
Irish Information Security Forum

Are We Exposed to Bad Actors Leveraging Vulnerabilities in Modern Cars?

 

Modern cars are no longer just mechanical marvels; they are sophisticated computers on wheels, integrating software components, GPS, software-controlled mechanical systems, microphones, cameras and connectivity features such as Bluetooth, cellular, Wi-Fi and satellite. While these advancements bring numerous benefits, they have also introduced significant privacy and security vulnerabilities that bad actors can exploit.

 

In recent news, the U.S. has announced that it plans to ban Chinese and Russian technology in cars, primarily due to national security concerns. Modern cars collect and transmit a vast amount of data, including location, driving habits, and personal information. The U.S. fears that Chinese and Russian technologies could be used to collect sensitive data, compromising the privacy and security of U.S. targets, and is also concerned that they could be exploited to launch cyberattacks, disrupt vehicle operations, or even take control of vehicles remotely. Although there are currently few Chinese or Russian vehicles on U.S. roads, the ban is seen as a proactive step to prevent potential threats before they become widespread.

 

 

The Rise of Connected Vehicles

 

Today's vehicles are equipped with a plethora of digital systems, including infotainment units, telematics, and advanced driver-assistance systems (ADAS). These systems rely on software and connectivity to function, making them susceptible to cyberattacks. The integration of GPS for navigation and tracking further expands the attack surface.

 

Common Vulnerabilities

 

  • Electronic Control Units (ECUs): ECUs manage various subsystems in a car, such as braking, steering, and engine control. Hackers can exploit vulnerabilities in these units to gain control over critical vehicle functions.
  • In-Vehicle Infotainment (IVI) Systems: These systems are often connected to the internet and other devices via Bluetooth or Wi-Fi. Vulnerabilities in IVI systems can allow attackers to access personal data or even take control of the vehicle.
  • Telematics Systems: Used for fleet management and vehicle tracking, telematics systems can be compromised to manipulate vehicle data, track movements, or disable vehicles remotely.
  • Keyless Entry Systems: Wireless key fobs are convenient but can be intercepted using relay attacks, allowing thieves to unlock and start vehicles without physical access.

 

Real-World Examples

 

  • Jeep Cherokee Hack (2015): Security researchers demonstrated how they could remotely control a Jeep Cherokee's steering, brakes, and transmission by exploiting vulnerabilities in its Uconnect infotainment system.
  • Tesla Model S (2020): Researchers found a way to exploit the car's keyless entry system, allowing them to unlock and start the vehicle without the owner's key fob.

 

Potential Consequences

 

The implications of these vulnerabilities are far-reaching. Beyond the theft of vehicles, attackers could cause accidents, disrupt traffic, or even use compromised vehicles as weapons. The personal data stored in vehicle systems, such as contact information and travel history, also poses serious privacy risks to individuals.

 

Mitigation Strategies

 

  • Software Updates: Manufacturers must provide timely updates to patch known vulnerabilities. Vehicle owners should ensure their cars' software is always up-to-date.
  • Encryption: Implementing robust encryption protocols for data transmission between vehicle systems is a sensible step to prevent unauthorized access.
  • Intrusion Detection Systems (IDS): Just like any modern IT system, a car's software and networking systems should be monitored for unusual activity, with the driver or manufacturer alerted to potential breaches.
  • Public Awareness: Educating consumers about the risks and encouraging them to follow best practices, such as being cautious with third-party apps, setting passwords, and knowing how to close off or disable unwanted options or data leaks.
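
To make the IDS point concrete, here is an added example (not part of the original article) of a timing-based detector for in-vehicle traffic. It assumes the vehicle network is a CAN bus captured in candump -l log format; the message IDs, timings, threshold and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# candump -l style line: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#[0-9A-Fa-f]*")

def parse(log):
    """Return (timestamp, arbitration_id) for each well-formed line."""
    hits = (LINE.match(line.strip()) for line in log.splitlines())
    return [(float(m.group(1)), int(m.group(2), 16)) for m in hits if m]

def intervals(frames):
    """Map each arbitration ID to its list of inter-arrival gaps."""
    last, gaps = {}, defaultdict(list)
    for ts, cid in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return gaps

def learn_baseline(log):
    """Median period per ID from traffic assumed clean (None if seen once)."""
    frames = parse(log)
    gaps = intervals(frames)
    return {cid: (median(gaps[cid]) if gaps[cid] else None) for _, cid in frames}

def detect(log, baseline, ratio=0.5):
    """Alert on IDs absent from the baseline and on IDs arriving far too often."""
    frames = parse(log)
    unknown = {cid for _, cid in frames} - set(baseline)
    alerts = [(cid, "unknown-id") for cid in sorted(unknown)]
    for cid, g in sorted(intervals(frames).items()):
        period = baseline.get(cid)
        if period and median(g) < ratio * period:
            alerts.append((cid, "rate-anomaly"))
    return alerts

def sample(frames):
    """Render constructed (time, id) pairs as candump -l style lines."""
    return "\n".join(f"({t:.6f}) can0 {cid:03X}#0000000000000000"
                     for t, cid in sorted(frames))

# Constructed traffic: 0x0C4 every 10 ms, 0x1A0 every 100 ms.
NORMAL = [(i * 0.010, 0x0C4) for i in range(20)] + [(i * 0.100, 0x1A0) for i in range(3)]
BASELINE_LOG = sample(NORMAL)
# Constructed suspect capture: extra 0x0C4 frames between the periodic ones,
# plus one frame with an ID never seen in the baseline.
EXTRA = [(i * 0.010 + d, 0x0C4) for i in range(20) for d in (0.003, 0.006)]
SUSPECT_LOG = sample(NORMAL + EXTRA + [(0.050, 0x3E9)])
```

Periodic control messages keep a stable period, so a sharp drop in the median gap for one ID is a useful signal that something else on the bus is sending it as well.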

 

 

As vehicles become more connected and reliant on software integrations and updates from manufacturers, the potential for cyberattacks increases. Continuous vigilance and proactive measures are essential to protect against bad actors.

 

 


