Tag Archive for: cars

IoT Hack Enables Cybercriminals to Steal Cars


Automotive security experts have discovered a new method of car theft: cybercriminals can hack into a vehicle’s control system through the headlight. The control system is managed by the controller area network (CAN) bus, an Internet of Things (IoT) protocol that allows devices and microcontrollers within the car to communicate with each other.

By manipulating the electronic control unit (ECU) in a Toyota RAV4’s headlight, attackers could access the CAN bus and gain control of the car. This approach, described in a blog post by Canis Automotive Labs CTO Ken Tindell, is a way of car hacking that had not been seen before. Once connected through the headlight, the attackers could reach the CAN bus responsible for functions like the parking brakes, headlights, and smart key, and from there the powertrain panel where the engine control is located.

Even though car hacking is not a new issue, this method of attack highlights the vulnerability of IoT protocols like the CAN bus and the need for improved security measures in automotive systems.

[Figure: Diagram showing how ECUs in a RAV4 are wired together with CAN bus (via Canis CTO blog)]

Tindell cautions that this form of CAN injection will compel manufacturers to reconsider the security of their vehicle control networks. “As a car engineer, your focus is on addressing a variety of challenges such as minimizing wiring, enhancing reliability, and reducing costs. Cybersecurity may not always be at the forefront of your mind.”

A Case of Stolen Toyota RAV4 in London

Ian Tabor, an automotive security consultant, woke up to discover that his parked Toyota RAV4 had been tampered with in London. The car’s front bumper and left headlight had been disturbed, and the same areas were later found to be tampered with again.

Unfortunately, he didn’t…


Cybersecurity market for connected cars to grow to $4.14B by 2026



ResearchAndMarkets.com on Friday estimated that the global external cloud automotive cybersecurity services market will grow from $1.74 billion in 2021 to $2.12 billion in 2022 at a compound annual growth rate (CAGR) of 21.8% — and by 2026, this market will grow to $4.14 billion with a CAGR of 18.3%.

The main types of security in external cloud automotive cyber security services are endpoint, application, and wireless network security. The different vehicle types include passenger cars and commercial vehicles.

ResearchAndMarkets added that the number of connected cars will propel the growth of the external cloud automotive cybersecurity services market in the years ahead. Connected cars are vehicles that can access the internet to connect with other vehicles through an in-built connectivity system. Some of these features have been around for several years, but will grow in use as the auto industry moves more to autonomous and electric vehicles.

On the security protection front, the automotive industry needs to adopt a defense-in-depth strategy when it comes to security, said Ted Miracco, chief executive officer at Approov.

Miracco said many of the recent breaches have had a single point of failure, such as exploiting user credentials or API keys that have allowed anyone to unlock cars. Implementing zero-trust systems that verify not only the user, but also the device and the authenticity of the application, creates an appropriate layered approach to security that can prevent these kinds of attacks, said Miracco.

“We see a bumpy road ahead for the automotive sector,” said Miracco. “We consistently find secrets (including API Keys) hidden within automotive applications on both iOS and Android. Traditional approaches such as code obfuscation have proven unreliable and we need to deploy additional capabilities to secure these vehicles. As more companies use mobile devices to unlock vehicles, we see an uptick in theft and this will impact consumers, insurance companies, and law enforcement.”

Dan Benjamin, chief executive officer at Dig Security, said when…


SiriusXM hack unlocks, starts cars


Curry, who works for New York-based Yuga Labs, a blockchain-based software development company, is known in cybersecurity circles for his interest in automobile telematics.

In September 2022, a hacker reached out to Curry to show him how he had breached Uber’s backend systems and compromised the ride-hailing service’s Amazon and Google-hosted cloud environments where the company stores its source code and customer data.

The automakers and SiriusXM said no mishaps resulted from the potential security breach.

“Honda is aware of a reported vulnerability involving SiriusXM connected vehicle services provided to multiple automotive brands, which, according to SiriusXM, was resolved quickly after they learned of it,” Jessica Fini, a Honda spokeswoman, said in a statement. “Honda has seen no indications of any malicious use of this now-resolved vulnerability to access connected vehicle services in Honda or Acura vehicles.”

In a statement, SiriusXM Connected Vehicle Services said that “the issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised, nor was any unauthorized account modified using this method.”

Hyundai spokesman Ira Gabriel told Automotive News that the automaker worked with third-party consultants to investigate the vulnerability as soon as Curry and his team brought the security issues to their attention.

“Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers,” Gabriel said.

To hack a Hyundai, Gabriel said one needed the email address associated with the account, along with the VIN and the script, or code, used by the hackers.

Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of its systems, he said.

Curry told Automotive News that he thought automakers could make their smartphone applications more secure through standardization, but they each take separate approaches in developing their applications.

“This is a really complicated issue, but I’d like to…


74% say connected cars and EV chargers need cybersecurity ratings



Almost 3 in 4 people think that connected cars and electric vehicle chargers should be rated for their ability to resist cybersecurity threats. That’s the finding from a survey conducted last week by BlackBerry to see whether people consider Internet-connected devices (also known as the Internet of Things) to be secure from hacking threats.

The survey was commissioned in response to a new White House initiative announced on Wednesday. The Biden administration plans to launch a labeling program for IoT devices in 2023, similar to the EnergyStar ratings that tell consumers how much electricity a TV or appliance will use.

The White House wants the National Institute of Standards and Technology and the Federal Trade Commission to come up with a basic set of security standards so that Americans can tell at a glance whether that new speaker or washing machine is in danger of joining a botnet or getting hit with ransomware.

Perhaps alarmingly for Ars readers, only 54 percent of the 1,008 people surveyed said they are concerned about Internet-connected devices in their homes being hacked. And just 32 percent said they own IoT devices that they do not let access the Internet due to security concerns. But 82 percent agreed that a cybersecurity rating like EnergyStar would make them feel more informed about connected devices.

BlackBerry also asked, “Do you think a cybersecurity/’star rating’ system should be extended to connected cars and electric vehicle charging stations?” Overwhelmingly, respondents did, with 74 percent agreeing with that statement.

There’s no indication yet that the White House, NIST, or the FTC plan to include connected cars or EV chargers in the new labeling scheme, but there’s probably a better chance of that happening than every connected car being fitted with a physical kill switch to disconnect it.
