Half of vehicle cyber vulnerabilities could give hackers control, study shows

Half of vehicle vulnerabilities could allow cyber attackers to take control of a vehicle and 71% are easy to exploit, according to a three-year study by IOActive

Half of the cyber vulnerabilities found in vehicles from leading manufacturers could give attackers full or partial control of a targeted vehicle, a study has revealed.

Almost three-quarters of the vulnerabilities could be exploited without much difficulty or are almost certain to be exploited, according to research by cyber security firm IOActive.

The research is based on real-world security assessments and three years’ worth of data and active vulnerabilities, detailed in a whitepaper entitled Commonalities in Vehicle Vulnerabilities.

The whitepaper includes analysis of the general cyber security issues facing connected vehicles, which form a subset of the internet of things (IoT), and of potential solutions to them.

The paper also provides metadata analysis of real-world private vehicle security assessments, conducted by IOActive’s Vehicle Cybersecurity Division since 2013.

According to IOActive, the whitepaper combines insights gleaned from 16,000 man hours of combined research and services, as well as other publicly available research.

One of the key findings of the report is that 50% of the vulnerabilities uncovered would be considered either “critical”, because they would draw media attention and have a severe effect on the vehicle, or “high impact”, because of their effect on the vehicle and because they could be a regulatory violation.

The “high impact” finding would also result in a compromise of components, communications or data that causes complete or partial loss of control over the vehicle.

Some 71% of the vulnerabilities uncovered were categorised as “medium” or above in terms of the likelihood of exploitation.

At best, this means that an attacker could exploit the vulnerability without much difficulty. At worst, the vulnerability is almost certain to be exploited, and knowledge of the vulnerability and its exploitation is in the public domain.

By combining the impact and likelihood, the paper said 22% of vulnerabilities sit in the “critical” camp, which means they are easy to discover and exploit, and can have a major effect on the vehicle.

The research revealed that 27% of vulnerabilities can be used to gain access to the controller area network (CAN bus), and if a hacker can achieve that, they can control the vehicle.

A further 8% could provide control over the engine control unit (ECU) or disable the ECU (1%), which would allow the hacker to control everything, including all normal functionality, as well as potentially allowing them to add functionality.

Some 55% of vulnerabilities are related to the network, which includes all network traffic, such as Ethernet, web and mobile/cellular.

Attackers are most likely to focus their efforts on the points where data enters the vehicle, such as cellular radio, Bluetooth, vehicle-to-vehicle (V2V) radio, on-board diagnostics equipment, Wi-Fi, infotainment media, Zigbee radio and companion apps, the research revealed.

Engineering issues and design flaws

Engineering problems, the report said, are the root cause of three of the top eight vulnerabilities, and they are also the most difficult to remediate.

In some cases, the report said, vulnerabilities stemming from design-level issues are impossible to fix, as the system is “insecure by design”.

The report also found that problems with deployment mechanisms, process and testing cause a number of vulnerabilities, such as back doors, information disclosure, hardcoded credentials and vulnerability dependency.

Fortunately, some of these can be easier to remediate and the majority of critical impact vulnerabilities can be remediated with simple fixes, the report said, such as patching code to remove a buffer overflow.

“The days when a rogue street urchin wielding a coat hanger was the main threat to vehicle security are long gone,” said Corey Thuen, senior security consultant at IOActive and author of the whitepaper.

“As the report shows, we have uncovered a number of ‘hair-on-fire’ vulnerabilities that could easily be exploited at any moment. Manufacturers really need to wake up to the risks they face in the connected world,” he said.

The majority of cyber security vulnerabilities are not solvable using bolt-on systems, said Thuen. Solving them instead relies on sound engineering, software development practices and cyber security best practices.

“The most effective cyber security work occurs during the planning, design and early implementation phases of the products, with the difficulty and cost of remediation increasing in correlation with product age and complexity,” he said.

Thuen warned that failing to address security at the early development stages could be very costly in the long run, leading to loss of consumer confidence or even product recalls, which some vehicle manufacturers would find difficult to recover from.