Connected cars but are they secure?


Kaspersky Lab and IAB Spain have announced the launch of the First Annual Connected Cars Study, an interesting piece of research. The main objective of this study is to provide an overview of the connected car market, combining all available information to answer some burning questions and bring some unity to the highly fragmented software ecosystem currently offered by manufacturers.
In a press release, Kaspersky said motorists can no longer ignore safety concerns about the communications and Internet services included in the new generation of “connected cars”. This is much more than just helping to park your car safely; it now encompasses access to social networks, email, smartphone connectivity, route calculation, in-car apps, etc. These technologies offer great advantages to drivers, but they also bring new risks to today’s users. That’s why it is essential to analyze the different vectors that could result in cyber-attacks, accidents or even fraudulent maintenance of the vehicle.
Privacy, updates and smartphone apps for these cars could be turned into three separate attack vectors for cybercriminals. “Connected cars can open the door to threats that have long existed in the PC and smartphone world. For example, the owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely. Privacy issues are crucial and today’s motorists need to be aware of new risks that simply never existed before,” said Vicente Diaz, Principal Security Researcher at Kaspersky Lab.
Kaspersky Lab’s proof of concept, based on analyzing BMW’s ConnectedDrive system, found several potential attack vectors:
Stolen Credentials: Stealing the credentials needed to access BMW’s website – using familiar means like phishing, keyloggers or social engineering – could result in unauthorized third-party access to user information and then to the vehicle itself. From here it is possible to install a mobile app with the same credentials and potentially enable remote services before opening up the car and driving it away.
Mobile Application: If you activate the mobile remote opening services, you effectively create a new set of keys for your car. If the application is not secured, anyone who steals the phone could gain access to the vehicle. With a stolen phone it would be possible to change database applications and bypass any PIN authentication, making it easy for a cyber-attacker to activate remote services.
Updates: Bluetooth drivers are updated by downloading a file from the BMW website and installing it from a USB drive. This file is not encrypted or signed, and it contains a lot of information about the internal systems running on the vehicle. This could give a potential attacker access to the targeted environment, and the file could also be modified to run malicious code.
Communications: Some functions communicate with the SIM inside the vehicle using SMS. Breaking into this communication channel makes it possible to send ‘fake’ instructions, depending on the operator’s level of encryption. In a worst-case scenario, a criminal could replace BMW’s communications with his/her own instructions and services.
So, next time you drive your connected car, make sure that your car is virus free.

