Why car thieves and threat actors target connected vehicles


Driverless vehicles first appeared in science fiction purely as a future technology. Today, the dream is rapidly becoming a reality, combining several technologies to assist or replace humans in driving a vehicle.

These intelligent self-driving vehicles can communicate with each other and surrounding infrastructure, which gives them the ability to anticipate oncoming traffic in blind spots, to beware of obstacles in the road around a corner, or to be able to avoid congestion ahead.

Connected and Autonomous Vehicles (CAVs) depend upon the generation and analysis of massive volumes of data, much of which is combined, shared, or made accessible to each other for the vehicles and infrastructure to become fully operational.

Modern vehicles roll off production lines with integrated connected systems that deliver most of the functionalities through a combination of technologies like cellular connections, in-vehicle Wi-Fi, Keyless Entry Systems (KES), USB, Bluetooth, Tyre Pressure Monitoring Systems (TPMS), DAB, Electric Vehicle (EV) charging, and so on.

From a security standpoint, this explosion of new technology, connectivity, and data results in a significant expansion of attacks and security threats. The attackers no longer need to rod the door or smash a window to access a vehicle. They can potentially manipulate the technology to gain access, both locally and remotely.

Car thieves are now using Software Defined Radios (SDR) to exploit KES’s weaknesses, launching man-in-the-middle or replay attacks to remotely unlock vehicles. Many attacks on connected vehicles have been disclosed by researchers, who have demonstrated how simple it can be to recreate attacks on production vehicles.

This post will explore some of the attacker motivations and potential consequences of these attacks in connected and autonomous vehicles.

1. Remotely control a vehicle

Researchers have successfully demonstrated that it is possible to hack connected vehicles from remote locations, allowing the attacker to control the radio, windows, brakes, acceleration, and steering. Interestingly, all attackers follow a similar pattern. They exploit a vulnerability in a cellular system and land on the vehicle’s infotainment system, which provides the driver with information such as service schedules, tire pressure, and oil levels in most vehicles. There is a necessary connection between the infotainment system and the Controller Area Network (CAN) within the main vehicle network connecting all the ECUs.

It is, therefore, possible in many vehicles to pivot from the infotainment system to the CAN bus and inject commands, spoofing signals that would appear to be coming from the braking system ECU or the steering system. There are three common weaknesses to all designs that are relevant to this attack objective: 1) there is no method for verifying integrity and authenticity of firmware and software; 2) there is a lack of boundary control/filtering of data flows, and 3) there is no device or message authentication.

2. Disable the vehicle

There are several ways an attacker could successfully disable the vehicle. One option is to exploit smart device/convenience applications that tend to provide functions such as turning on lights, opening and closing windows, and turning on Air Conditioning, each of which would allow an attacker to drain the car’s battery. Vulnerabilities have been found in a number of these applications, particularly with the authentication process.

For example, Nissan launched a convenience app allowing access to the vehicle. But when pairing the smart device to the vehicle, the only authentication details required was the Vehicle Identification Number (VIN), which is generally located at the bottom corner of the windshield, visible from the exterior.

Another way to achieve this objective is to take remote control of the vehicle. An attacker can craft and deploy malware such as ransomware to disrupt the vehicle. There is no documented ransomware attack on a vehicle, yet as most ECUs are embedded devices running mostly unpatched or outdated operating systems, this is a plausible scenario.

3. Remotely unlock a vehicle/theft

Unlocking the vehicle is one of the simplest and most common attacks on vehicles today. The Association of British Insurers (ABI) reported 16,000 claims in the quarter leading up to May 2019, equating to £108 million or £1.2 million a day. Attackers are using cheap and accessible technology such as SDRs to exploit known weaknesses in Keyless Entry Systems. In August 2020, researchers found 19 vulnerabilities in the Mercedes-Benz E-Class, which could enable attackers to remotely unlock the car door and start its engine.

By January 6th, 2020, 4118 thefts were reported in India from cheap electronic devices that enabled the thieves to bypass the engine control module, unlock the vehicle, start the engine, and access the vehicles’ computer. It is common for vehicle manufacturers to use symmetric keys between the key fob, entry system, and ignition keys. An attacker can compromise the symmetric key either through a brute force or man-in-the-middle attack by sniffing the radio frequency between the key fob and the entry system and then replaying it against the target vehicle.

4. Create a safety hazard

An attack on a vehicle could deliberately or accidentally create a safety hazard for the vehicle’s occupants. These attacks may be indirect, such as distracting the driver with warning messages and adjusting the infotainment unit’s volume, or direct, such as adjusting throttle position or steering position when the vehicle is in motion. As we become dependent on accurate and timely in-vehicle safety messaging for things like traffic jams, emergency stops, roadworks, or broken down vehicles, it will impact our driving behavior, and over-dependency could lead to greater consequences of DoS attacks.

5. Track or monitor the vehicle

The modern vehicle holds and has an increasing potential to hold a great deal of personal data. Already, location, destinations/journeys, travel times, driving style/behavior, contacts, messages, music preferences, and even web-browsing activity are often captured. Increasing use of cameras for monitoring inside and outside the vehicle and microphones for voice control and hands-free creates opportunities for attackers to spy on the occupants to extract rich pattern-of-life data.

6. Use the vehicle as a weapon

The most sinister attackers may look to remotely control a vehicle to drive into a crowd of people, similarly to terrorist attacks already seen in Nice, Berlin, and other cities. Autonomous Vehicles could potentially enable this style of attack to be executed remotely and at scale.

7. Distribution of illicit goods

Autonomous vehicles, by their nature, do not require a driver or any passenger to travel around a road network, so the transportation of illicit goods can be considerably de-risked. This is a similar concept to the use of drones to transport drugs, particularly into secure locations like prisons.