


Car hacking news: Ransomware threat could reach auto dealerships

Aug 18, 2015 | 5 mins
Data and Information Security, Microsoft, Security

You may not have heard the worst-case scenario in this summer of car hacking; one security expert has painted a very scary one.

It would be a heck of a time to be shopping for a new set of wheels. The theme of digitally beating up cars continued with two teams of security researchers at the 24th USENIX Security Symposium.

After two years of having their research suppressed by Volkswagen and a UK court, Flavio Garcia, Roel Verdult, and Baris Ege were finally able to present their research (pdf) at USENIX. The research paper details “how the cryptography and authentication protocol used in the Megamos Crypto transponder can be targeted by malicious hackers looking to steal luxury vehicles.”

Also at USENIX, University of California at San Diego researchers revealed (pdf) how to hack a Corvette’s brakes by sending text messages to an OBD2 dongle known as a telematics control unit (TCU); it’s not only Corvettes, though, as security researchers told Wired that the same technique could be used to “wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency.”

You might recall that at the start of this year, Progressive Insurance Snapshot devices were said to be riddled with security flaws which attackers could exploit to hack vehicles.

So far in the summer of car hacking, Charlie Miller and Chris Valasek remotely attacked and sent a Jeep into a ditch before urging you to patch your Chrysler, Ram, Durango or Jeep; Chrysler then recalled 1.4 million vehicles. The National Highway Traffic Safety Administration opened an investigation into Harman Kardon, and there was a class action lawsuit filed against Fiat Chrysler Automobiles and Harman International.

Even Senators started pushing SPY Car Act legislation and a “cyber dashboard.”

Samy Kamkar came out with “Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars.” His $32 RollJam device can break into most garages and cars. Kamkar said, “If you’re using a remote to unlock your vehicle, then you’re vulnerable.” After Kamkar’s OwnStar, General Motors had to patch its OnStar RemoteLink app, which can locate, unlock, and remotely start GM vehicles.

Tesla was quick to patch its Model S after security researchers hacked the car’s software and presented “How to Hack a Tesla Model S.”

After Miller and Valasek proved that vehicles can be remotely attacked in real life and not just the movies, I thought they made a great case for going old school and steering clear of ‘smart’ and ‘connected’ vehicles. Now Bloomberg’s Leonid Bershidsky also suggested “keeping it simple.” Basically, he votes for driving a “dumb” car.

“The more microprocessors a car has, the greater the attack surface,” Bershidsky wrote on BloombergView before adding that “The Tesla Model S has 62 processors, about as many as top-flight BMWs, Mercedes, Audis and Lexuses do.” He suggested:

So if you drive a scratched Ford with 80,000 miles on it, you might be able to console yourself with the thought that you’re not worth the trouble. Wealthy people have more to worry about: They’re more likely to have expensive cars, or covetous enemies who won’t be above hiring hackers to commit what could be a perfect, undetectable crime. For everyone, not worrying about car hacking is like living with a “12345” e-mail password: For a long time nobody cares enough to break it, then suddenly it’s too late and your account is sending out virulent spam.

Large-scale ransomware attacks on cars?

As if car hacking scenarios aren’t scary enough, Andy Rowland, Head of Customer Innovation, Energy, Resources and Automotive at BT, warned about how multiple-vehicle hacking scenarios could affect drivers even if they don’t drive the most recently hacked car in the news. He wants us to think bigger, as in infections starting at auto dealerships or manufacturing plants. Rowland wrote:

The worse-case [sic] scenario is that multiple vehicles could be infected from a single source, and the manufacturer is then held to ransom. The infection could start in multiple ways: with a compromised app that drivers download, or through a batch of components that have embedded malware that is not detected when the vehicles are manufactured, or even with social engineering — for example, dropping a few USB sticks outside a franchised workshop, so that malware gets onto diagnostic PCs, which then infects all of the vehicles brought in for servicing that week.

Tesla stocks could double?

Whether you are in the market for a new shiny car with all the connectivity bells and whistles or sticking with a “dumb” car, Morgan Stanley is advising you to buy Tesla stock. Morgan Stanley analyst Adam Jonas rates Tesla as an overweight stock, meaning he believes it is a better value for the money than others. Bloomberg reported that Jonas “increased the price target for Tesla to $465 from $280 (the stock is currently at about $243). The key reason behind this is what he calls ‘Tesla Mobility, an app-based, on-demand mobility service’.”

Tesla, according to Morgan Stanley, has the five critical attributes to be a high-performing shared autonomy firm: vehicle design and engineering, leadership in connected cars, autonomous cars and software expertise, battery/electric powertrain expertise, and a proprietary infrastructure network. Yet the biggest reason Jonas seems hot for Tesla stock is a non-answer he got when interviewing Elon Musk.

Uber had previously said it would buy all of Tesla’s autonomous cars if the vehicles were ready by 2020, but Jonas asked:

Is this a real, I mean, forget the 2020 for a moment, but is this a real business opportunity for Tesla? Supplying cars to ridesharing firms, or does Tesla just cut out the middleman and sell on-demand, electric mobility services directly from the company on its own platform?

After Musk replied with, “I don’t think I should answer,” Jonas said, “Sometimes you can tell more from the non-answer than from the answer.”

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.