Car Hacking | Report reveals security flaw in immobilizers

Over 100 models at risk from wireless attacks; study was hidden for two years

A security flaw in Volkswagen, Volvo and Fiat cars could allow hackers to remotely start and steal vehicles without having a key, a report has revealed.

The report, titled ‘Dismantling Megamos Crypto: Wirelessly Lock-picking a Vehicle Immobilizer’, was recently released after a Volkswagen court injunction blocking its publication was lifted after two years.

Cars are only supposed to start if the key is present in the car. But the report says anti-theft systems on some models can be hacked – allowing the car to be simply driven away.

Report authors Roel Verdult, Flavio Garcia and Baris Ege wrote: “We were able to recover the key and start the engine with a transponder-emulating device. Executing this attack from beginning to end takes only 30 minutes.”

The hackers were able to eavesdrop on the signals sent between the cars’ immobilizers and their keys.

Cars from Porsche, Ferrari, Audi, Bentley, Lamborghini and Alfa Romeo are among those that use the same transponders that the experts hacked.

Car hacking: could it happen to you?

The researchers are calling for their findings to be taken into account by car companies that use radio-frequency identification (RFID) technology, so necessary security measures can be put in place. But unlike a recent security flaw discovered on the Tesla Model S, the latest security risk cannot be fixed by a simple software upgrade.

The researchers who uncovered the flaw believe their findings should be made public and used as an incentive for car manufacturers to increase their cyber-security efforts.

The manufacturers, on the other hand, prefer to keep the discussion under wraps.

Volkswagen Group of America, along with 12 other car manufacturers, is lobbying for car technology to fall under the protection of the Digital Millennium Copyright Act in the US. If successful in its efforts, research of this nature would become illegal.

In a statement, Volkswagen said: “In this connection, Volkswagen does not make available information that might enable unauthorized individuals to gain access to its vehicles.

“In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack.”

 

You can download the full report here

 

 

Credit: Simon Davis

Researchers Hack Car via Insurance Dongle

Small devices installed in many automobiles allow remote attackers to hack into a car’s systems and take control of various functions, researchers have demonstrated.

 

Researchers at the University of California in San Diego analyzed commercial telematic control units (TCU) to determine if they are vulnerable to cyberattacks.

TCUs are embedded systems on board a vehicle that provide a wide range of functions. The products offered by carmakers, such as GM’s OnStar and Ford’s Sync, provide voice and data communications, navigation, and allow users to remotely control the infotainment systems and other features.

Aftermarket TCUs, which connect to the vehicle through the standard On-Board Diagnostics (OBD) port, can serve various purposes, including driving assistance, vehicle diagnostics, security, and fleet management. These devices are also used by insurance companies that offer safe driving and low mileage discounts, and pay-per-mile insurance.

Researchers have conducted tests on C4E dongles produced by France-based Mobile Devices. These TCUs, acquired by the experts from eBay, are used by San Francisco-based car insurance firm Metromile, which offers its per-mile insurance option to Uber.

Aftermarket TCUs are mostly used for data collection, but the OBD-II port they are connected to also provides access to the car’s internal networks, specifically the controller area network (CAN) buses that are used to connect individual systems and sensors.

“CAN is a multi-master bus and thus any device with a CAN transceiver is able to send messages as well as receive. This presents a key security problem since as we, and others, have shown, transmit access to the CAN bus is frequently sufficient to obtain arbitrary control over all key vehicular systems (including throttle and brakes),” researchers explained in their paper.

The experts have identified several vulnerabilities in the Mobile Devices product, including the lack of authentication for remotely accessible debug services, the use of hard-coded cryptographic keys (CVE-2015-2906) and hard-coded credentials (CVE-2015-2907), the use of SMS messages for remotely updating the dongle, and the lack of firmware update validation (CVE-2015-2908).

In their experiments, researchers managed to gain local access to the system via the device’s USB port, and remote access via the cellular data interface that provides Internet connectivity and via an SMS interface.

In a real-world demonstration, the experts hacked a Corvette fitted with a vulnerable device simply by sending it specially crafted SMS messages. By starting a reverse shell on the system, they managed to control the windshield wipers, and apply and disable brakes while the car was in motion. The experts said they could have also accessed various other features.

Corvette hacked via insurance dongle

The remote attacks only work if the attacker knows the IP address of the device or the phone number associated with the SIM card used for receiving SMS messages. However, researchers determined that Internet-accessible TCUs can be identified by searching the web for strings of words unique to their web interface, or by searching for information related to the Telnet and SSH servers. Thousands of potential TCUs were uncovered by experts using this method.

As for the the SIM phone numbers, researchers believe many of them are sequentially assigned, which means an attacker might be able to obtain the information by determining the phone number for one device.

Researchers have reported their findings to Mobile Devices, Metromile, and Uber. Wired reported that Mobile Devices developed a patch that has been distributed by Metromile and Uber to affected products.

Mobile Devices told the researchers and the CERT Coordination Center at Carnegie Mellon University that many of the vulnerabilities have been fixed in newer versions of the software, and claimed that the attack described by experts should only work on developer/debugging devices, not on production deployments.

However, researchers noted that they discovered the vulnerabilities on recent production devices and they had not found the newer versions of software that should patch the security holes.

This is not the first time someone has taken control of a car using insurance dongles. In January, a researcher demonstrated that a device from Progressive Insurance used in more than two million vehicles was plagued by vulnerabilities that could have been exploited to remotely unlock doors, start the car, and collect engine information.

White hat hackers demonstrated on several occasions this summer that connected cars can be hacked. Charlie Miller and Chris Valasek remotely hijacked a Jeep, ultimately forcing Fiat Chrysler to recall 1.4 million vehicles to update their software. Last week, researchers reported finding several vulnerabilities in Tesla Model S, but they applauded the carmaker for its security architecture.

In July, senators Ed Markey and Richard Blumenthal introduced new legislation, the Security and Privacy in Your Car (SPY Car) Act, in an effort to establish federal standards to secure cars and protect drivers’ privacy.

 

 

Credit:  Eduard Kovacs

Tesla’s Site And Twitter Account Hacked

 

Looks like it’s going to be a rough Saturday for Tesla’s IT department: they’ve just had both their website and Twitter account hijacked.

Update, 3:50 P.M: Tesla CEO Elon Musk’s personal Twitter account was seemingly hijacked briefly around this time, as well.

The first signs of the hijacking popped up around 1:52 P.M. pacific, when a tweet from the account declared that it was now under the control of its attackers, and the account’s name was changed from “Tesla Motors” to “#RIPPRGANG”.

A few minutes later, the account began promising free Teslas to those who followed certain accounts or to those who called a certain phone number. A quick search suggests that the number belongs to a computer repair shop in Illinois, and was presumably tweeted out to flood the number’s owner with calls. We’ve censored the number in the above screenshot for obvious reasons.

At nearly the same time, Tesla’s website was edited to declare that it’d been hacked by the same attackers. As of 2:15 p.m., the site had been taken offline — but in the hours since, it’s returned with the hijacked page multiple times. Its Twitter account, meanwhile, still seems to be hijacked. (We’ve avoided linking directly to any of the hacked sites in the off chance that the sites themselves were made to compromise the user’s security.)

Update: At around 2:45 P.M pacific, or roughly an hour after the Twitter account was compromised, it was restored. Tesla’s site is still offline.

It’s not unusual for a high-profile Twitter account to get hijacked — many of the most followed accounts in the world have fallen at one time or another. Taylor Swift’s account, for example, was hacked just weeks ago. That both Tesla’s Twitter account and the website were hacked simultaneously, though, points to an issue beyond a one-off Twitter security failing.

It’s unclear if the hack compromised the security of Tesla’s own servers, or if the site hijacking is a result of something like DNS/domain redirection. We’ve reached out to Tesla for comment here.