Jakub Jirsk - Fotolia
As the number of electronic systems in cars has increased, they have become more vulnerable to cyber attack, according to Stephan Gerhager, chief information security officer at Allianz Germany.
“I started a research project into these vulnerabilities because, as insurers, we wanted to understand how vehicles are protected from criminals,” he told the European Identity & Cloud Conference 2017 in Munich.
As a result of the research project that was inspired by the highly publicised remote hacking of a Jeep Cherokee by security researchers Charlie Miller and Chris Valasek in 2015, Allianz is working with car manufacturers to improve the security of vehicles’ electronic systems.
Modern vehicles typically have 100 or more electronic control units (ECUs) interacting with each other for the functioning of sensitive systems such as braking and other safety features.
But rarely do these systems have any form of identity management, authentication or encryption, the research has revealed.
“The challenge for auto makers is to bring all these things together on a layer above the base layer [which is optimised for speed], but there is still a lot of work to be done in this regard” said Gerhager.
By accessing the Can bus, attackers are able to send commands to the various other systems that sit on the Can bus, which is one of the main ways car systems communicate with each other.
Just by overriding one of the car’s sensors or inserting a fake sensor, Gerhager said attackers are able to get around safety systems to operate the brakes and steering systems at speed.
Read more about car cyber security
“Anyone who is on the Can bus can talk to anybody else on the bus because there are no authentication mechanisms to help confirm the source of any command or signal, and it also means that it is easy to carry out denial of service [DoS] attacks on those bus systems by blocking all communications.
Another challenge to cyber security for vehicles is the fact that some of the software used nowadays runs into billions of lines of code, Gerhager said, which means there bound to be flaws that can be exploited.
“But unlike popular business applications, there is no regular and automatic software security updates,” he said.
Gerhager’s researchers were able to build an inexpensive electronic device to connect to the car to “sniff” internal commands using the open source Wireshark packet analyser software. Once commands have been captured, they can be replayed to issue commands to the car’s various systems.
Allianz has worked with the German police on investigations into car theft gangs that used dongles that plug into cars to put some cars into “repair mode”, which enabled them to pair the car with a new key.
The researchers have also advised some car makers to remove detailed repair guides from the internet because they were able to use these documents to breach the cars’ internal communication systems.
Remote access to modern cars through Bluetooth is also a potential route into the car’s systems, said Gerhager, as are the wireless communications used to lock and unlock car doors.
“Attackers can either jam signals to trick car owners into thinking they have locked the car door or where signal sequences are repeated in quick succession, only the first signal is allowed to go through while the subsequent ones are jammed and recorded for later use,” he said.
The researchers have also been able to capture wireless key signals which enabled them not only to access the vehicles, but start the engines and drive away as no physical key was required.
Gerhager believes that to solve these and other common security issues, the basic infrastructure of all modern cars will have to be updated and changed. “But this will take years, and that is why we really have an issue at the moment,” he said.
However, he said some manufacturers such as Tesla are ahead of others because they have developed their own IT system, made some provision for security updates, use a closed system with no third-party software, and they allow for over-the-air software updates.
On a positive note, he said all the big car makers are aware of the most common vulnerabilities and have begun looking at ways of separating user functions from the internal car functions.