Whether it’s turning the music up a little, or turning down the AC – when you’re in your own car, you’re the driver in all senses of the word. Well, usually. Now, with the recent boom in connected cars, cybercriminals may soon be a backseat driver, only they’re not executing commands from the back row. They have the capability to remotely track you as you drive, or even take control of the settings all due to this recent explosion of connected cars — and vulnerabilities within those cars that have yet to be addressed.
Our Advanced Threat Research (ATR) team addressed these vulnerabilities in preparation for this year’s DEFCON, a cybersecurity conference held annually in Las Vegas, that brings together the best and the brightest to poke and prod new technologies and discover and document vulnerabilities. Vulnerabilities in connected cars are a particularly severe issue, especially as internet-connected and semi-autonomous vehicles begin to become commonplace.
The first vulnerability explored, which our team disclosed before DEFCON, allowed a test ransomware attack. The simulated ransomware attack didn’t disable the car, it made being around the car a chore by playing a popular 80’s song at full volume until the target paid the ransom.
Another newly-discovered (and fixed) vulnerability found by our research team allowed them to make their way within into the car’s navigation system. There, they were able to find the web address the car used to check in with its manufacturer for navigation. As it so happens, the manufacturer no longer owned the domain — enabling our team to set up a honeypot site for any car that wanted to check into the manufacturer’s site. Our ATR team was surprised to see a number of cars check in. Not only that, but a number of vehicles gave their geographic location, their current navigation destinations, the GPS coordinates of waypoints and even the name of those waypoints.
That’s not all. Our team was also able to execute code through the S-Gold 2 (PMB 8876) cellular baseband chipset — a device used in a car to communicate with either the internet or a manufacturer’s intranet (an intranet being, essentially, a private internet). Obviously, our ATR team notified the relevant manufacturers of these issues, and a fix has been issued.
All of these vulnerabilities may sound concerning, but their public disclosure is actually good. Since we’ve notified Nissan and BMW of the S Gold 2 vulnerability, we have been told that a free fix has been issued to their dealers, which is available now to all affected customers in U.S. and Canada. It’s important both manufacturers and their drivers become aware of these issues, and take the necessary steps to keep their vehicles secure. To help keep your vehicle safe as a driver, follow these security tips:
- Do your research before you buy. Conduct a quick scan online to see if any security issues have been reported with a car and its technology. That way, when looking to purchase your next car, you’ll be educated on the issues and buy with security in mind.
- Check online notices. When made aware of vulnerabilities, manufacturers will notify the public, as well as make them aware of incoming fixes. Therefore, scan technical service bulletins or notices on a company site so that if a vulnerability does pop up with your existing car, you can learn what to do to help your vehicle stay secure.