There is a lot of talk in the automotive industry about the “Internet of Vehicles” (IoV). It describes a network of cars and other vehicles that can exchange data over the internet to make transportation more autonomous, safe and efficient.
Connectivity can help vehicles identify roadblocks, traffic jams, and pedestrians. It could help cars orient themselves on the road, potentially enable driverless driving, and provide easier troubleshooting. To some extent, this has already happened with smart highways, where the purpose of using technology is to manage highway traffic in the most efficient way.
More complex connected vehicles will require more sensors, software and other technologies in vehicles and the surrounding road infrastructure. Cars already contain more electronic systems than ever before, from cameras and phone connections to infotainment systems.
However, some of these systems may also leave our vehicles vulnerable to theft and malicious attacks as criminals identify and exploit vulnerabilities in this new technology. In fact, this has already happened.
Smart keys are supposed to protect modern vehicles from theft. Pressing a button on the key disables the car’s immobilizer (an electronic device that prevents the vehicle from being started without the key), allowing the vehicle to move.
But a well-known method of getting around this protection requires a handheld relay tool that can trick the vehicle into thinking the key fob is closer than it really is.
It requires two people to work together, one standing next to the car and the other close to where the keys are actually located, such as outside the owner’s house. The person near the house uses the tool to receive the signal from the key fob, which is then relayed to the vehicle.
Relay equipment used to carry out this type of theft can be found on the internet for less than £100, and the thefts are usually carried out at night. To prevent them, car keys can be placed in a Faraday bag or cage to block any signals from the keys.
However, a more advanced method of attacking vehicles is now increasingly being used. Known as a “CAN (Controller Area Network) injection attack,” it works by establishing a direct connection to the vehicle’s internal communication system, the CAN bus.
The main route to the CAN bus is under the vehicle, so criminals try to gain access to the bus through the lights on the front of the car. To do this, the bumper must be pulled apart in order to insert the CAN injector into the engine system.
Thieves can then send false messages, tricking the vehicle into believing the messages are from the key fob and disabling the immobilizer. Once they are in the vehicle, they can start the engine and drive the vehicle away.
Zero Trust Approach
Given that vehicle theft may become an epidemic, manufacturers are trying new ways to overcome this latest vulnerability as quickly as possible.
One strategy is to not trust any messages the car receives, known as a “zero-trust approach.” Instead, these messages must be signed and verified. One way to do this is to install a hardware security module in the vehicle, which generates keys used to encrypt and decrypt data and to create and verify digital signatures on messages.
The automotive industry is increasingly incorporating this mechanism in new vehicles. However, integrating it into existing vehicles is not practical due to time and cost, so many cars on the road are still vulnerable to CAN injection attacks.
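The message verification described above can be sketched in a few lines. This is an added example, not code from the article or from any manufacturer: it is a simplified model in which a truncated HMAC stands in for the signature a hardware security module would produce, and the key, CAN ID, payload and frame layout are all constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # bytes of truncated MAC sent with each frame (assumed size)

def compute_tag(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    # MAC covers the identifier, a freshness counter and the payload.
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

class Sender:
    """Legitimate ECU: holds the shared key and an ever-increasing counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def frame(self, can_id: int, data: bytes) -> tuple:
        self.counter += 1
        tag = compute_tag(self.key, can_id, self.counter, data)
        return (can_id, self.counter, data, tag)

class Receiver:
    """Receiving ECU: acts on no frame until tag and freshness both check out."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # highest accepted counter per CAN ID

    def accept(self, frame: tuple) -> bool:
        can_id, counter, data, tag = frame
        expected = compute_tag(self.key, can_id, counter, data)
        if not hmac.compare_digest(tag, expected):
            return False  # sender does not hold the key: injected frame
        if counter <= self.last_counter.get(can_id, 0):
            return False  # valid tag but stale counter: replayed frame
        self.last_counter[can_id] = counter
        return True

def demo() -> dict:
    key = bytes(range(32))  # constructed key; in a vehicle it stays inside the HSM
    key_ecu, immobilizer = Sender(key), Receiver(key)
    genuine = key_ecu.frame(0x123, b"\x01")       # constructed ID and payload
    forged = (0x123, 2, b"\x01", bytes(TAG_LEN))  # injected frame, no valid tag
    return {"genuine": immobilizer.accept(genuine),
            "forged": immobilizer.accept(forged),
            "replayed": immobilizer.accept(genuine)}

if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'forged': False, 'replayed': False}
```

The counter matters as much as the tag: without it, a frame recorded from the bus could be replayed later and would still verify.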
Another security consideration in modern vehicles is the on-board computer system, also known as the “infotainment system.” The system’s potential vulnerabilities are often overlooked, despite the potentially disastrous effects they can have on drivers.
One example would be an attacker being able to use “remote code execution” to deliver malicious code to a vehicle’s computer system. In one reported case from the United States, the infotainment system was used as an entry point for attackers through which they could insert their own code. This code sends commands to the car’s physical components, such as the engine and wheels.
An attack like this clearly has the potential to affect the functionality of the vehicle, leading to a crash – so it’s not just a matter of protecting the personal data contained in the infotainment system. Attacks of this nature can exploit many vulnerabilities, such as the vehicle’s internet browser, USB dongles plugged into the vehicle, software that needs to be updated to prevent known attacks and weak passwords.
Therefore, drivers of all vehicles with infotainment systems should be fully aware of basic security mechanisms to protect them from hackers.
The prospect of a flood of vehicle thefts and insurance claims due to CAN attacks alone is frightening. The benefits of connected vehicles, such as safer driving and enhanced ability to recover cars if they are stolen, need to be balanced against these potential risks.
(This story was not edited by NDTV staff and was automatically generated from syndicated feeds.)