Connected cars are vulnerable due to the radios that link them to the outside world. For example, consider cellular data links, such as the one in the Mercedes M-class SUV that my family owned for a while, allow for remote access to more than diagnostics: Using the system, called mbrace, an authorized M-B support center can unlock the doors via that link. Owners can use the M-B mobile app to
Start your vehicle from anywhere, and heat or cool the interior of your vehicle to the last set temperature. You can also remotely lock or unlock, sound the horn or find your vehicle via the Mobile App or website.
Nearly all high-end car manufacturers offer remote access systems, also referred to as telematics. Other popular systems with door-unlock capability include General Motors’ OnStar, BMW’s Assist, Hyundai’s BlueLink and Infiniti’s Connection. Each represents a potential attack vector, as do after-market add-ons.
It’s been a busy summer for automotive hackers, and the latest development is bad news for luxury-car owners: Good-guy digital security researcher Samy Kamkar just revealed that BMW, Mercedes-Benz, Chrysler, and aftermarket Viper connected-car systems are all theoretically vulnerable to the same hack that allowed him to remotely control functions in OnStar-equipped vehicles.
Consider yourself warned. The Federal Bureau of Investigation released a public service announcement, “Motor Vehicles Increasing Vulnerable to Remote Exploits.” The PSA says:
Vulnerabilities may exist within a vehicle’s wireless communication functions, within a mobile device – such as a cellular phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi – or within a third-party device connected through a vehicle diagnostic port. In these cases, it may be possible for an attacker to remotely exploit these vulnerabilities and gain access to the vehicle’s controller network or to data stored on the vehicle. Although vulnerabilities may not always result in an attacker being able to access all parts of the system, the safety risk to consumers could increase significantly if the access involves the ability to manipulate critical vehicle control systems.
The PSA continues,
Over the past year, researchers identified a number of vulnerabilities in the radio module of a MY2014 passenger vehicle and reported its detailed findings in a whitepaper published in August 2015. The vehicle studied was unaltered and purchased directly from a dealer. In this study, which was conducted over a period of several months, researchers developed exploits targeting the active cellular wireless and optionally user-enabled Wi-Fi hotspot communication functions. Attacks on the vehicle that were conducted over Wi-Fi were limited to a distance of less than about 100 feet from the vehicle. However, an attacker making a cellular connection to the vehicle’s cellular carrier – from anywhere on the carrier’s nationwide network – could communicate with and perform exploits on the vehicle via an Internet Protocol (IP) address.
In the aforementioned case, the radio module contained multiple wireless communication and entertainment functions and was connected to two controller area network (CAN) buses in the vehicle. Following are some of the vehicle function manipulations that researchers were able to accomplish.
In a target vehicle, at low speeds (5-10 mph):
- Engine shutdown
- Disable brakes
In a target vehicle, at any speed:
- Door locks
- Turn signal
- Radio, HVAC, GPS
(The whitepaper referenced above is “Remote Exploitation of an Unaltered Passenger Vehicle,” by IOActive Security Services.)
How can you protect yourself — and your vehicle? The FBI offers four excellent suggestions – read the PSA for more details on them:
- Ensure your vehicle software is up to date
- Be careful when making any modifications to vehicle software
- Maintain awareness and exercise discretion when connecting third-party devices to your vehicle
- Be aware of who has physical access to your vehicle
To those I would add: Choose security over convenience, and if possible, disable the remote-access capabilities of your vehicle. You may not be able to prevent every possible attack — some of those systems can’t be turned off, and if a hacker is able to get physical access to the vehicle’s ODB-II diagnostics port or other electronics, all bets are off. You can live without being able to use a mobile app to start your car, or without the manufacturer preforming remote engine diagnostics. Heck, our ’91 Honda doesn’t even have a clicker, we have to open the door with a key. Be safe!