German researchers recently discovered a security flaw in BMW’s ConnectedDrive software by spoofing a mobile signal, intercepting all of the communications, and gaining access to the car’s computer system. Following this, it was announced that BMW had to recall and patch new cars affecting 2.2 million Rolls-Royce, Mini and BMW vehicles. This flaw, if not fixed, would have allowed hackers to open doors remotely and seize control of on-board systems for everything from the radio to air conditioning to online services.
In order to patch this security fault, BMW enabled the secure Hypertext Transfer Protocol (HTTPS), which adds a security layer to the standard HTTP to encrypt the communications. Although doing this solves one of the problems and means that communication is now encrypted, it’s still important to note that the problem is not completely fixed as data can still be intercepted. It could be argued that this is Info Security basics and the fact that BMW engineers missed this vital step, although shocking, is actually not all that surprising.
With consumer demand at an all-time high, and with software developers being pushed to release new software with the most up-to-date features, it seems that security is taking a back seat and remembering that encrypting everything and assuming that no network is secure, seems to be a distant thought.
This is particularly worrying as we prepare for more connected devices. It’s more important than ever to remember that security needs to be one of the main considerations, and not an afterthought, like in the case of BMW’s ConnectedDrive software. If you install Java on your computer, you will be greeted by a nice splash screen from Oracle telling you how 3 billion devices now run Java, which can include phones, parking meters, ATMs, set top boxes and more. Leaving aside the fact that Java is responsible for a high proportion of security patches; the wider trend is that we are seeing more insecure connected devices.
Cars are covered a lot in the media today, especially with new developments and, although security flaws have been pointed out in connected vehicles, a car does not have to be connected to anything to be vulnerable. In 2010, Yoshi Kohno from the University of Washington demonstrated that a car could be compromised by injecting malicious code via an Audio CD or the radio signal received by the car. His team were able to completely take over all of the on-board computers in the car and by doing so could track its location, listen to conversations and even apply or disable the breaks.
In the case of connected vehicles, the main issue is with the on-board computers that run software, which, even with the best will in the world, is vulnerable. Your car radio is not a transistor radio any more, it is a computer that uses a piece of code to decode the radio signal and play your music – this is vulnerable! By getting someone to tune into your station you can own their car; in much the same way that spyware gets you to go to an infected website to infect your computer.
We have already seen Sony’s PlayStation and Microsoft’s Xbox Live networks taken down as a result of huge Direct Denial of Service (DDOS) attacks recently. We need car manufacturers to get their act together to avoid being the next victims. Imagine if a group of attackers were able to infect all cars of a particular manufacturer in London and the malware activates itself when the car gets to a specific location or goes above a certain speed.
By doing this, the hackers could then ensure that, one day in London, all the cars stop! No one knows why, traffic comes to a standstill, buses can’t move and the city grinds to a halt. Then the new hacker group tells the media they did it and unless the car company pays them lots of money they won’t re-activate the cars. Will it take a circumstance like this for manufacturers to get the message? Imagine the economic impact, the political fallout and the consequences for that car manufacturer?
Car manufacturers are dealing with people’s lives every day and already have very robust test and threat models to trial their car’s safety features. This industry should therefore know better than to leave things to chance. You would have thought that if they can create lights that shine around corners, cars that drive themselves and that deploy lifesaving equipment in the event of an accident; surely they can secure the on-board computers in their cars?
The message to car manufacturers is clear. Please get your act together and secure all your software and software developers – take your foot off the pedal, slow down and build in security from the start, or you may well be the next victim.