Home Oto Top Remote Security Dangers in The Automotive Industry

Top Remote Security Dangers in The Automotive Industry

By: Samantha Isabelle Beaumont, Senior Software Security Consultant at Synopsys Software Integrity Group

Rilispedia.com – The automotive industry has increased the technological repertoire of vehicles in recent years, the intention being to remain compliant with legislation and industry standards, where consumers are drawn to the most convenience based modern vehicle features such as Bluetooth, near-field communication (NFC), and Wi-Fi. It’s important to understand that radio frequency (RF) technologies such as these do not come without risk.

Historically, vehicles weren’t built with cyber security considerations in mind; rather, only functional and passenger safety aspects. With the rise of automotive standards such as SAE J3061, and vehicle vulnerabilities being announced against a variety of automotive industry leaders, it’s becoming clear that there is a cyber security trend that needs to be addressed regarding transportation and vehicular safety. 

The term ‘automotive wireless’ is often understood to mean the technology supporting Wi-Fi hotspots in vehicles. While this is a possible attack vector, there is an array of RF technologies that could offer the potential for vulnerabilities in vehicles. Tire pressure monitoring systems (TPMS) are one such example. These electronic systems are designed to report tire pressure information in real time to the vehicle’s driver. In many countries, legislation is in place stipulating that newly manufactured or imported cars be fitted with TPMS systems — most of which use direct sensors that are part of the valve stem or banded to the wheel. Sensors transmit their own ID along with the tire pressure to the vehicles electronic control unit (ECU). Attackers have reported vulnerabilities in TPMS, allowing vehicles to be remotely hacked, tracked, and altered. 

Replay attacks

One example of RF technology is that of vehicle entry systems. Classic key fobs use RF signals to unlock and lock vehicles remotely, without any need for a physical key. A well-known attack strategy involving key fobs is the “Rolljam” replay attack. This takes place when an attacker is able to steal the unlock signal from a genuine request, jamming two legitimate unlock commands. Here, the second unlock request replays the first. If a system is unprotected, the attacker can re-use the legitimate unlock request to unlock the car once the driver is no longer in sight.

To mitigate such attacks, manufacturers can employ rolling codes which are signal techniques that modify the information sent to the vehicle upon each request. This ensures each request is unique; thus, only valid for the specific car only one time. 

Consumers are suggested to lock, unlock, and lock the car when exiting the vehicle. This good habit naturally invalidates the attack path an attacker would require for such an exploit. 

Relay attacks

There are additional passive key entry (PKE) smart keys which allow drivers to unlock and start their vehicle without requiring them to physically touch the car with the key. Whilst convenient, there are multiple security concerns regarding this technology. Relay attacks, for instance, can be carried out with inexpensive tools that can extend the key’s range. This allows an attacker the ability to open the vehicle’s door and start the engine from a much larger distance than the intended design.

In terms of a mitigation strategy, designers can decrease the expected allowed response time for valid signals and increase the sensitivity of in-vehicle receivers responsible for handling incoming door signals. While jamming is in no way a simple concept, return acknowledgments can and should be used to ensure the original signal sent to unlock has been received successfully before a new one can be processed. 

Consumers on the other hand, can store sensitive keys within a reasonably priced RF blocking containment unit to further reduce attack potential.

Mobile applications

Original equipment manufacturers have developed proprietary mobile apps that are able to perform many classic key fob features. They provide an added benefit to consumers by being able to control the vehicle’s ECU from anywhere. These applications provide unique potential for attackers as well. The potential for extended remote vulnerabilities is increased since the application offers direct commands like powering the vehicle’s engine on and off. 

Regarding mitigation, developers should deploy a system disallowing the installation of their secure applications on rooted or jailbroken phones. These devices are oftentimes used by attackers to bypass security mechanisms that are natively in place within mobile applications.

Additional methods to protect applications against unauthorized access include certificate pinning, application binary signing, and code obfuscation. Supplementary solutions include implementing physical presence checks and refraining from deploying custom encryption implementations without first verifying cryptography through an established and extensive review process. 

Summing it up

Whilst there are numerous actions that individual vehicle owners can take to ensure their vehicles remain as secure as possible under their control, the real security responsibility lies primarily with manufactures. The elements we’ve discussed here today are simply a starting point and many firms within the industry are already undertaking such activities. 

The road ahead holds an evolving attack surface and threat landscape. Despite security concerns and process constraints, the automotive industry has the tools to remain robust; it is just a matter of implementation.

Must Read

Telkomsel Berkolaborasi dengan CATCHPLAY+ untuk Tingkatkan Pengalaman Menonton Hiburan Digital Bagi Seluruh Pelanggan

Rilispedia.com - Telkomsel berkolaborasi bersama CATCHPLAY+ untuk meningkatkan pengalaman menonton bagi masyarakat dengan membuka akses lebih luas dalam menikmati hiburan digital berkualitas...

Cara Menggunakan Telegram Ad Platform untuk Meningkatkan Penjualan Bisnis Anda

Rilispedia.com - Sebagai pemilik bisnis, Anda mungkin pernah menghadapi berbagai tantangan dan rintangan dalam kinerja bisnis Anda selama pandemi Covid-19. Mulai dari...

Qlue Bersama Kemenparekraf Mendorong Pemulihan Industri Pariwisata Melalui Pemanfaatan Teknologi

Rilispedia.com - Qlue, penyedia ekosistem smart city terlengkap di Indonesia, siap berkontribusi dalam pemulihan industri pariwisata nasional. Sebagai salah satu sektor yang...

Manfaat Fitur Telegram untuk Kegiatan Belajar Mengajar

Rilispedia.com - Dengan semakin membaiknya situasi Covid-19 saat ini, metode belajar mengajar hybrid masih menjadi salah satu opsi belajar mengajar yang diterapkan...

PPKM Level 3 Diberlakukan, Berikut Aktivitas Seru Akhir Tahun di Rumah Saja

Rilispedia.com - Tak terasa beberapa minggu lagi kita sudah menyongsong tahun baru 2022. Namun dengan adanya pembatasan mobilitas dan aktivitas di ruang...