Locks and Security News: your weekly locks and security industry newsletter
17th April 2024 Issue no. 701

Your industry news - first

We strongly recommend viewing Locks and Security News full size in your web browser. Click our masthead above to visit our website version.

Future electronic auto security threats

Vehicle technology continues to evolve at a rapid rate; vehicles that can sense their surroundings,that can avoid accidents, that can communicate with the outside world and even with other vehicles on the road are all becoming more commonplace. The industry in general agrees that this is the way of the future, but could it be possible that in striving for this more convenient, connected world, vehicle manufacturers could also be creating the next loopholes for criminals to exploit?

Even within dedicated security systems such as immobilisers, much of what is being implemented by manufacturers has already been compromised by criminals. Outside of the automotive environment, computer hackers are capable of defeating the multi-layered defences of major blue-chip corporations such as Sony. As vehicle technology starts to incorporate the connectivity that allows criminals access to the on-board software, it becomes inevitable that hackers will turn their attentions towards new attacks on these systems.

To find out more about such potential threats, SBD talked to Karsten Nohl - renowned 'white-hat hacker' who recently presented on the weaknesses of transponder cryptography at the 2010 ESCAR Conference, aiming to help manufacturers uncover their system flaws and improve their technology before the criminal hackers can exploit these weaknesses.

SBD: How long do you think new vehicle security systems have 'immunity' for before thieves work out how to exploit them?

KN: An analysis lab takes somewhere between two and six weeks to analyse any modern car model and discover its vulnerabilities. Car manufacturers, on the other hand, can take from months to several years to be able to fix issues. This dynamic of fast attack and slow defence means that thieves teaming up with electronic geeks can pretty much take whatever car they want. Compare that to other security industries; Pay TV, for instance. Hacking a Pay TV system takes upwards of half a year and requires highly specific expertise. Once hacked, the operator responds by sending out new cards within weeks. It feels wrong that the security technology in televisions is several generations ahead of that in luxury cars, doesn't it?

SBD: How close are we to thieves being able to remotely hack into our cars?

KN: Cars are about to be interconnected through mobile networks with other cars, roads, service stations and virtual service centres. Navigation systems are the first systems to have gone that step towards distributed car intelligence. As long as interconnectivity is in non-critical infotainment services, hacking threats are low.

Judging from the interdependence of different functions inside our cars, the core systems will inevitably be connected to the outside world at some point, which would then greatly amplify the abuse potential for today's vulnerabilities. The car manufacturer will then be exposed to the problems of the current flaws and they would be advised to consider these threats before they happen and create a stable technology base for mobile applications.

SBD: Is there anything that Vehicle Manufacturers can do quickly and easily to lessen the risk?

KN: My understanding of the car development process is that components are manufactured by external suppliers according to functional specifications. Security flaws arise from the interaction of several such components that were developed in isolation.

Best practice in security testing would mandate "hacking tests" on the finished product to discover and fix these side-effects that are typical in complex systems. You could say that this final step of quality assurance is currently outsourced to the car thieves.
SBD: Do you think that enough consideration is given to the future threats from thieves?

KN: I'm not convinced that car manufacturers have a strong enough incentive to spend the money to curtail car theft. The main cost is taken by insurers, who may be giving thought to theft risks but don't control the technology enough to make a real difference in car security.

SBD: Can anything be done to predict what thieves will do next?

KN: As cars use more standardised technology already in use in other communication environments, they are attracting an ever larger number of security researchers and hackers from other fields. This is not necessarily a bad situation as it helps to uncover flaws that have accumulated over years. Cars will almost certainly become less safe and secure in the short-term before they evolve towards better designs. I just hope that the trend towards external control of car functionality can be delayed until after this evolution has occurred.

SBD expect that this evolution towards better security protection against hacking attacks it not likely to happen for a number of years. Vehicle hacking is not considered a threat by vehicle manufacturers at this present time, and so there is limited pressure to develop better electronic security.However, SBD believe that the threat of hacking will increase in the near future as developments in car technology connect vulnerable and vital systems to networks and infrastructure outside of the vehicle - just as Karsten suggests.

You can learn more and explore the possible hacking routes that a thief may exploit to overcome the security of the vehicle, in SBD's latest report due for release in August, Can thieves control my car? - Hacking attacks on vehicle security systems. This report also gives an insight to the level of control that an attacker may exert over a vehicle, and analyses the successful hacking attacks performed by research organisations over the past few years.

By leveraging our expertise you can future-proof and overcome actual theft methods that would threaten your vehicle. From CAD review of system layouts to comprehensive review of the security systems fitted to the complete vehicle, our flexible services ensure that you remain one step ahead of thieves. Click here to learn more about how SBD can help you provide an effective response to the latest professional theft methods.

To register your interest in the report Can thieves control my car? - Hacking attacks on vehicle security systems or to discuss your specific vehicle security challenges, contact Kavitha at [email protected].

6th July 2011