Vehicles are everywhere in society; a person can't walk far without seeing one parked or being driven. Vehicles manufactured within the last decade, and those going forward, are and will continue to be connected. This connectivity may take the form of GPS to tell the driver where they are, radio, internet access, and other beneficial functions.
While this connectivity is clearly helpful for users, it has drawbacks: it adds attack surface. One such weakness, recently detected and exploited, was in the MyCar app. The work began when a security researcher bought a remote car starter for his girlfriend; while installing it, he began to think through the process and whether it was secure. The attack and exploitation were presented by Jmaxx at DEFCON 2019. The presentation, which the author attended, explored the issues in a technical yet graspable manner.
The app was created and is marketed by the Canadian company Automobility. The software is rebranded and sold under various other names, including MyCarKia, Visions MyCar, and Carlink. It lets the user interact with the vehicle at a distance, including starting the car remotely, which is especially useful when the user is in the office in the middle of January in the Midwest.
The exploit affected over 60,000 vehicles. One vulnerability is enough of a problem; the more vulnerabilities there are, the worse off the system is. The flaws found in MyCar could, among other things, allow an attacker to steal a vehicle. With the flaws exploited, an attacker could filter the affected vehicles by model, then locate, identify, unlock, and start a chosen vehicle, and trigger its alarm. The attacker could also access any user's data. The service was also open to SQL injection, giving access to, and the ability to send commands to, any affected user's vehicle. Confirming that the issue was real and not a matter of opinion, Automobility issued a statement to the effect that the company was addressing it.
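The two weaknesses named above, a SQL injection and the ability to reach any user's vehicle, can be illustrated with a small backend lookup. This is an added example, not Automobility's code or anything shown in the talk; the `vehicles` table, the user ids and the vehicle ids are constructed for it.

```python
import sqlite3

# Constructed sample data for the example: two users, each owning one vehicle.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vehicles (id INTEGER PRIMARY KEY, owner_id INTEGER, model TEXT)")
    db.executemany("INSERT INTO vehicles VALUES (?, ?, ?)",
                   [(1, 100, "Sedan A"), (2, 200, "SUV B")])
    return db

def lookup_vehicle_vulnerable(db, raw_vehicle_id):
    """Hypothetical 'before' pattern: the client-supplied id is pasted into the
    SQL text and nothing ties the vehicle to the caller's account.  Returns
    every matching row, so a malformed id can return other users' vehicles."""
    sql = f"SELECT id, owner_id, model FROM vehicles WHERE id = {raw_vehicle_id}"
    return db.execute(sql).fetchall()

def authorize_vehicle_command(db, session_user_id, raw_vehicle_id, command="start"):
    """Hardened form.  session_user_id comes from the authenticated session,
    never from the request body.  The id is parsed to an int before use, the
    query is parameterized, and ownership is part of the WHERE clause, so a
    vehicle that is not the caller's simply does not match.  Returns the
    command to dispatch, or None when the request must be refused."""
    try:
        vehicle_id = int(raw_vehicle_id)
    except (TypeError, ValueError):
        return None  # malformed id: reject before touching the database
    row = db.execute(
        "SELECT id, model FROM vehicles WHERE id = ? AND owner_id = ?",
        (vehicle_id, session_user_id),
    ).fetchone()
    if row is None:
        return None  # not found or not owned by this user: same answer either way
    return {"vehicle_id": row[0], "model": row[1], "command": command}

if __name__ == "__main__":
    db = make_db()
    # A classic malformed id: the vulnerable lookup returns both users' vehicles,
    # the hardened path refuses it.
    print(lookup_vehicle_vulnerable(db, "1 OR 1=1"))
    print(authorize_vehicle_command(db, 100, "1 OR 1=1"))
    print(authorize_vehicle_command(db, 100, "2"))  # user 100 does not own vehicle 2
    print(authorize_vehicle_command(db, 100, "1"))
```

The detection angle is the same on both paths: a command endpoint that returns rows whose owner_id differs from the session user, or that receives non-numeric vehicle ids, is worth an alert.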
The issue is not only the vulnerabilities themselves but what an attacker can do with them. For the affected vehicles, they give an attacker unauthorized access to start the vehicle, among other actions. This is a significant breach and could lead to life-threatening circumstances: if the vehicle were started in an enclosed area such as a garage, the result could be carbon monoxide poisoning for the occupants of the residence. Curiously, the researcher was able to collect 2,000 location points for the car over a 13-day period; previously it was unknown that the vehicle was collecting this much data.
Fortunately, the researcher notified the company so it could work on fixes. As of the presentation, the issues had largely been resolved.
About the Author - Charles Parker II has been working in the infosec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and infosec policies and procedures. Mr. Parker's background includes work in the banking, medical, automotive, and staffing industries.