July 7, 2014
Kaspersky Lab and IAB Spain, the association representing the advertising, marketing and digital communication sector in Spain, announce the launch of the First Connected Car Study, a pioneering research project and the first of its kind worldwide.
The main objective of this study is to offer a perspective on the state of the connected car market, bringing together all the available information, answering frequently asked questions and understanding the high fragmentation that exists among manufacturers. Vicente Díaz, senior malware analyst at Kaspersky Lab, analyzed the security of these Internet-connected cars through a proof of concept.
In a connected car, you cannot ignore the security issues in the communications and Internet-derived services that are built into the new generation of “connected” cars. We are no longer talking about parking assistance, but about access to social networks, email, smartphone connectivity, route calculation, applications that run in the car, and so on. The inclusion of these technologies brings a series of advantages, but also new risks that the user has not had to face until now. For this reason, it is necessary to analyze the different vectors that could lead to an attack or fraud, or even an incident in the operation of the vehicle.
Privacy, updates and the smartphone apps for these cars are the three attack points that cybercriminals can focus on to carry out their attacks successfully. “Connected cars open the door to threats that already existed in the world of PCs and smartphones, but adapted to this new environment. In addition, the data privacy problem also reaches the automobile segment with giants like Google, which have already colonized some of the models in the report with their search technology. The risks that the users of these connected cars can suffer range from the theft of passwords, opening doors, access to remote services, locating the car and even the physical control of the vehicle,” Díaz points out.
The proof of concept carried out by Kaspersky Lab, based on the analysis of the BMW ConnectedDrive system in particular, has found different potential attack vectors:
– Theft of credentials: The theft of a user's credentials for the BMW portal, whether through phishing, keyloggers or social engineering, would allow a third party to access user and vehicle information. From there, the mobile application could be installed with those same credentials, which, if remote services were activated, could enable the opening of doors, for example.
– Mobile app: When the remote opening services are activated, the phone becomes the keys. If the application is not well secured, it could be an attack vector in the event of the phone being stolen. In this case, it appears possible to modify the application database to bypass PIN authentication, so an attacker could skip it and activate remote services.
– Updates: The Bluetooth driver update process consists of downloading a file from the BMW website and later installing it in the car via USB. This file is neither encrypted nor signed, and a great deal of internal information about the system running on the vehicle can be found inside it. This would give a potential attacker with physical access knowledge of the environment being attacked. It also appears that the update could be modified to run malicious code.
– Communications: Some functions communicate with the vehicle's internal SIM via SMS messages. Depending on the operator's encryption, these messages can be decrypted and sent while posing as another sender. In the worst case, BMW itself could be impersonated in the communication of certain services.
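As an added illustration (not code from the study, from Kaspersky Lab or from BMW), this is the kind of check an in-vehicle updater could run so that an unsigned or modified update file delivered over USB, like the one described above, is refused before installation. The Ed25519 key pair, the UpdatePackage layout and the payload bytes are constructed assumptions; signing addresses tampering only, and keeping internal details confidential would still require encrypting the file separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update bundle: the image the vehicle would
// install plus a detached signature over the whole payload.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate models the vendor's build step. The private key stays with the
// vendor; the vehicle only ever holds the matching public key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the gate the head unit must pass before installing anything
// from removable media: it rejects missing, malformed and non-matching
// signatures, so a payload edited after download cannot be installed.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: missing or malformed signature")
	}
	if !ed25519.Verify(pub, pkg.Payload, pkg.Signature) {
		return errors.New("update rejected: signature does not match payload")
	}
	return nil
}

func main() {
	// Constructed key pair and payload standing in for the vendor's real ones.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := SignUpdate(priv, []byte("constructed bluetooth driver image v1.2"))
	fmt.Println("genuine update:", VerifyUpdate(pub, pkg))  // <nil>
	pkg.Payload[0] ^= 0xff                                  // simulate tampering on the USB stick
	fmt.Println("tampered update:", VerifyUpdate(pub, pkg)) // signature does not match payload
}
```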
The study also includes an analysis of the online connectivity and apps of the main car manufacturers in Spain. Likewise, the business model and future trends in connectivity platforms on the market are broken down. After analyzing 21 different vehicle models, the main conclusions of the report are:
- High fragmentation: of operating systems, connection modes and apps.
- Free services for a limited time: Many manufacturers offer a free subscription for a certain time.
- The coverage problem: many of the online services need 3G coverage to function normally.
- Data consumption: this consumption may force the user to contract an additional fee.
- Voice assistants: most models include one, as it is one of the safest ways to control the connectivity features offered by manufacturers.
The study was prepared by IAB Spain together with Applicantes, Periodismo del Motor.com, and Kaspersky Lab.