Significant security challenge for new vehicle communication standard

While V2V communications will enable a range of safety applications, securing the protocol will require a system of unprecedented complexity.

While V2V communications will enable a range of safety applications, securing the protocol will require a system of unprecedented complexity.

When Car Hacking Turns Your Vehicle into a Video Game

image1_8.png
 

Modern cars contain a lot of nifty electronic gadgets, as well as more than one kilometer of cable wired to all kinds of sensors, processing units, and electronic control units. The cars themselves have become large computers, and as history shows, wherever there is a computer, there is someone trying to attack it. Over the past few years various studies have been conducted on how feasible it would be to attack a car through its onboard network. Most researchers focused on attacks with full physical access to the car, but some also explored external attack vectors.

If attackers have physical access to a car they can, for example, access the Controller Area Network (CAN) or the On-Board Diagnostic (OBD) system, but they can also perform other dangerous actions, such as physically tampering with the brakes or stealing the car. Digitally tampering with a car, on the other hand, might be much more difficult to prove after an accident. Such attacks could potentially be combined with other attacks that allow for a remote code execution and should be taken as a demonstration of payloads.

There are a few ways to get into a car’s system without having physical access to it, for example through tire pressure monitoring systems, traffic message channel (TMC) messages, or GSM and Bluetooth connections. Some manufacturers have started developing smartphone apps that can control some of the car’s functionalities, which opens another possible attack vector. There have also been some cases where specially crafted music files on USB drives were able to hijack some of the car’s systems.

Charlie Miller and Chris Valasek, two researchers working on a project for DARPA, explored how far they could go by hacking the Controller Area Network once inside the car. The pre-released video of their presentation for the upcoming DEFCON conference shows that nearly all of the car’s functions can be controlled or triggered including, switching off all lights, shutting down the engine, disabling the brakes, some limited steering, sounding the horn, and manipulating the system display. It doesn’t take much imagination to understand that this has the potential to cause serious accidents. Some of these changes could be made permanent and invisible with malicious firmware updates or system changes. Of course, a laptop with a modem in the glove box would work as well, but would not be as stealthy. If an attacker used the same method as the researchers, hopefully you would notice the attacker’s laptop on your backseat and wonder what was going on.

Car manufacturers are aware of these challenges and have been working on improving the security of car networks for years. Remote attack vectors, especially, need to be analyzed and protected against. At Symantec we are also monitoring this research field to help improve it in the future. Miller and Valasek’s research shows that cars can be an interesting target for attackers, but there are currently far bigger automobile-related risks than hackers taking over your car while driving. Personally, I’m more scared of people texting messages while driving and I assume they pose a far bigger risk than hackers when it comes to accidents, for now at least. Safe driving.

image1_8.png
 

Modern cars contain a lot of nifty electronic gadgets, as well as more than one kilometer of cable wired to all kinds of sensors, processing units, and electronic control units. The cars themselves have become large computers, and as history shows, wherever there is a computer, there is someone trying to attack it. Over the past few years various studies have been conducted on how feasible it would be to attack a car through its onboard network. Most researchers focused on attacks with full physical access to the car, but some also explored external attack vectors.

If attackers have physical access to a car they can, for example, access the Controller Area Network (CAN) or the On-Board Diagnostic (OBD) system, but they can also perform other dangerous actions, such as physically tampering with the brakes or stealing the car. Digitally tampering with a car, on the other hand, might be much more difficult to prove after an accident. Such attacks could potentially be combined with other attacks that allow for a remote code execution and should be taken as a demonstration of payloads.

There are a few ways to get into a car’s system without having physical access to it, for example through tire pressure monitoring systems, traffic message channel (TMC) messages, or GSM and Bluetooth connections. Some manufacturers have started developing smartphone apps that can control some of the car's functionalities, which opens another possible attack vector. There have also been some cases where specially crafted music files on USB drives were able to hijack some of the car’s systems.

Charlie Miller and Chris Valasek, two researchers working on a project for DARPA, explored how far they could go by hacking the Controller Area Network once inside the car. The pre-released video of their presentation for the upcoming DEFCON conference shows that nearly all of the car's functions can be controlled or triggered including, switching off all lights, shutting down the engine, disabling the brakes, some limited steering, sounding the horn, and manipulating the system display. It doesn’t take much imagination to understand that this has the potential to cause serious accidents. Some of these changes could be made permanent and invisible with malicious firmware updates or system changes. Of course, a laptop with a modem in the glove box would work as well, but would not be as stealthy. If an attacker used the same method as the researchers, hopefully you would notice the attacker’s laptop on your backseat and wonder what was going on.

Car manufacturers are aware of these challenges and have been working on improving the security of car networks for years. Remote attack vectors, especially, need to be analyzed and protected against. At Symantec we are also monitoring this research field to help improve it in the future. Miller and Valasek’s research shows that cars can be an interesting target for attackers, but there are currently far bigger automobile-related risks than hackers taking over your car while driving. Personally, I’m more scared of people texting messages while driving and I assume they pose a far bigger risk than hackers when it comes to accidents, for now at least. Safe driving.

After burglaries, mystery car unlocking device has police stumped

Southern California cops can’t figure out how keyless entry device works.

It's February, about an hour after midnight, and three men in oversized clothing and hats walk silently down a deserted residential street in Long Beach, California. Each one goes up to a car in the area, takes out a small electronic device, and pulls on the passenger side car handle. The first man tries a car in the street. It doesn't open, and he walks on. The other two men try an Acura SUV and an Acura sedan in one home's driveway. Both of the cars unlock, their overhead lamps going on. The two men rummage through the cars, taking what they find. They shut the car doors and walk off.

Video of this scene was recorded by a surveillance camera placed in the driveway where the two Acuras were parked. The Long Beach Police (LBPD) department says that eight vehicles in total were “accessed and burglarized” in the same neighborhood that night. But despite having footage of the crime, the LBPD was not able to determine how the electronic devices worked or who the suspects were.

Auto burglary technology grants keyless access.

In April, the Long Beach Police posted the surveillance video on YouTube, desperate to figure out just how the electronic device used by the three suspects works. Ars spoke to a Long Beach Police spokeswoman who confirmed that after another two months, the department still hasn't come to a conclusive answer.

Read 6 remaining paragraphs | Comments

Escrow Scams Searching New Avenues

Contributor: Binny Kuriakose
People dream big when buying expensive items like a car or a property. When those dreams are seen with very affordable price tags it certainly attracts everybody’s interest. There are lots of websites available that a…

Contributor: Binny Kuriakose

People dream big when buying expensive items like a car or a property. When those dreams are seen with very affordable price tags it certainly attracts everybody’s interest. There are lots of websites available that allow people to post free classified advertisements online and one of the biggest categories is that of used cars. This is the new breeding ground for the old escrow tricksters.

This blog will discuss an interesting case of how a free classified advertisement and an escrow service turned out to be an online scam.
 

What are escrow services?

Escrow services are essentially mediators in trade that ensure all terms, agreed by both parties, are met. Escrow companies take the payment from the buyer and ‘hold it’ until the seller delivers the goods to the buyer and all the terms of sale are met. If you are buying an item from an unknown party without meeting face-to-face, the best bet is to use an escrow service.
 

How I stumbled across this scam

I happened to skim through the ads on a classified site for used cars in India and I came across an advertisement for a really good car at an attractive price. In fact, too attractive to be true!
 

image2.png

Figure 1.  Car advertisment
 

Even though alarm bells were going off, I just could not resist replying to the advertisement.

I got a prompt reply within an hour, which was from a lady named Karina Lommer, at least that’s what it said in the email ID. She explained to me that the car was in pristine condition and the reason why she was selling it at a very low price.
 

image4xxx.png

Figure 2. Seller email
 

Uh-oh! Alarm bells ringing off their hooks! It was exactly what I had suspected, another one of those dodgy emails that try to lure you into a bogus deal, most likely involving an escrow scam.

I saw similar “too good to be true” deals in separate advertisements and got the exact same email reply from Mrs. Tania Shurrer and Mrs. Letticia Coleman.
 

image5_0.png

Figure 3. More seller email
 

It’s definitely a scam all right, but I wanted to know where this was leading to. I played along, giving them some bogus information and hoping that I could trick the trickster. I got two emails from the same address informing me that the deal was on and giving me further instructions.
 

image8xx.png

Figure 4. Emailed instructions
 

image10xxx.png

Figure 5. More emailed instructions
 

The emails give the impression that the car is in India but I won’t be meeting the owner. I just need to send the money to a popular third-party online shopping service and the car will be shipped to me. Sure enough, there arrived an email which was made to look like it was from the third-party shopping website asking me to deposit the money in a local account within five working days. The email claimed that the third-party organization would guarantee the transaction and the car would be shipped to me as soon as they received the money.
 

image12xxx.png

Figure 6. Online service used for payment
 

image14xxx_1.png

Figure 7. Online payment instructions
 

Now that we can see the entire picture, it is clear that once someone deposits the money in the account, they will be down a large sum of money and still without a car.

Another possible way to trick people is to set up a site masquerading as a legitimate escrow site and con people into sending money to the fake service.

To avoid scams like the one discussed I this blog the following practices are recommended:

  • Stay away from ads that provide very little or no contact information
  • Poorly written emails and shabby formatting may be a sign of a possible scams
  • If the transaction turns out to be from a foreign country, avoid it
  • Be cautious of purchases requiring wire transfers
  • Do your research, and search for scams using similar tactics on the Internet, chances are you will find other examples
  • Most importantly, go through the site’s safety policies so that you can be better equipped to handle such situations. Notify the sites being spoofed and forward them on the spam emails received