The security flaws affecting connected cars

cars

If we imagine a world where the only cars that are on the highways are all smart cars, then we can rest assured that driving will be a lot safer. These cars are able to communicate between themselves to avoid collisions and can take alternative routes if they detect that there has been an accident ahead.

They are also unable to jump red lights as they receive orders which impede them from doing so. In fact, it’s possible that in the future we’ll see that traffic police needn’t even have to raise their arm to stop the cars, as this can be done remotely. The Internet of Things has arrived with the mission to save lives in the automotive industry.

The National Highway Traffic Safety Administration (NHTSA) in the United States estimates that the technology based on these cars could prevent more than half  a million accidents and more than one million deaths each year in the United States alone. General Motors has already announced that vehicle to vehicle technology will be launched on the Cadillac in 2017.

However, the fact that these cars are able to communicate with one another is a worry for security experts, as they could be prey for cyber-attackers.

The problem arises when someone is able to listen in on these communications between the cars to guess where the vehicle is. This has already been demonstrated by the security expert Jonathan Petit at the Black Hat Europe conference.

Just one month ago this investigator showed that a simple laser pen was able to confused a smart car, making it think that there was an object in front of it when it reality there was nothing. Now he explains how these cars can be tracked easily.

smartcar

Connected cars use a Wi-Fi range to be able to communicate from hundreds of meters. This helps them to avoid collisions with one another as they have a complete map of all cars in their proximity. The difference between them and smart cars, which draw up outlines of their surroundings by using the LIDAR which is placed on the roof of the car, connected cars don’t see those around them, but rather detect them.

The information sent from car to car is encrypted and is only related to their position and speed. They don’t send information such as the registration plate, but each message has a digital signature so as to avoid false messages and misunderstandings that could provoke accidents.

Petit took advantage of this digital signature to carry out his tests, at the University of Twente in the Netherlands. He placed two sniffing stations in different points around the campus, which were dedicated to collecting the information from this network. He also parked a V2X vehicle (vehicle-to-everything) on the campus, which was able to collect all information that came from a connected car, be it with another vehicle or object.

Fifteen days later, the vehicle had transmitted more than two and a half million messages and the sniffing stations had detected nearly forty thousand, just 3% of the total. With this information and the digital signatures, he was able to identify the vehicles, predict where they were situated on the campus with a precision of 78%, and even guess where they were with a 40% success rate.

traffic

Petit and the group of investigators from the University of Twente believe that governments or cybercriminals could use this system on a larger scale to be able to monitor all of the cars within a city. “The thieves could wait until police cars are out of a determined area to commit a theft”, explained Petit.

It’s as easy as that to compromise the security of connected and smart cars using this technique, which allows someone to guess the location, speed, and direction of the car.

Considering that the stations currently cost around $550 (€511), Petit thinks that for the moment the only way to carry out this attack would be with a Raspberry Pi and a Wi-Fi radio.

For some experts, one of the possible alternatives would be the every message is signed off with a pseudonym which changes every five minutes in the hope that the cybercriminal wouldn’t be able to identify the car and track it.

Petit has explained that this modification would only imply an additional cost of 50% for the attacker, who would only need to install more stations.

That said, for now there is no reason to panic. This security expert is working with Ford, General Motors, and other manufacturers in the development of strategies so that connected cars are safer. In a few years we will be able to enjoy the advantages of these cars with the security guarantee that we deserve.

The post The security flaws affecting connected cars appeared first on MediaCenter Panda Security.

Leave a Reply