Vehicle Hacking: Beyond Proof of Concept & Applied!
In the overall scheme of things, vehicle hacking is a relatively new area of research, and its timeline follows the advances in computer technology. Once it became known that vehicles contained technology that could be hacked, the floodgates opened for security personnel and hackers alike to research and experiment with what could be exploited on vehicles.
The first significant manifestation was the infamous Jeep hack by Charlie Miller and Chris Valasek (Weise, 2016). It was widely publicized and was a sensation on YouTube. They were able to stop a car and disable its brakes when the vehicle was moving under 5 mph. After further research and effort, the two were able to take control of the steering and brakes while the vehicle was driving at up to 30 mph. Both of these attacks can create a bit of chaos for the driver whenever the attackers want.
Since the initial published attack, the field has garnered much more attention from academics, researchers looking for topics, law enforcement, and others. The focus has been on all aspects of the vehicle, including but not limited to the tire pressure monitoring system (TPMS), key fobs, and communication to and from the vehicle.
Application
As vehicle security research has been published in peer-reviewed journals, newspapers, magazines, television, and YouTube, a portion of the audience does not have the most altruistic intentions. Case in point: two men were arrested in Houston for stealing over 100 cars (Associated Press, 2016; Krisher, 2016). This was not part of a movie script but the work of a criminal venture. The two criminals used only a laptop, a blank key fob, and software to commit the crime (Goudie, 2016).
The two were able to reprogram the vehicle’s security system with these simple tools. They had acquired a database of access codes used to program the key fobs for certain FCA vehicles. These are not generic codes used for all lines of business or vehicles. The codes are unique, and they are used to program the fob for each vehicle (Graczyk & Krisher, 2016).
For the specific attack, they gained access to the vehicle’s engine compartment and cut the wires to the alarm system. From this point they programmed a fob for the vehicle using the VIN and code from the database. The entirety of the attack took six minutes (VOA News, 2016). The two deviants would then steal the car with ease.
This attack is possible solely because the computers in the vehicle are more advanced and more connected. These computers improve the user experience, which is a benefit. They are also used as a marketing tool, as they have become expected in vehicles. As important as these features are, the implementation of security is just as important.
Target
There are under a dozen significant vehicle manufacturers across the globe. Among them, there have been hundreds of distinct models to choose from over the last decade. The thieves chose the new Jeep and Dodge vehicles (VOA News, 2016; Krisher, 2016). These were chosen for two reasons. The database that was acquired was for these vehicles. These vehicles also tend to sell for higher prices in Mexico, which is where they were going to be sold after the theft (Krisher, 2016).
Future
The increased use of computers and their connectivity has certainly provided a new avenue for stealing vehicles. This incident is not the first, and certainly won’t be the last, set of thefts using the technology connected to the vehicle. The technology has increased the number of known and yet-to-be-known points and vulnerabilities to attack. These can be translated into theft opportunities. For this attack, the criminals needed very few items. The thefts were carried out in the middle of the night. By the time the owners awoke for another productive day in society, their vehicles were long gone to another country and in the process of being sold.
Defenses
All is not lost. There are actions that can be taken to better secure vehicles. The manufacturers need to provide better defensive measures. At present there are, and continue to be, several vulnerabilities in the vehicles. To combat this, there cannot be a single point of defense; there needs to be defense in depth (VOA News, 2016). The manufacturers have to make it much more difficult to breach the vehicle. Industry best practices need to be applied to the vehicle’s defenses. The vehicle should be kept safe much like any network.
Without this, the issues will continue and will grow in frequency and intensity. We can’t afford to wait for a more serious or more dangerous situation to arise and then react to that. No one wants to be the victim. We need to work towards a better solution.
Remediation
FCA has taken this latest security breach very seriously. Although the codes are in the wild, FCA is working to limit people’s motivation to obtain the database. FCA is threatening criminal and civil action against anyone providing the codes for the key fobs, the codes applicable to the radios, and other anti-theft measures to non-authorized parties (Vellequette, 2016). This is also clearly noted and published in FCA’s amended terms of use. FCA had to address this issue directly. With these codes, a person is able to unlock the vehicle doors, which allows the person to steal the vehicle. Until a more secure solution is made available, this may be the best course of action.
References
Associated Press. (2016, August 7). Cops: Laptops used to reprogram, steal 100 cars. Retrieved from http://www.newsday.com/classifieds/cars/jeep-dodge-cars-stolen-after-laptop-reprogrammed-vehicles-security-system-cops-say-1.12143366
E-Hacking News. (2016, August 5). Hackers stole more than 30 jeeps. Retrieved from http://www.ehackingnews.com/2016/08/hackers-stole-more-than-30-jeeps.html
Goudie, C. (2016, August 4). Computer carjacking risk becomes reality. Retrieved from http://abc7chicago.com/news/computer-carjacking-risk-becomes-reality/1457581/
Graczyk, M., & Krisher, T. (2016, August 5). Hackers reprogram cars to accept wrong keys, police say. Retrieved from http://www.heraldonline.com/news/nation-world/national/article94022252.html
Krisher, A.T. (2016, August 7). Suspected car thieves reset vehicle’s security systems. Retrieved from http://www.pressherald.com/2016/08/05/police-texas-car-theft-suspects-reset-vehicle-security-systems/
Vellequette, L.P. (2016, August 27). FCA moves to lock down security codes. Retrieved from http://www.autonews.com/article/20160827/OEM/308299963/fca-moves-to-lock-down-security-codes
VOA News. (2016, August 7). Hackers use computer to steal cars. Retrieved from http://www.voanews.com/content/us-car-thefts/3454284.html
Weise, E. (2016, August 4). Car hackers say they’ve hijacked jeep brakes. Retrieved from http://www.usatoday.com/story/tech/news/2016/08/04/car-jackers-say-theyve-hijacked-jeep-brakes-88180342
About the authors
Charles Parker II has been working in the info sec field for over a decade, in the banking, medical, automotive, and staffing industries. Charles has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.
Jeremy Jones is a security engineer at Ciena Healthcare. Jeremy possesses a Bachelor's in Cybersecurity and uses his knowledge and expertise to improve the security at his current position.