Technology has greatly transformed the automotive industry, bringing both advancements and new challenges. The reliance on connectivity and software in cars has opened the door to cyber threats, making cybersecurity a crucial concern for the automobile industry.
With the increasing complexity of modern cars, there are now around 150 Electronic Control Units (ECUs) and an astonishing 100 million lines of code. Even simple functions like opening car windows require multiple software systems.
In this blog, we will delve into the fascinating world of automotive hacking and how it affects major companies like Hyundai, Mercedes, and BMW. Discover the various types of car attacks that must be guarded against and learn about the preventive measures necessary to ensure the safety of your vehicle.
What is Automotive Hacking?
Automotive hacking is when hackers compromise a vehicle's hardware, software, and communication systems. They gain unauthorized access and exploit vulnerabilities in communication networks and ECUs.
They aim to control critical vehicle functions, like steering, acceleration, and safety systems. It results in remote control of vehicles and sensitive data breaches.
Now these software are designed, built, and maintained by external suppliers and software teams scattered across the globe. Automobile companies perform rigorous testing. But, this complexity is one of the reasons why they should partner with security & testing platforms.
According to researchers, automotive hacking increased by 225% from 2018 to 2021.
Let's understand automotive hacking with the help of a recent Hyundai incident. In this incident, the Hyundai app bugs allowed hackers to unlock and start cars remotely.
Automotive Hacking: The Hyundai Issue
Hyundai and Genesis mobile apps allowed authorized owners to start, stop, lock, and unlock their vehicles. But, researchers found mobile app vulnerabilities affected car models made after 2012.
They extracted API calls for an investigation. They intercepted the traffic generated from these two apps. As a result, they found that the user account registration required an email address. It was there in the JSON body of POST requests. Then they noticed that MyHyundai did not need users to confirm their email address. So, they created a new account using one of the target's email IDs with an extra control character at the end.
The first approach we thought of was fuzzing the Hyundai user account registration. Immediately, we noticed that the server did not require users to confirm their email address. There additionally appeared to be a very loose regex which allowed control characters in your email. pic.twitter.com/twv0I92C0C— Sam Curry (@samwcyo) November 29, 2022
They sent an HTTP request to Hyundai's endpoint. It had the spoofed address in the JSON token and the victim's address in the JSON body. This process bypassed the validity check. So, they tried to unlock the Hyundai car used for the research to check if they could use this access to hack a car. The car opened a few seconds later.
Few More Instances of Automobile Hacks
Researcher Sam Curry tried to find out as many car vulnerabilities as possible. Let's take a look at a few of those instances-
1. Kia, Honda, Infiniti, Nissan, Acura
Researchers could remotely lock and unlock the cars by using only the VIN. They could also start and stop the engine, honk the vehicles, and flash headlights. It also involved a complete account takeover and PII disclosure. For Kia cars, they were also able to access the 360-view camera and view live images remotely.
By exploiting the improper SSO, they could access critical internal applications. It included cloud deployment services and internal vehicle-related API. They also gained access to company-wide internal chat tools and build servers.
3. BMW, Rolls Royce
They found SSO vulnerabilities that allowed them to access employee applications as employees. They could also access applications locked behind SSO on behalf of any employee. It included applications used by remote workers and dealerships.
For BMW, the researchers were able to access internal dealer portals. It was where one could ask for any VIN to recover sales documents.
Poor access control allowed them to create and delete employee administrator user accounts. They also accessed user accounts with the capability to change Ferrari-owned web pages. A full zero-interaction takeover of customer accounts and records was also possible.
They also identified that potential hackers could add HTTP routes on api.ferrari.com. It lets them view all existing rest connectors and secrets associated with them.
5. Jaguar, Land Rover
User account IDOR disclosed password, name, physical address, phone number, and vehicle information.
Types of Automotive Cyberattacks You Need to Prevent
1. Direct Attack
It is an intentional attack where the attacker gains unauthorized access to the vehicle. They also aim to gain control of the vehicle's functions, such as steering or acceleration.
2. Vehicle-to-Vehicle Worm
This attack involves the spread of malware from one connected car to the next. Attackers use WiFi, cellular, or vehicle-to-vehicle digital communication systems to do so. They exploit the vulnerabilities in the interconnectivity protocols used in vehicle-to-vehicle communication.
3. Home Base Attack
Since all connected vehicles communicate with the manufacturer, this attack targets centralized systems. It includes the manufacturer's corporate network, fleet management system, or control center. Attackers send viruses to millions of connected cars by compromising the home base.
4. WiFi Hotspots Attack
In this attack, the attacker exploits vulnerabilities in cars' WiFi hotspots. They infect hundreds of wifi-enabled vehicles as they pass within the range. Unauthorized access lets them gain control and intercept sensitive data of all vehicles.
5. Supply Chain Attack
The car manufacturing process relies on a vast network of software suppliers. However, this supply chain is susceptible to security breaches by malicious individuals. They can infiltrate various manufacturing, distribution, or installation stages, potentially introducing vulnerabilities or backdoors in the final products. These attacks can occur without the automaker's awareness.
6. Digital Application Attack
In this, the attacker targets the digital applications installed in the cars. They gain unauthorized access and control to manipulate data and disrupt vehicle functionality.
7. Mobile Device-to-Device Attack
This attack happens when someone pairs their virus-infected phone with the car. Attackers exploit vulnerabilities in the wireless connections between mobile devices and vehicles. It compromises the security and safety of the car.
How Can Appknox Help Secure The Automotive Industry?
Appknox is the ultimate plug-and-play security platform designed to safeguard the mobile app ecosystem deployed by automakers. With unparalleled power and effectiveness, Appknox can outsmart even the most intelligent hackers. Our comprehensive suite of automated tools and skilled penetration testers will fortify your application as part of your software development lifecycle.
With Appknox, automakers can integrate application security with their complex IT and Software systems and achieve 360° protection for their mobile app security posture.
Get Total Application Security with Appknox!
Ensure comprehensive application security by leveraging the power of automated solutions and the knowledge of skilled security professionals.
Automakers can protect their revenue and reputation from security threats with Appknox’s Vulnerability Assessment. Scan your mobile app's binary once and uncover all vulnerabilities in under 60 minutes. Discover Appknox VA →
Our automated security has successfully neutralized over 100,000 threats, but we believe in the power of human expertise. With Penetration Testing, automakers can easily request a manual penetration test through our convenient dashboard. Appknox's experienced security researchers will carefully analyze your applications to identify and eliminate potential threats.
Request a demo today to uncover how we transformed automotive global security outcomes with our solutions.
Frequently Asked Questions (FAQs)
1) What Are the Major Cybersecurity Vulnerabilities in the Automotive Industry?
The automotive industry faces a lot of cybersecurity vulnerabilities. It includes inadequate software security, weak authentication, and supply chain risks. It also contains insecure communication networks and a need for timely security updates. Attacks like GPS spoofing exploit these vulnerabilities and pose dangers to vehicle security.
2) What Are the Potential Consequences of Cybersecurity Breaches in the Automotive Industry?
Cybersecurity breaches in the automotive industry can have severe consequences for app developers. It includes reputational damage, which can destroy trust in their apps and reduce their credibility in the market. Other potential effects include legal and regulatory repercussions and financial loss. Security breaches also strain developers' relationships with automotive manufacturers and suppliers.
3) What Are the Key Security Considerations When Developing a Mobile App for Cars?
Key security considerations include strong authentication and authorization mechanisms. It includes securing data in transit and at rest with encryption and ensuring secure communication. Developers should also conduct regular security assessments and testing. They should stay up to date with security patches and updates. App developers can partner with a dedicated mobile app security platform.
4) What Steps Can Car App Developers Take To Prevent Unauthorized Access and Tampering With App Functionality?
They can ensure it by implementing robust authentication mechanisms, such as two-factor authentication. Other measures include securing data communication with encryption and conducting regular security assessments. Developers should also apply obfuscation techniques to prevent reverse engineering.
5) How Can Car App Developers Ensure Secure Communication Between the App and the Vehicle?
They can install protocols like Transport Layer Security (TLS) or Secure Socket Layer (SSL) encryption. App developers should also put in place secure communication channels. It would ensure the identity and authenticity of the vehicle through digital certificates.
6) How Can Car App Developers Stay Updated on the Latest Security Threats and Implement Timely Security Patches?
App developers should collaborate with a mobile app security partner like Appknox, who can install SBOM. It will let them maintain an inventory of all the components used in the software. They will also be able to identify exploitable vulnerabilities and install security patches. Additionally, performing regular penetration testing and vulnerability assessments will solve the purpose.