Scorpiones Group

Car hacking explained and best practice

Car hacking has become a recent concern for both driven and driverless cars.
Mainstream interest peaked in 2015 when a cyber security specialist hacked a Jeep remotely to demonstrate security vulnerabilities.
He was able to access the car’s various electronic control units (ECUs) and manipulate dashboard functions, windshield wipers, and even the engine and brakes.

If a physical device is connected to the internet, it can be targeted with a cyber attack.
Thus, with tens of millions of connected cars on the road today – and hundreds of millions of them expected to be by 2020 – threats to the safety and privacy of motorists, passengers, bystanders and private as well as corporate property already exist and are set to grow substantially.

While connectivity can be (and already is being) used to make us safer, more productive and entertained while in transit, it creates an attack surface through which to access the vehicle’s delicate Controller Area Network (CAN) bus.
Once inside, hackers may be able to send commands to the vehicle from a remote location in order to, inter alia, steal private and corporate data, track individual vehicles or entire fleets and hijack non-safety and safety-critical functions – imagine losing the ability to steer or brake while speeding down a highway!
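From the defender's side, commands injected onto the CAN bus tend to show up as frames that arrive off-schedule or carry an identifier the vehicle never normally sends. The following added example (not code from the original page) learns per-ID timing from known-good traffic and flags deviations; it assumes candump-style log lines and periodically broadcast messages, and all IDs, timings and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# candump-style log line: "(timestamp) interface ID#DATA"
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#[0-9A-Fa-f]*$")

def parse_log(text):
    """Return {arbitration_id: sorted timestamps}; malformed lines are skipped."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[int(m.group(2), 16)].append(float(m.group(1)))
    return {can_id: sorted(ts) for can_id, ts in seen.items()}

def learn_periods(seen, min_frames=5):
    """Baseline from known-good traffic: median inter-arrival time per ID."""
    return {can_id: median(b - a for a, b in zip(ts, ts[1:]))
            for can_id, ts in seen.items() if len(ts) >= min_frames}

def find_anomalies(seen, periods, ratio=0.5):
    """Flag IDs absent from the baseline and frames arriving far too early."""
    alerts = []
    for can_id, ts in seen.items():
        if can_id not in periods:
            alerts.append((ts[0], can_id, "unknown-id"))
            continue
        for prev, cur in zip(ts, ts[1:]):
            if cur - prev < ratio * periods[can_id]:
                alerts.append((cur, can_id, "too-fast"))
    return sorted(alerts)

def make_log(frames):
    """Render constructed (time, id, hex data) tuples as log text."""
    return "\n".join(f"({t:.6f}) can0 {i:03X}#{d}" for t, i, d in sorted(frames))

# Constructed sample data: ID 0x244 is broadcast every 10 ms in the baseline.
BASELINE = make_log([(1.0 + 0.010 * n, 0x244, "0000") for n in range(10)])
# Constructed capture: one extra 0x244 frame and one never-seen ID are injected.
CAPTURE = make_log([(5.0 + 0.010 * n, 0x244, "0000") for n in range(6)]
                   + [(5.023, 0x244, "FFFF"), (5.031, 0x3E9, "01")])

if __name__ == "__main__":
    periods = learn_periods(parse_log(BASELINE))
    for when, can_id, kind in find_anomalies(parse_log(CAPTURE), periods):
        print(f"{when:.3f}s id=0x{can_id:03X} {kind}")
```

Event-triggered messages are not periodic, so a timing baseline like this only applies to IDs that are broadcast on a fixed schedule.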

Looking forward, by 2020, virtually all manufactured vehicles will come with embedded, tethered or smartphone mirroring connectivity.
Already in the first quarter of 2016, cars accounted for one-third of all new cellular devices.
No longer a pipe dream of futurists, car connectivity has pervaded the automotive industry, and recent white-hat hacks of both private cars and commercial vehicles prove the ever-present danger.

What can be compromised in our car?
Keys & Push To Start

  • Hackers trick the car into thinking the key fob is close by amplifying its signal with relay boxes.
  • This allows them to then unlock the car and push to start without ever having the keys.

Entertainment Systems

  • If a car has a Wi-Fi hotspot, all you need is the IP address to compromise the system.
  • From there, hackers can move laterally to the car's various other computers.

Third Party Apps

  • Car-linked apps can be compromised via the cloud service they use to communicate with the car.
  • Phishing attempts cause owners to unknowingly download malicious apps that hack their car-linked app.

On-Board Diagnostics System

  • The on-board diagnostics system, or OBD-II, monitors car activity similarly to a black box.
  • OBD-II plugins, or dongles, send this data to your phone via Bluetooth. Hackers intercept it en route.

USB Ports

  • A hacked phone that is plugged into your car's USB port can compromise your car's systems.
  • USB software updates that are sent via mail can be easily compromised and corrupted.

Suspect a hack? Here's what to do:
  1. Check for vehicle recalls or software updates.
  2. Contact your auto manufacturer or authorized dealer.
  3. Update your system software.
  4. Purchase an OBD-II lock.
  5. Contact us for further protection.
