August saw the release and exhibition of several studies testing the security of different connected vehicle components. The simulated attacks targeted remote keyless entry (RKE), connected car apps (through remote exploitation), and the biometric systems used by connected vehicles. These are all systems that are meant to secure vehicles and improve user convenience.
RollBack: A new attack on the RKE
Cybersecurity researchers Levente Csikor, Hoon Wei Lim, Jun Wen Wong, Soundarya Ramesh, Rohini Poolat Parameswarath, and Chan Mun Choon showed how the automotive remote keyless entry system could be susceptible to another form of replay attack, called RollBack. Compared to RollJam, a method that involves jamming, capturing, and replaying signals, RollBack does not require signal jamming and only needs to capture signals once. This means that it could be exploited at any time and as often as needed by a potential attacker.
Their ongoing research on vehicle makes, models, and RKE manufacturers (limited to Asian vehicle manufacturers) shows that around 70% of the systems they studied were vulnerable to RollBack. Since three RKE transceivers of the four manufacturers they studied were vulnerable to the attack, they believe it likely that the true impact of this vulnerability could be bigger worldwide.
Hacking biometrics systems in vehicles
In the same vein, another system aimed at boosting security and convenience in connected vehicles was found to carry several flaws, as detailed by researchers Huajiang "Kevin2600" Chen and Li Siwei. Just like phones and laptops, some connected cars use biometrics systems such as face recognition and voiceprint to quickly authenticate the identity of their users. One test that they conducted involved spoofing the voiceprint-based system of their test vehicle to trick smart speakers into authenticating a recorded voice message. By successfully using this tactic, they could, for example, order the car to open its windows, which could have dire implications if used by potential attackers in the real world. Their research also demonstrated other similar attacks that tested the facial recognition biometrics used to open connected car apps and smartphones.
Remote exploitation using connected car app
Finally, researcher Mohammed Shine tested the security mechanism of APIs for access control of a car from a well-known car manufacturer. The weakness in the security mechanism he found could allow a potential attacker to start a vehicle or unlock car doors. He was able to remotely perform such actions by interacting with the vehicle’s telematics control unit (TCU).
Security for connected cars
These studies highlight the trade-off between convenience and security. More importantly, they reiterate the significance of the planning or design phase of a vehicle and its components, along with a constant mechanism for monitoring threats and gaps that might arise throughout the rest of the vehicle life cycle.
VicOne solutions
VicOne’s suite of automotive cybersecurity solutions provides car manufacturers and suppliers with complete cybersecurity protection, encompassing a vehicle’s life cycle, ecosystem, and supply chain. It covers the five aspects of protection (threat identification, detection, analysis, response, and recovery) with the following solutions:
- xNexus, a detection and response (DR) platform for vehicle security operation centers (VSOCs), can help build awareness mechanisms and early warning for incoming attacks.
- xCarbon (intrusion detection and prevention system or IDPS for electronic control units or ECUs) provides superior detection protection in vehicles, allowing security operations centers (SOCs) to quickly understand the nature of a potential attack.
- xZETA allows OEMs to scan vendors' firmware on multiple levels and effectively reduces the attack surface from the beginning.
- xScope is a penetration-testing service that conducts a deep assessment of an entire vehicle to identify vulnerabilities and provide recommendations.
VicOne positions itself as an ideal partner for building connected vehicle security strategies and solutions. To learn more about VicOne and its products, visit our homepage.