In the automotive industry there is talk of the "Internet of Vehicles" (IoV), a network that can help vehicles identify road blocks, traffic jams and pedestrians. She can help with the location of the vehicle on the road
By Rachel Medhurst, Head of Course and Senior Lecturer in Cyber Security, NCSA, University of South Wales
There is a lot of talk in the automotive industry about the "Internet of Vehicles" (IoV). The term describes a network of cars and other vehicles that can exchange data over the Internet in an attempt to make transportation more autonomous, safer and more efficient.
IoV can help vehicles detect roadblocks, traffic jams and pedestrians. It can help with vehicle positioning on the road, potentially allowing them to be driverless, and providing easier fault diagnoses. This is already happening to some extent with smart roads, where technology is used to manage highway traffic in the most efficient manner.
A more sophisticated IoV will require more sensors, software and other technology to be installed in the vehicles and surrounding road infrastructure. Cars already contain more electronic systems than ever before, from cameras and cell phone connections to multimedia systems.
However, some of these systems may also make our vehicles vulnerable to theft and malicious attack by criminals who identify and exploit security holes in this new technology. In fact, it is already happening.
Smart keys are supposed to protect modern vehicles from theft. Pressing a button on the key disables the immobilizer (an electronic device that prevents the vehicle from starting without a key), which allows the vehicle to be driven.
But a well-known way around this requires a manual relay tool that tricks the vehicle into thinking the smart key is closer than it really is.
For this, two people are needed who work together, one standing next to the vehicle and the other close to where the key is actually located, such as outside the owner's house. The person next to the house uses a tool that can receive the signal from the key and then transmit it to the car.
Relay equipment to carry out this type of theft can be found online for less than £100 (about NIS 450), with the attempts often being made at night. To protect against them, you can put car keys in bags or Faraday cages that block any signal emitted from the keys.
However, there is a more advanced method of attacking vehicles and its use is increasing or increasing. It is known as the "CAN (Controller Area Network) attack", and works by creating a direct connection to the vehicle's internal communication system, the CAN channel.
The main path to the CAN channel is under the car, so criminals try to access it through the lights on the front of the car. To do this, the fender must be pulled so that CAN can be inserted into the engine system.
Then the thieves can send fake messages that trick the vehicle into thinking they are the smart key and disable the immobilization. Once they have gained access to the vehicle, they can start the engine and drive the vehicle.
Zero trust approach
Due to the possibility of a potential epidemic in car theft, manufacturers are trying to find new ways to overcome this latest breach as quickly as possible.
One strategy involves not trusting any messages the vehicle receives, known as the "zero trust approach". Instead, these messages must be sent to receive verification from the vehicle owner. One way to do this is by installing a hardware security module in the vehicle, which works by generating cryptographic keys that enable data encryption and decryption, creating and verifying digital signatures in messages.
This mechanism is gradually being implemented by the automotive industry in new cars. However, it is impractical to integrate it into existing vehicles due to time and cost, so many of the cars on the road remain vulnerable to the CAN insertion attack.
Attacks on a multimedia system
Another security consideration for modern vehicles is the built-in computer system, also known as a "multimedia system". Defending against the potential harm of this system is often neglected, even though it can have catastrophic consequences for the driver.
One example is the ability for attackers to use "remote code execution" to deliver malicious code to a vehicle's computer system. In one case reported in the US, the multimedia system was used as an entry point for the attackers, through which they could plant their own code. They then sent commands to the cars' physical components, such as the engine and wheels.
Obviously, such an attack has the potential to affect the vehicle's performance. It could cause an accident - it's not just a matter of protecting the personal data included in the multimedia system. Attacks of this type can take advantage of many security holes such as the vehicle's web browser, USB dongles connected to it, software that needs to be updated to protect against known attacks and weak passwords.
Therefore, all vehicle drivers with a multimedia system should thoroughly understand basic security mechanisms that can protect them from hacking attempts.
The possibility of an epidemic of car thefts and insurance claims due to CAN attacks alone is troubling. There must be a balance between the benefits of internet in vehicles, such as safer driving and an improved ability to recover cars after they have been stolen, with these potential risks.
More on the subject on the science website: