There’s a lot of talk in the auto industry about the “internet of vehicles” (IoV). This describes a network of cars and other vehicles that can exchange data over the Internet with the aim of making transportation more autonomous, safe and efficient.
IoV can help vehicles identify obstacles, traffic jams and pedestrians. This could help position cars on the road, potentially allowing cars to drive themselves, and make it easier to diagnose faults. This has happened to some extent with smart highways, where technology is used to manage highway traffic in the most efficient way. A more sophisticated IoV will require more sensors, software, and other technologies installed in the vehicles and surrounding road infrastructure. Cars have more electronic systems than ever before, from cameras and cell phone connections to infotainment systems.
However, some of these systems can also make our vehicles vulnerable to theft and malicious attacks as criminals identify and then exploit vulnerabilities in this new technology. In fact, it has been and is happening.
Bypass security Smart keys are meant to protect modern vehicles from theft. A button on the key is pressed to deactivate the car’s immobilizer (an electronic device that protects starting the vehicle without a key), allowing the vehicle to be driven.
But a well-known way to get around this requires a hand-held relay to trick the vehicle into thinking the smart key is closer than it actually is.
This involves two people working together, one in front of the vehicle and the other near where the key is actually located, such as outside the owner’s home. People near the house using the tool can pick up the signal from the smart key and forward it to the car.
Transit equipment for making this type of flight can be found on the internet for less than €100, with attempts usually made at night. To avoid this, car keys can be placed in a Faraday pocket or cage to block any signals emitted from the key.
However, a more advanced vehicle attack method is increasingly being adopted. This is a “controller area network (CAN) intrusion attack” and works by establishing a direct connection to the vehicle’s intercom, the CAN bus.
The main route to the CAN bus is under the vehicle, so criminals try to reach it through the lights in front of the vehicle. To do this, the bumper must be removed so that the CAN injectors can be inserted into the engine system. The thief can then send fake messages to trick the vehicle into believing they come from the smart key and disable the encryption keyset. Once they have reached the vehicle, they can start the engine and drive the vehicle.
Zero Trust Approach With the prospect of a possible vehicle theft pandemic, automakers are trying new ways to fix this latest vulnerability as quickly as possible.
One strategy is to distrust the messages received by cars, known as the “distrust method”. Instead, these messages should be sent and verified. One way to achieve this is to install a hardware security module in the vehicle, which works by generating cryptographic keys that enable data encryption and decryption, generation and verification of digital signatures in the vehicle. message.
This mechanism is increasingly being implemented by the auto industry on new cars. However, integrating it into existing vehicles is impractical due to time and cost, so many cars on the road are still vulnerable to CAN injection attacks.
Infotainment System Attacks Another security consideration for modern vehicles is the in-vehicle computer system, also known as the “infotainment system”. The potential vulnerability of this system is often overlooked, even though it can have dire consequences for the driver.
One example is the ability for an attacker to use “remote code execution” to send malicious code to a vehicle’s computer system. In one reported case in the United States, the infotainment system was used as an entry point for attackers, through which they could put their own code. This sent commands to the physical parts of the car, such as the engine and wheels.
An attack like this clearly has the potential to affect vehicle operation, causing an accident – so it’s not just about protecting personal data in the infotainment system. Attacks of this type can exploit many vulnerabilities such as the vehicle’s internet browser, USB protection device plugged into it, software that needs to be updated to protect against known attacks, and passwords. weak.
Therefore, all drivers of vehicles equipped with infotainment systems should have a clear understanding of the basic security mechanisms that can protect them from intrusion attempts. The possibility of a pandemic of vehicle theft and insurance claims solely due to CAN attacks is a frightening prospect. There must be a balance between the benefits of the Vehicle Internet, such as safer driving and increased likelihood of cars being recovered after they are stolen, with these potential risks.