By Shin Li (Staff Threat Researcher, Automotive) and Omar Yang (Senior Threat Researcher, Automotive)
In the first installment of our two-part blog series, we discuss the security flaws in electric vehicle (EV) chargers highlighted by researchers from Trend Micro’s Zero Day Initiative (ZDI) program, VicOne’s co-host for the first-ever Pwn2Own Automotive. Their two demos, one involving firmware extraction and the other privilege escalation, give us a glimpse of the kind of work that participants will showcase at Pwn2Own Automotive.
In this blog entry, the second half of the series, we look at how security gaps in technologies used in connected vehicles can translate to real-world attack scenarios. In doing so, we seek to demonstrate the kind of situations that vulnerability discovery and cyberthreat research help to avoid.
The API attack surface
In this new era of mobility, vehicles have become more reliant on data, connectivity, and other technologies. For instance, it has become almost commonplace for vehicles, just like mobile phones, to carry SIM cards, either physical or virtual, enabling them to interact with other vehicles and systems.
An example of a scenario that uses connectivity is a car owner sending a command to their car to honk its horn. The command is transmitted from the owner’s mobile phone to the nearest cell site and then to the manufacturer’s back-end server, before being relayed to the vehicle’s telematics control unit, which directs the command to the component that controls the car horn. The command travels through so many points in almost an instant.
From a security standpoint, we always have to examine where things could go wrong and how an attacker could compromise this flow of information, whether by some vulnerability or a cyberattack.
An API attack scenario
In this demonstration, our goal is to show what attackers can do with compromised account credentials. We have obtained the credentials for an account tied to a vehicle that is halfway across the world. We simulate a remote attack from a compromised account that highlights how distance would not matter in such a scenario, as summarized in Figure 1.
Figure 1. The attack chain in our API attack scenario
Credentials can be compromised through phishing techniques or cyberattacks such as ransomware. For a fleet of vehicles, they are often managed as general assets despite their high financial value and the privacy risks they present.
Since we have the credentials of our target vehicle, we want to see what kind of requests we can do using the vehicle’s APIs (application programming interfaces). Through our research, we have found several significant commands that we can try. In Figure 2, we can see that some of the commands include fetching the status of the vehicle’s doors and starting the vehicle remotely.
Figure 2. Example categories of API requests
Thankfully, most of the tests similar to what we have done are performed under controlled conditions. But should these security gaps remain unaddressed and users remain unaware of the risks, the scenarios could very well transpire on the road.
The goal of vulnerability discovery and cybersecurity research
News of data breaches, system compromise, and vulnerabilities in the automotive industry should raise the urgency of a stronger cybersecurity stance. Having a head start against threats while they remain hypothetical scenarios necessitates stronger threat intelligence and research.
As highlighted in the first half of this series, putting security first has never been more important in the automotive industry than it is today. The flaws demonstrated by the ZDI could be avoided through the implementation of simple security measures. This attack scenario likewise emphasizes some security practices that can help reduce the risk of similar attacks, such as:
- Better authorization. Automotive manufacturers (OEMs) should implement stronger security measures so that when certain information is leaked, such as the vehicle identification number (VIN), it cannot be used to make valid API calls.
- Better authentication. Implementing measures such as multifactor authentication (MFA) can add a layer of protection that can make it harder for malicious actors to make API calls.
- Better logging and monitoring. All API calls need to be logged, so that if API calls are made far from a car’s location, the OEM can alert the owner accordingly.
In this demonstration, we show how unaddressed security flaws and lax security measures are land mines scattered across the expanding automotive ecosystem. The goal of vulnerability discovery in particular and cybersecurity research in general is to uncover and address these issues before they inspire real-world cyberattacks.
VicOne will demonstrate this remote API attack scenario in the inaugural edition of Pwn2Own Automotive, happening from Jan. 24 to 26, 2024, at Automotive World in Tokyo Big Sight, Japan.
Watch the video below for a wider discussion of risks associated with connected cars and a demonstration of this remote API attack scenario.