Connected Cars: How One Vulnerability Can Turn Cybercriminals into Backseat Drivers

By Gary Davis on Aug 04, 2017

Whether it’s turning the music up a little or turning down the AC, when you’re in your own car, you’re the driver in all senses of the word. Well, usually. Now, with the recent boom in connected cars, cybercriminals may soon be backseat drivers, only they’re not executing commands from the back row. Because of this recent explosion of connected cars, and vulnerabilities within those cars that have yet to be addressed, they have the capability to remotely track you as you drive, or even take control of the settings.

Our Advanced Threat Research (ATR) team addressed these vulnerabilities in preparation for this year’s DEFCON, a cybersecurity conference held annually in Las Vegas that brings together the best and the brightest to poke and prod new technologies and to discover and document vulnerabilities. Vulnerabilities in connected cars are a particularly severe issue, especially as internet-connected and semi-autonomous vehicles become commonplace.

The first vulnerability explored, which our team disclosed before DEFCON, allowed a test ransomware attack. The simulated ransomware attack didn’t disable the car; instead, it made being around the car a chore by playing a popular ’80s song at full volume until the target paid the ransom.

Another newly discovered (and fixed) vulnerability found by our research team allowed them to make their way into the car’s navigation system. There, they were able to find the web address the car used to check in with its manufacturer for navigation. As it so happens, the manufacturer no longer owned the domain, which enabled our team to set up a honeypot site for any car that wanted to check into the manufacturer’s site. Our ATR team was surprised to see a number of cars check in. Not only that, but a number of vehicles gave their geographic location, their current navigation destinations, the GPS coordinates of waypoints and even the names of those waypoints.
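For manufacturers, the lapsed check-in domain described above is something a routine audit can catch. The following is an added example, not code from McAfee or any manufacturer: it compares endpoint hostnames found in firmware strings against a registrar inventory. The function names, config keys, hostnames and dates are all constructed for illustration.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed sample: endpoint strings as they might appear in a head-unit config.
FIRMWARE_STRINGS = """
nav.checkin_url=http://telematics.oldmaps.example/checkin
nav.tiles_url=https://tiles.carmaker.example/v2/
update.url=https://ota.carmaker.example/manifest.json
traffic.url=http://feeds.partner-traffic.example/rt
"""

# Constructed sample: domains in the manufacturer's registrar account, with expiry dates.
DOMAIN_INVENTORY = {
    "carmaker.example": date(2030, 1, 15),
    "oldmaps.example": date(2016, 11, 2),  # registration was allowed to lapse
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def owning_domain(host, inventory):
    """Longest inventory domain that equals the host or is a parent of it."""
    matches = [d for d in inventory if host == d or host.endswith("." + d)]
    return max(matches, key=len) if matches else None

def audit_endpoints(text, inventory, today, warn_days=90):
    """Return {hostname: status} for every URL host found in text."""
    findings = {}
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            continue
        domain = owning_domain(host, inventory)
        if domain is None:
            status = "UNOWNED"    # not in the inventory; ownership must be confirmed
        elif inventory[domain] < today:
            status = "EXPIRED"    # lapsed; a third party may now control it
        elif inventory[domain] - today <= timedelta(days=warn_days):
            status = "EXPIRING"   # renew before shipped vehicles are left pointing at it
        else:
            status = "OK"
        findings[host] = status
    return findings

if __name__ == "__main__":
    report = audit_endpoints(FIRMWARE_STRINGS, DOMAIN_INVENTORY, date(2017, 8, 4))
    for host, status in report.items():
        print(f"{status:9} {host}")
```

Any host reported as EXPIRED or UNOWNED is one that fielded vehicles may still contact, so it needs an owner and a renewal policy for as long as that firmware is on the road.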

That’s not all. Our team was also able to execute code through the S-Gold 2 (PMB 8876) cellular baseband chipset — a device used in a car to communicate with either the internet or a manufacturer’s intranet (an intranet being, essentially, a private internet). Obviously, our ATR team notified the relevant manufacturers of these issues, and a fix has been issued.

All of these vulnerabilities may sound concerning, but their public disclosure is actually good. Since we notified Nissan and BMW of the S-Gold 2 vulnerability, we have been told that a free fix has been issued to their dealers, which is available now to all affected customers in the U.S. and Canada. It’s important that both manufacturers and their drivers become aware of these issues and take the necessary steps to keep their vehicles secure. To help keep your vehicle safe as a driver, follow these security tips:

  • Do your research before you buy. Conduct a quick scan online to see if any security issues have been reported with a car and its technology. That way, when looking to purchase your next car, you’ll be educated on the issues and buy with security in mind.
  • Check online notices. When made aware of vulnerabilities, manufacturers will notify the public, as well as make them aware of incoming fixes. Therefore, scan technical service bulletins or notices on a company site so that if a vulnerability does pop up with your existing car, you can learn what to do to help your vehicle stay secure.

And, of course, stay on top of the latest consumer security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

About the Author

Gary Davis

Gary Davis was previously McAfee's Consumer Security Evangelist providing security education and advice to businesses and consumers. He is a sought-after speaker on trends in digital security, appearing at conferences and events, as well as security and consumer lifestyle broadcast outlets and publications such as ABC, NBC, FOX, the Wall Street Journal, USA Today, Money ...
