
Remote security dangers in automotive

Published on October 10th, 2019

Automotive vehicles have increased their technological repertoire over the years with the intention of remaining compliant with updated legislation or standards, in addition to a focus on increasing customer interaction and enjoyment of newer, more modern vehicles via the implementation of technologies such as Bluetooth, near-field communication (NFC), and Wi-Fi.

Such radio frequency (RF) technology adoptions are not without risk, as automotive vehicles historically were not built with cyber security considerations in mind, only functional and passenger safety, says Samantha Isabelle Beaumont, senior software security consultant at Synopsys.

In today’s modern era of cyber security concerns, with the rise of automotive standards such as SAE J3061 and vehicle vulnerabilities being published against numerous automotive industry giants, it is clear that there is a cyber security trend in relation to transportation and vehicular safety. To compromise one will impact the other.

When customers come across the term ‘automotive wireless,’ it is typically construed as the technology which only handles Wi-Fi hotspots in modern vehicles. Whilst such features are a potential breach point for attackers, there are a host of RF technologies which introduce the potential for vulnerabilities in automobiles. Here are some examples:

Tire pressure monitoring systems

Tire pressure monitoring systems (TPMS) are electronic systems designed to report real-time tire pressure information to the driver of the vehicle. TREAD Act and NHTSA legislation stipulates that all newly manufactured or imported US cars be fitted with TPMS, most of which use direct sensors that are either part of the valve stem or banded to the wheel.

These sensors transmit their own ID along with their pressure, temperature and other data to the vehicle’s electronic control unit (ECU). This legislation also defines the designated dash-mounted warnings for the driver to reduce traffic accidents occurring due to low pressure tires. Historically, attackers have reported vulnerabilities in TPMS which allow vehicles to be remotely hacked, tracked and altered – allowing attackers the ability to change the TPMS data on the fly.

Vehicle entry systems

Classic, yet modern key fobs use RF signals to remotely unlock and lock vehicles without the need for a physical key. ‘Rolljam’ is an example of a replay attack in which an attacker can steal the unlock signal from a genuine request by jamming two legitimate unlock commands. Here, the second unlock request replays the first. In an unprotected system, an attacker is able to re-use the legitimate unlock request, thus enabling them to unlock the car when the driver leaves.

Alternatively, passive key entry (PKE) smart keys allow a user to unlock and start their vehicle without the need to physically touch the car with their keys. Such systems are implemented in ways where vehicles are started by a smart key and will check for the smart key presence on ignition.

Whilst convenient, this also raises several security issues: relay attacks utilise inexpensive tools which can extend the reach of the key fob over a much greater distance, limited only by the timeout of the vehicle. This allows the attacker to open the car door and start the vehicle from a much larger distance than the designers intended.

Finally, original equipment manufacturers (OEMs) have developed proprietary mobile applications which are able to perform many features of a classic key fob. They also provide the added consumer benefit of being able to control their car ECU globally and even from the comfort of their own home. Such applications provide unique opportunities for attackers. They greatly increase the potential for extended remote vulnerabilities since these applications are typically able to send direct commands such as powering on and off a vehicle’s engine.

Reflection: Are there solutions available?

Despite these concerns, automotive is a robust industry. Attacks can and do have existing solutions, which are often implemented in newer-age vehicles or retrofitted onto older models. Here are several key examples of real-world recommendations and solutions addressing the most common and simplistic methods to deploy:

Replay attacks

Manufacturers can employ rolling codes, which are signal techniques that modify the information sent to the vehicle on every request. This allows each request to be unique, and thus valid for the car only once. Additionally, consumers are advised to lock, unlock and lock the car upon exiting a vehicle as a good habitual routine, naturally invalidating the attack path an attacker could use to exploit the vehicle.
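
As an added illustration (not code from the article or from any manufacturer), the sketch below shows the receiver-side check behind a rolling code: each frame carries a counter authenticated with a shared key, and the car accepts only counters ahead of the last one it accepted. The HMAC-based frame format, the key, the `WINDOW` size and all names are assumptions chosen for the example; production fob protocols differ.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how far the fob counter may run ahead of the car


def fob_code(key: bytes, counter: int) -> bytes:
    """Fob side: 4-byte counter followed by a truncated HMAC over that counter."""
    msg = counter.to_bytes(4, "big")
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Receiver:
    """Vehicle side: remembers the highest counter accepted so far."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, fob_code(self.key, counter)):
            return False  # forged or corrupted frame
        if not (self.last < counter <= self.last + WINDOW):
            return False  # replayed, stale, or too far ahead
        self.last = counter  # every older code is now invalid
        return True


def demo() -> dict:
    key = bytes(range(16))       # constructed demo key
    car = Receiver(key)
    captured = fob_code(key, 1)  # pressed, but never reached the car
    second = fob_code(key, 2)
    third = fob_code(key, 3)
    tampered = bytearray(fob_code(key, 4))
    tampered[-1] ^= 0x01         # flip one bit of the authentication tag
    return {
        "second_accepted": car.accept(second),
        "second_replayed": car.accept(second),
        "third_accepted": car.accept(third),
        "captured_after_later_use": car.accept(captured),
        "tampered": car.accept(bytes(tampered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `captured_after_later_use` case is the habit described above: once the car has accepted a later code, an earlier code that never reached it is rejected as stale.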

Relay attacks

Designers can decrease the expected allowed response time for valid signals and increase the sensitivity of the in-vehicle receiver responsible for handling incoming door signals. It’s important, however, to note that jamming is not a simplistic concept. In addition, return acknowledgements can be utilised to ensure the original signal sent to unlock had been received successfully before a new one is processed. On the other hand, customers can easily store their sensitive keys within an inexpensive yet fashionable RF blocking containment unit whenever possible.

Mobile applications

Developers can deploy a system disallowing the installation of their secure applications on rooted or jailbroken phones as such devices are often used by attackers to bypass security mechanisms in place on mobile applications natively. Certificate pinning, application binary signing, and code obfuscation are further methods which can protect the application secrets and make it more difficult for an attacker to use the mobile application as a remote entry point to the vehicle. Supplementary solutions include implementing physical presence checks and refraining from deploying custom encryption implementations without verifying the cryptography via an established and extensive public review.

Whilst there are numerous actions that individual vehicle owners can take to ensure their vehicles remain as secure as possible under their control, the real security responsibility lies primarily with manufacturers. Implementing the activities noted above is simply a starting point, and one which many within the industry are already undertaking. Whilst the road ahead holds an evolving attack surface and threat landscape, the automotive industry is aggressively standing up to attackers.

The author is Samantha Isabelle Beaumont, senior software security consultant, Synopsys