Every time I read that a new vulnerability was revealed on a vehicle with high tech, I love my older car just a little bit more. Human safety, to me, is above all else in the great scheme of things. That is why security vulnerabilities related to automobiles are the most frightening.
Recently, at RSA, researcher Charles Henderson showed that he could still control his car a year after he sold it, via an app on his phone. Dealers apparently know this, and although Charles did not mention the vendor of the car, it should be assumed that the flaw exists across all vendors. This is bad, people. Having a stranger able to remotely unlock, track, remotely start, etc. your car breaches all three sides of the Confidentiality, Availability and Integrity triangle. In this instance, the research showed that factory resets do not revoke app access. I do not believe that there exists any present legislation that would govern this. So really, you do not, nor will you ever, own your car.
This is not the first time, nor is it an isolated incident. Last year, Troy Hunt wrote an amazing blog about how you could control any Nissan Leaf vehicle simply by knowing the VIN.
Going even further back, Samy Kamkar hacked GM’s OnStar system. This hack was especially scary, because it gave the attacker all the control that OnStar would have. GM took five years to fully address the issue.
Wired’s Andy Greenberg participated in a hacking experiment to remotely kill a Jeep while it was moving. This could not have taken place without all of the tech available in the newer models.
These cited examples clearly demonstrate that automotive manufacturers are not employing secure development practices in the code that automates vehicle functions or in app development. Having an older car with less tech does minimize the exposure plane to some of the more advanced hacks mentioned. At present, that is my solution. I don’t need to remotely start my car, or turn on its AC from my phone. I don’t require OnStar or any other service to do so either, despite their scary commercials.
Besides the awareness that I and our fellow InfoSec professionals bring to the subject, there is work being done at Utah State College to build in security and raise awareness of this problem.
Stay safe, friends!
Oh, there has been some work to rate the ‘hackability’ of cars: