connected in the same way as today.

However, the idea that the vehicle you are travelling could be hijacked by hackers is much more frightening. Two groups of respected security researchers recently undermined the security of connected vehicles, as reported here. In one attack, hackers took over a vehicle from ten miles away and made it come to a sudden and unexpected halt on a freeway.

This is quite important when you consider that: "Over 40 million cars will have sophisticated autonomy in 2035,” according to IDTech Research. Imagine if all these vehicles were taken over and stopped simultaneously – it would be carnage.

To take over the vehicles the hackers undermined security systems using the ‘back door’, rather than direct attacks on the vehicle system:

  • NCC subverted the DAB-based car infotainment system in order to take over critical vehicle systems, such as steering and brakes.
  • IOActive also focused on the infotainment system, sending data via the SIM to take control.

These aren’t the only examples in which hackers have subverted the security of connected solutions by undermining associated systems that sit beside them. One prominent hacker, Chris Roberts, recently claimed he took control of a plane’s guidance systems by hacking its in-flight entertainment system and making it fly to the left. Similarly, credit card data for millions of Target customers was stolen when hackers managed to subvert the retailer’s HVAC system to get inside.

Chris Valasek, Director of Vehicle Security Research at IOActive in his Defcon 2015 paper warns that the auto industry isn’t engaging with these potential threats. “The ambiguous nature of automotive security leads to narratives that are polar opposites: either we’re all going to die or our cars are perfectly safe,” he warns.

Infotainment systems aren’t the only potential “remote attack” surfaces vehicle hackers are exploring. A white paper presented by researchers Miller and Valasek at the Black Hat conference explores many more, including:

  • Passive Anti-Theft Systems
  • Tire Pressure Monitoring Systems
  • Remote Keyless Entry/Start
  • Bluetooth
  • Radio Data System
  • Telematics/Cellular/Wi-Fi
  • Internet/Apps
  • Park assist
  • Cruise control
  • Collision prevention
  • Lane keep assist

Take a look at the list and realize that while some of these attack vectors are only visible in vehicles, others can be seen as held in common with other IoT solutions.

Miller and Valasek say manufacturers should focus on securing remote endpoints and designing products so components handling safety critical features are separated from those with remote functionality. They also advise building attack detection systems into cars, and (by inference, at least) other connected solutions.

"I don't expect automakers to produce perfect cars," Miller told a US government panel in May. "I want as many researchers as possible looking at this code. I want to trust the safety of this vehicle."

In such a complex threat environment you’d imagine manufacturers of connected systems would welcome the work of security researchers. After all, it’s got to be better that weaknesses are identified and manufacturers warned so threats can be patched before they are exploited.

Unfortunately not every car manufacturer is so welcoming of white hat hackers in the way that IT companies are. Google, Microsoft and other big technology firms frequently offer 'bug bounty' rewards if threats are exposed to them. United Airlines offers up to one million free Air Miles to those who successfully find flaws in its systems. 

It’s an inconvenient truth that as the number of connected devices proliferates, the number of potential security weaknesses will also increase.  How should industry react?

Perhaps the best example is how Mastercard, handles security. The MasterCard DigiSec Lab teams spend their days attempting to identify weak points in the security of any system or device used to make payments. The company recently opened up its labs to collaborate with others: “Amid an ever-growing threat from cyber-crime, it is increasingly important that we share our knowledge, tools and solutions,” the company says.

The threat is growing more complex but in conjunction with user education, a commitment to timely security updates, robust security out of the box - even regulation - there’s a chance to avoid making things worse while trying to make them better.

The industry needs to open up to the threat, recognize vulnerabilities will be exploited and understand hackers will figure out how to get inside every connected solution – even a connected thermostat. This is the challenge of the connected opportunity and we must cooperate to face up to it.

Read more about security with Orange Business

Jon Evans

Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his daily regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for men's interest magazine, Calibre Quarterly, and news editor for MacFormat magazine, which is the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.