The average car is increasingly becoming a vehicle for the Internet; but does this also make it a vehicle for cybercrime? Security vendor Kaspersky Lab, in cahoots with Spanish digital media outfit IAB, reckons that software updates, in-car mobile apps and privacy are all areas which have ripe potential for the car crook to launch an attack.
Announcing the first 'Annual Connected Cars Study' which aims to provide an overview of the Internet car market, Kaspersky Lab and IAB hope that some unity can be provided to the pretty fragmented software ecosystem offered by car manufacturers currently.
In developing a proof of concept to analyse how safe it is to connect a car to the Internet, principal security researcher for Kaspersky Lab, Vicente Diaz, identified several likely attack vectors. The proof of concept, which was based on an analysis of the BMW ConnectedDrive system, revealed the following danger zones:
Data needed to access BMW’s website could be stolen using traditional methods such as social engineering or keyloggers and could result in unauthorised third-party access to user information and, possibly, the vehicle itself by installing a mobile app to enable remote services before opening the car and driving off.
By activating mobile remote opening services on your phone a new set of virtual keys for your car are created which could give anyone who steals your smartphone instant access to your car. With the stolen smartphone it might then be possible to change database applications and bypass PIN authentication (if used) to make remote service activation a doddle.
A file download from the BMW website provides Bluetooth driver updates via USB. The research showed this file to be unencrypted, and unsigned. It also contained plenty of data regarding the internal systems of the car. The opportunity to run malicious code should not be underestimated, Kaspersky Lab says.
With some functions communicating with the SIM inside the vehicle using SMS,there is an opportunity to break into the channel and send fake instructions. A worst-case scenario, according to the report, could involve a criminal replacing BMW’s communications with their own instructions and services.
"Connected cars can open the door to threats that have long existed in the PC and smartphone world" Vicente Diaz warns, continuing "owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely." Privacy issues are crucial and today’s motorists need to be aware of new risks that simply never existed before, Diaz concludes.
Do you have a connected car, and if so have you thought about the security implications?