The automotive industry is abuzz with discussions about the ‘internet of vehicles’ (IoV), a concept that envisions a network of cars and other vehicles exchanging data over the internet to enhance transportation safety, autonomy, and efficiency. The IoV has the potential to help vehicles identify roadblocks, traffic jams, and pedestrians, improve their positioning on the road, and even enable driverless cars. While this technology is already being implemented in some form through smart motorways, a more sophisticated IoV will require significant investments in sensors, software, and other technologies for both vehicles and road infrastructure.
The Dark Side of Connectivity
Modern vehicles are equipped with more electronic systems than ever before, including cameras, mobile phone connections, and infotainment systems. However, this increased connectivity also makes them more vulnerable to theft and malicious attacks. Criminals are already exploiting vulnerabilities in these new technologies, and the situation is becoming increasingly dire.
Security Risks: Smart Keys and CAN Injection Attacks
One of the most significant security risks facing modern vehicles is the potential for thieves to bypass their security systems. Smart keys, designed to protect vehicles against theft, can be compromised using handheld relay tools that trick the vehicle into thinking the key is closer than it actually is. This is typically done by two individuals working together, one near the vehicle and the other near the key’s actual location. To counter this, car owners can store their keys in Faraday bags or cages that block the signal emitted by the keys.
A more sophisticated method of attack is the ‘CAN (Controller Area Network) injection attack’, which involves establishing a direct connection to the vehicle’s internal communication system, the CAN bus. Thieves can gain access to the CAN bus through the vehicle’s lights, requiring them to remove the bumper and insert a CAN injector into the engine system. Once inside, they can send fake messages that disable the immobilizer, allowing them to start the engine and drive the vehicle away.
Mitigating the Risks
To combat these vulnerabilities, manufacturers are adopting a ‘zero trust approach’, where messages received by the vehicle are not trusted by default and must be verified. One way to achieve this is by installing a hardware security module that generates cryptographic keys for encrypting and decrypting data, as well as creating and verifying digital signatures in messages. While this mechanism is being implemented in new cars, it’s not practical to retrofit it into existing vehicles due to time and cost constraints, leaving many cars on the road vulnerable to CAN injection attacks.
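As an added illustration of the "verify before trusting" idea above (not code from the article or from any manufacturer), the Python sketch below has a receiving control unit accept a CAN frame only if it carries a valid authentication tag and a fresh counter. It assumes a shared-key HMAC in place of the digital signatures the article mentions and a key held in software rather than in a hardware security module; the CAN ID, payload, key and tag length are constructed for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4  # truncated tag length in bytes (assumption for this sketch)


def compute_tag(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """MAC over the CAN ID, freshness counter and payload, truncated to TAG_LEN."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def build(self, can_id: int, data: bytes):
        self._counter += 1  # never reuse a counter value under the same key
        tag = compute_tag(self._key, can_id, self._counter, data)
        return (can_id, self._counter, data, tag)


class Receiver:
    def __init__(self, key: bytes):
        self._key, self._last_seen = key, {}

    def accept(self, frame) -> bool:
        can_id, counter, data, tag = frame
        expected = compute_tag(self._key, can_id, counter, data)
        if not hmac.compare_digest(expected, tag):
            return False  # no valid tag: the sender does not hold the key
        if counter <= self._last_seen.get(can_id, 0):
            return False  # stale counter: a recorded frame sent again
        self._last_seen[can_id] = counter
        return True


def demo():
    key = bytes(range(16))            # constructed key; a real one stays in the HSM
    can_id, release = 0x3A0, b"\x01"  # hypothetical ID and payload
    tx, rx = Sender(key), Receiver(key)
    genuine = tx.build(can_id, release)
    unauthenticated = (can_id, 2, release, bytes(TAG_LEN))  # device without the key
    return [rx.accept(genuine), rx.accept(unauthenticated),
            rx.accept(genuine), rx.accept(tx.build(can_id, release))]
```

The tag is checked before the counter so that a frame without a valid tag can never advance the receiver's freshness state.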
Infotainment System Vulnerabilities
Another potential vulnerability lies in the onboard computer system, or ‘infotainment system’. Attackers can exploit this system using ‘remote code execution’ to deliver malicious code to the vehicle’s computer, potentially affecting the vehicle’s functioning and even causing a crash. Vulnerabilities can be exploited through the vehicle’s internet browser, USB dongles, outdated software, and weak passwords. Therefore, it’s essential for drivers to understand basic security mechanisms to protect themselves from hacking attempts.
Balancing Benefits and Risks
The possibility of an epidemic of vehicle theft and insurance claims due to CAN attacks alone is a concerning prospect. There’s a need to strike a balance between the benefits of the IoV, such as safer driving and enhanced ability to recover stolen cars, and the potential risks associated with increased connectivity. As the automotive industry continues to evolve, it’s crucial that manufacturers and drivers alike remain vigilant about the security risks and work together to mitigate them.