Internet-connected cars are now becoming a reality and various international studies show that their market will continue to grow in the near future. But this emerging trend in the automotive industry can also become a new vehicle for cybercrimes, according to a leading developer of secure content and threat management solutions Kaspersky Lab.
Announcing the First Annual Connected Cars Study that seeks to provide an overview of the connected car market, Kaspersky Lab said motorists can no longer ignore safety concerns about the communications and Internet services included in the new generation of connected cars.
Kaspersky Lab said privacy, software updates and car-oriented mobile applications in Internet-connected cars are three areas where cybercriminals could potentially launch attacks.
“Connected cars can open the door to threats that have long existed in the PC and smartphone world,” said Vicente Diaz, the Principal Security Researcher at Kaspersky Lab who developed a proof of concept to analyze the safety implications of connecting these cars to the Internet.
“For example, the owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely. Privacy issues are crucial and today’s motorists need to be aware of new risks that simply never existed before,” Diaz explained.
Kaspersky Lab findings are somewhat timely for the Philippines. According to a study released by market intelligence company Transparency Market Research, Asia-Pacific will be the fastest growing region in terms of connected cars.
“If this business forecast comes true, then Asia-Pacific countries like the Philippines must brace for cyber attacks on Internet-connected cars,” said Jimmy Fong, Channel Sales Director of Kaspersky Lab SEA.
Kaspersky Lab’s proof of concept, which was based on analyzing BMW’s ConnectedDrive system, found several vulnerabilities to potential attacks:
Stolen Credentials
Information needed to access BMW’s website can be stolen by using familiar means like phishing, keyloggers or social engineering. These methods could result in unauthorized third-party access to user information and then to the vehicle itself. From here, it is possible to install a mobile app with the stolen credentials and enable remote services before opening up the car and driving it away.
Mobile Application
By activating mobile remote opening services on a phone, a new set of virtual keys for your car are created. This could give anyone who steals your phone instant access to your vehicle. With the stolen phone, it would be possible to change database applications and bypass PIN authentication, making it easy for a cyber-attacker to activate remote services.
Updates
Bluetooth drivers are updated by downloading a file from the BMW website and installing it from a USB. The downloaded file, which is not encrypted or signed, contains a lot of information about the internal systems running on the vehicle. This could give a potential attacker access to the targeted environment and could also be modified to run a malicious code.
Communications
Some functions communicate with the SIM inside the vehicle using SMS. Hence, breaking into this communication channel makes it possible to send “fake” instructions, depending on the operator’s level of encryption. In a worst-case scenario, a criminal could replace BMW’s communications with his/her own instructions and services.
Kaspersky Lab said it is essential to analyze these different vectors that could result in cyber-attacks, accidents or even fraudulent maintenance of the vehicle.
With its First Annual Connected Cars Study, Kaspersky Lab aims to bring some unity to the highly fragmented software ecosystem currently offered by car manufacturers.
The study was conducted by Kaspersky Lab in collaboration with IAB Spain, Applicantes and Motor.com.
