Under The HoodThe RKS system performs the same functions as a standard car key, but without the physical contact. An RKE is essentially a key fob with a short-range radio transmitter

www.intsights.com

Under The Hood Cybercriminals Exploit Automotive Industry’s Software Features

Under The Hood: Cybercriminals Exploit Automotive Industry’s Software Features

Table of Contents34455566789999

10

IntroductionHacker Motivations for AttackDark Web ForumsVehicle Attack Vectors

CAN-BUSAttacking Can-BUSRemote Attack VectorsRemote Keyless SystemsTPMS SystemsCar ApplicationsGPS SpoofingInfotainment ApplicationsCellular AttacksPhysical Attack Vectors

Defending Forward: Predictions and Conclusion

2


Introduction

The automotive industry is undergoing a transformation, as manufacturers pivot to focus on connectivity. Car manufacturers offer more software features to consumers than ever before, and increasingly popular autonomous vehicles require the use of integrated software. Cloud connectivity and wireless technologies have become widespread, and users across the world expect everything to work in a safe, reliable, and smart way.

The growing emphasis on software and connectivity in the automotive industry adds a new challenge: Cybersecurity. The pressure to deliver products as fast as possible puts a big strain on vehicle security capabilities, manufacturing facilities, and automotive data.

Hackers began to exploit vulnerabilities in automobile hardware and software around 2010. Industry leaders have since come to understand that cybercrime threats to cars were not as far-fetched as originally thought.

This report summarizes the cyber threats facing manufacturers in the automotive industry while highlighting some of the methods cybercriminals use to infiltrate automobile infrastructure.

3


Hacker Motivations for AttackThe two main things that affect hackers’ motivations, regardless of their skills and knowledge, are the cost-effectiveness of the attack and the value of the information.

Vehicle attack surfaces are typically more difficult to penetrate than banks or retail stores, for example. That said, the automotive industry still has numerous attack vectors, just as any other industry: phishing, credential leakages, leaked databases, open ports and services, insider threats, brand security, and more.

Dark Web ForumsIn our research, IntSights discovered easy-fo-find online shops that sell car hacking tools on the clear web. These online shops sell services that disconnect automobile immobilizers, as well as services that sell code grabbers and forums that give bad actors a complete tutorial on how to steal vehicles. The most relevant sources IntSights found for car hacking are Omerta.cc and Dublikat. These forums contain offers to buy code grabbers and tutorials for relay attacks. Additional forums that contained relevant information for car hacking are Sindikat and Nulled.to, although to a lesser degree.

Other sources include Russian websites that provide services for car hacking:

• Carmasters.org, Autoteamsforums.ru, and ffffff.ru provide services to help disconnect immobilizers.

• forum.grabbs.org is an online shop that sells code grabbers.

• Migalki.pw shows how to scam automotive vehicles and teaches hackers how to steal them.

• Chipadla.ru provides a service for different types of firmware jailbreaking and hacking into Engine Control Units (ECUs).

4


Vehicle Attack VectorsCars have multiple hardware and software outlets. A modern vehicle contains tens of thousands of hardware components and millions of lines of code, combining to form a large and versatile attack surface. The following are common attack vectors hackers use to infiltrate automobile hardware and software systems:

CAN-BUSMost of the vulnerabilities on the CAN protocol were found in the higher layers of the OSI model because the CAN protocol’s structure was not security oriented when it was initially developed. As a result, it is easy to manipulate. By abusing the CAN protocol, a hacker can gain full access to control all the vehicle’s functionalities, which can result in severe physical damage to the passenger and the vehicle.

The protocol does not have any encryption features, opening the door for “manin-the-middle” attacks. Once attackers are in the network, they can easily study and analyze the behavior of the network, especially since the communication broadcast and all the components in the network are exposed to all the messages sent. Once attackers have analyzed the network, they can map the different types of messages and their IDs, enabling them to later inject CAN messages and operating ECUs as they please.

Injecting CAN messages into the network affects another security flaw found in the protocol regarding a proper authentication mechanism. In CAN-BUS, there are no identifiers that can distinguish the origin of the message. This allows the attacker to send messages in the network that are not identified as unusual traffic, which could then be blocked. Besides manipulating ECUs to facilitate unauthorized actions in the car, a hacker can perform well-known attack techniques, like DDoS attacks, which can crush an ECU and stop it from functioning. This kind of attack takes advantage of the lack of security features in the structure of the CAN protocol.

Attacking CAN-BUSMany manufacturers divide their CAN networks into three parts, isolating the more important ECUs from the rest of the network. When hackers are planning an attack vector, they need to understand exactly how this division is made, and if they want to manipulate the isolated ECUs, they need to find a way to bypass the gateway. To the best of our knowledge, the most difficult part of the process is in accessing the CAN-BUS network. Once the hacker has access to the network, manipulating the messages is done the same way, regardless of the car’s brand, by exploiting the vulnerabilities in the CAN protocol, as described above.

It’s important to emphasize that each attack vector depends on the car’s hardware and software. The next step is to reverse engineer the car format of communication. You can try to search for documentation regarding a specific manufacturer or do it yourself by analyzing messages the system sends and receives. If you want to manipulate a component that is part of the CAN network, you will need to purchase a tool to help you analyze and map the different types of messages, and subsequently inject custom messages into the network. These tools are offered for sale on the dark web.

5


Potential Threat Vectors

Remote Attack VectorsMost cars have several remote access points, and, within a certain radius, an attacker can potentially connect to them. The exact number of remote access points varies by manufacturer, and can include Wi-Fi, Bluetooth, Remote Keyless Entry (RKE), and others.

The biggest challenge for hackers attempting to exploit remote access points is the required proximity to do so. Attacking a moving car can be near impossible if the hacker needs to physically connect to it. However, there are ways to bypass this problem: attacking a car via a cellular network, breaking into its Wi-Fi access points, or breaking in via the manufacturer’s backend system, to which many modern cars are connected. While these methods are more difficult, since they require hacking into very secure networks, they still broaden the scope of a car’s attack surface.

The following are examples of remote access vectors cybercriminals exploit to successfully hack automobiles.

Remote Keyless System (RKS)The Remote Keyless System (RKS) includes Remote Keyless Entry (RKE) and Remote Keyless Ignition (RKI), which can start a car remotely. The RKS system performs the same functions as a standard car key, but without the physical contact. An RKE is essentially a key fob with a short-range radio transmitter that “talks” with the car to open or lock it. This technology has existed since the 1990s. Recent developments have made it more secure and added the ability to start the engine, open the trunk, and more. The primary attack method hackers use to infiltrate an RKS is code grabbers, devices that allow car thieves to intercept the communication between the key and the car, and mimic or duplicate its operation. The dark web makes life easier for car thieves who want to obtain these code grabbers, as they are readily available for purchase. It has also fostered a community in which hackers can discuss recent developments, such as new key protection mechanisms, and help each other solve access problems.

6


These hacking tools are being sold on numerous dark web platforms: cybercrime forums, black markets, and, in some cases, dedicated online stores. Some of these tools allow the buyer to break into any car, regardless of its manufacturer.

One of the more notable tools is the “RollJam” tool, developed by the hacker Samy Kamkar in 2015. This device has been offered for sale for as low as $32, which makes it very affordable and lowers the barrier to entry for many hackers.

Some other relatively inexpensive tools that target RKE systems include Panda DXL, Grabos Panda, and Code Grabber. Some of the more sophisticated tools are sold for as much as $1,900.

TPMS SystemsSince 2008, the U.S. government has mandated that each newly manufactured vehicle needs to have a built-in tire pressure monitoring system (TPMS) that provides real-time tire pressure diagnosis. The TPMS examines a set of parameters that can best reflect the tires’ condition. The system examines this data using two subsystems: Indirect TPMS and direct TPMS.

Indirect TPMS - This method measures the tire’s pressure indirectly by receiving information from various sensors, the main one being the Anti-lock Braking System (ABS) that gives information about the rotation speed of the wheel against the tire forces. These sensors can give the system an estimation of the amount of air pressure in the wheel.

Direct TPMS - This method measures the tire pressure by using electronic sensors that are physically installed in the wheel and report the pressure to the vehicle’s computer. Many TPMSs can diagnose the pressure at each location, in either driving or parking mode.

One of the main concerns of security researchers regarding TPMS is the wireless communication used by the ECU of the TPMS and other components of the car. The wireless communication is internal, between the sensor module that is physically placed on the tire (part of the direct TPMS) and the display unit, which presents the information to the driver.

Even though the wireless communication within the TPMS is internal, the metal shield in the car does not block all of the radio frequency signals, so a hacker standing 40 meters from the car with a powerful antenna can read TPMS messages.

7


A hacker can exploit the TPMS and execute the following actions:

1. Send false messages to the TPMS - A hacker can deceive the system by giving it different parameters. This way, it can send out TPMS messages that say the tire pressure is in a good state for a long period of time, so that drivers will never know the real status of their wheels, which can cause serious damage.

2. Crash the TPMS - This action has a similar purpose as the previous action. However, crashing the TPMS will alert the driver to a faulty sensor.

3. Track the driver’s location - TPMS messages send out an ID that is unique for each wheel of the car. This information can be read using an off-the-shelf receiver. However, in order to complete the operation, the hacker would need to translate that ID number to the car he is trying to locate, and this information can be difficult to determine.

Car applicationsAs technology in cars progressed and more car manufacturers combined Android, Apple or other proprietary operating systems into their cars, it was only a matter of time before developers began integrating apps. Connecting apps to a car’s user interface is an attractive feature for buyers – but with this development came a wealth of security issues tied to the operating systems.

Many vendors are now selling products that provide remote communication with cars via an application installed on the driver’s mobile device. This can be achieved either by plugging in a physical component to the car, or by installing a running service in the car’s operating system that can communicate with a mobile application. The remote connection between the application and the car can be transmitted using Bluetooth, Wi-Fi, or other wireless protocols.

Depending on the application’s privileges, an attacker can use this vector to execute all sorts of actions on the car. In a research report published by Argos, the researchers were able to take a legitimate application that was connected to a drive log, reverse engineer it, and map all the different CAN messages that can be sent from within the application. This enabled them to shut down the engine just by manipulating the app.

The main advantage of this vector is that it allows hackers to attack a target remotely, without the need to be in the physical vicinity of the car. This can be done in the following ways:

1. Malicious apps: An attacker can create a malicious application that imitates the original app but gives the attacker control of any vehicle connected with the app.

2. Application’s connection to the cloud: Another vector using an application is to attack it from the server side that can communicate with the application connected to the car. In addition to the service running in the car, the application often sends back information to the backend servers in the company. A breach into the company’s servers can facilitate such an attack by enabling a hacker to manipulate the information being sent to vehicles from the company’s servers.

3. Infecting mobile devices: A hacker can install a malware on the driver’s mobile device and use it as a pipeline to open the original application that can connect to the car. Infecting the devices can be done by conducting common attack vectors, such as phishing campaigns, fake apps, infection through vulnerabilities on apps, etc.

4. Account hijacking: Hackers have been able to break into a user’s account by brute-forcing their credentials, or by simply extracting them using phishing mechanisms. Application servers that do not use two-factor authentication – and worse, use identifiers that are easy to find on a person, such as a user’s phone number, full name, or vehicle identification number (VIN) – make the hacker’s job much simpler. This vector can be used to steal the information that is stored on the server, such as driving history, locations, and home address, to invade the user’s privacy.

8


GPS spoofingThough there are not yet documented examples of hackers using this exploit, it could prove to be a threat in the future. Researchers at Virginia Polytechnic Institute and State University found a way to manipulate the navigation app by sending the driver to a different location than the one intended. The researchers built a toolkit that helped them operate this attack, consisting of the following devices: a HackRF tool that created a false GPS signal, an antenna connected to the HackRF tool, and a Raspberry Pi that operated as a central server.

Infotainment applicationsThe applications running in a car’s infotainment system provide different kinds of services, including media streaming, web surfing, and the dash camera’s display of reverse parking on the head unit. These applications can be interfaced by outsourced applications that connect to the car either remotely or physically (i.e., music applications that can be integrated with the audio system and the head unit of the infotainment system). In some cases, these applications are the main targets in an attack, but they can also simply serve as an obstacle a hacker faces on the way to core ECUs in the CAN network.

A hacker needs to find a way to manipulate these applications, either by bypassing them or extracting sensitive information from them. Either way, this requires finding a vulnerability that allows elevated privileges for the hacker. Many manufacturers use open source code libraries or off-the-shelf software for these applications. This approach allows the hacker to look for known exploits or unpatched systems to exploit.

Cellular attacksCellular networks are becoming more widespread within new car system architecture. Many cars now have an installed SIM that connects to a cellular network. The manufacturer uses this connection to either extract real-time information from the car in motion or update the firmware of its applications. This vector first appeared in 2015 when Chris Valasek and Charlie Miller demonstrated at DefCon how they were able to hack a car by interacting with the cellular network connected to it. The two researchers were able to find multiple attack vectors that allowed them to stop engines, initiate the brakes, and manipulate other vehicle functions over a cellular connection. They exploited the fact that the cellular connection talks directly with the Telematics transceiver, which has a connection to an array of sensors in the car, including the main ECU.

Physical attack vectorsAs opposed to the remote access points in a car, physical access to a car for cyberattacks is limited to OBD port and USB access. The OBD port allows the hacker to connect to the OBD-II computer, which can perform all sorts of diagnostic actions on the car. Researchers have shown ways to inject CAN messages to the CAN-BUS system via the ODB port.

The second physical entry point into a car is the USB port. If this port has a connection to some part of the CAN network, the driver can connect it to a phone for charging purposes or for integrating music with the infotainment system. Car owners can use the USB port for other reasons, including to update software, firmware or, navigation applications. By sending a malicious update to these applications, an attacker can execute code on the applications running in the car.

9


Defending Forward: Predictions and ConclusionAs cars grow increasingly connected and manufacturers incorporate more software features, attack surfaces will continue to grow and security challenges will multiply. The following are some trends we expect to see grow in both frequency and stature in the coming years:

Software-based attacks As the physical hardware of motor vehicles is a challenging target that requires malicious intent and specialized tools, we should expect to see more software attacks against infotainment systems, charging stations, and mobile apps. Every piece of software that can influence a vehicle’s performance will increasingly be targeted given the number of attack vectors for software versus hardware.

Wireless technologies - Wi-Fi, Bluetooth, NFC, Cellular Cars become more connected with each passing day. Most wireless technologies today are relativity secure as an industry standard, but their implementation and connectivity with the outside world are what make them an ideal attack vector. The ability to use the wireless spectrum as an entry point into the car network is the driving factor behind attacks that leverage the wireless spectrum, be it Keyfobs, infotainment systems, car diagnostics systems, or wireless tire pressure sensors.

Vulnerabilities and patch management By embedding more and more software products into cars, manufacturers force users to keep software updated, especially if they are using off-the-shelf or third-party software. It is a real challenge to the car industry to update each piece of software in a timely manner. The life cycle of a security vulnerability in a car is much longer than on any standard desktop PC, and a disclosed vulnerability can live on for months and years before all affected cars will be properly patched, although the general number of discovered critical vulnerabilities appears to be in decline.

In an ever-increasing digital climate, it is vital that businesses take the necessary precautions to avoid cyberattacks. Since cars are primarily attacked using remote access, security teams are often not able to detect when and where their systems have been compromised, leaving inknowing drivers susceptible. A comprehensive external threat intelligence solution can monitor for threats developing across the clear, deep, and dark web, giving automotive security teams the ability to shut down attacks at the source and mitigate the risk of a cyberattack levied against vehicles operating systems and networks.

10

Under The HoodThe RKS system performs the same functions as a standard car key, but without the physical contact. An RKE is essentially a key fob with a short-range radio transmitter

Documents