The average car is increasingly becoming a vehicle for the Internet; but does this also make it a vehicle for cybercrime? Security vendor Kaspersky Lab, in cahoots with Spanish digital media outfit IAB, reckons that software updates, in-car mobile apps and privacy are all areas which have ripe potential for the car crook to launch an attack.

Announcing the first 'Annual Connected Cars Study', which aims to provide an overview of the Internet car market, Kaspersky Lab and IAB hope to bring some unity to the pretty fragmented software ecosystem currently offered by car manufacturers.

In developing a proof of concept to analyse how safe it is to connect a car to the Internet, principal security researcher for Kaspersky Lab, Vicente Diaz, identified several likely attack vectors. The proof of concept, which was based on an analysis of the BMW ConnectedDrive system, revealed the following danger zones:

Stolen Credentials

Data needed to access BMW’s website could be stolen using traditional methods such as social engineering or keyloggers. This could result in unauthorised third-party access to user information and, possibly, to the vehicle itself, by installing a mobile app to enable remote services before opening the car and driving off.

Mobile Applications

Activating mobile remote opening services on your phone creates a new set of virtual keys for your car, which could give anyone who steals your smartphone instant access to your car. With the stolen smartphone it might then be possible to change database applications and bypass PIN authentication (if used) to make remote service activation a doddle.

Software Updates

A file downloaded from the BMW website provides Bluetooth driver updates via USB. The research showed this file to be unencrypted and unsigned. It also contained plenty of data regarding the internal systems of the car. The opportunity to run malicious code should not be underestimated, Kaspersky Lab says.

Communications

With some functions communicating with the SIM inside the vehicle using SMS, there is an opportunity to break into the channel and send fake instructions. A worst-case scenario, according to the report, could involve a criminal replacing BMW’s communications with their own instructions and services.

"Connected cars can open the door to threats that have long existed in the PC and smartphone world," Vicente Diaz warns, continuing: "owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely." Privacy issues are crucial and today’s motorists need to be aware of new risks that simply never existed before, Diaz concludes.

Do you have a connected car, and if so have you thought about the security implications?

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...