Connected Cars Exposed: Half Have Potentially Serious Flaws

Connected Cars Exposed: Half Have Potentially Serious Flaws

Connected car manufacturers have been urged to fundamentally improve the design of their vehicles after major new research revealed flaws across virtually every single component or device tested – at least half of which could be exploited with potentially serious consequences.

Researchers at IOActive spent over 16,000 man hours and three years compiling their latest report, Commonalities in Vehicle Vulnerabilities.

While no specific makes and models of car are mentioned, report author Corey Thuen confirmed to Infosecurity that his team evaluated a multitude of components from tier 1 and tier 2 suppliers which end up in a variety of OEM-end vehicles.

As such, the report “touches a majority of the vehicle market,” he claimed.

Every system tested had at least one vulnerability and failed to follow industry best practice in some way.

More worryingly, half of those discovered bugs were rated critical (25%) or high (25%) impact, meaning they could lead to “complete or partial loss of control over the system,” the report found.

In these cases, it’s due to attackers being able to access the Controller Area Network (CANBus), or compromise or disable electronic control units (ECUs).

However, while “loss of control” could result in hackers being able to remotely steer the car or hit the brakes – as per Miller and Valasek’s research on a Jeep Cherokee last year, and this week – it could also mean winding down the electric windows, depending on the software flaw, said Thuen.

Another caveat to the 50% figure is that attackers first need to access the vulnerability to exploit it, which isn’t always easy.

Those that can be exploited via cellular network (16%) pose potentially the greatest risk as they require the least effort.

“The automotive market is behind on incorporating security industry best practices. All vehicles have the same kinds of vulnerabilities. For example, virtually every single component or device we tested had some kind of developer backdoor enabled,” said Thuen.

“Putting connected cars on the internet without rigorous security testing is a bad idea.”

The good news is that 77% of the critical impact bugs discovered could be remediated with very little effort.

However, the remainder stem from “design-level” issues which are “extremely difficult, if not impossible” to fix after the design phase – meaning many car manufacturers will have to go back to the drawing board to make lasting improvements.

Source: Information Security Magazine