Smart car attack vectors and their diversification trends

Publisher: Xiangsi. Latest update time: 2024-04-12. Source: 电控技术大师
As attacks become more sophisticated and frequent, the door to large-scale impacts on the entire ecosystem has been opened, and smart mobility stakeholders must be aware of emerging threats and their potential impact on cyber resilience. In 2023, cyberattacks became more sophisticated and frequent, targeting various vehicle systems and components as well as smart mobility platforms, IoT devices, and applications, and quickly made the entire industry realize that any connection point is at risk of attack.

This attack landscape has driven the continued growth of two new attack vectors that have emerged since 2022. These two vectors are at the core of the smart mobility ecosystem: mobile application and service APIs, and the charging infrastructure for electric vehicles, which are expected to replace internal combustion engines in the next decade.


API-based attacks showed dramatic growth in 2022, accounting for 12% of total incidents, an astonishing 380% increase. Looking ahead, we expect the trend of API-based attacks to gradually expand, and various attackers will exploit API vulnerabilities to carry out large-scale attacks.

In 2023, incidents targeting the backend servers of the automotive and smart mobility ecosystem (connected cars, applications, etc.) and infotainment systems increased dramatically. Incidents related to servers increased from 35% in 2022 to 43% in 2023; incidents related to infotainment systems almost doubled, from 8% in 2022 to 15% in 2023.


This reflects both the maturity of the automotive cybersecurity field and attackers' efforts to obtain sensitive data and potentially gain large-scale control of vehicles and mobility assets.

Attack vector classification

Connected Car and Application Servers

Throughout the life of the vehicle, the connected car and application servers connect the vehicle to collect, transmit and receive information from the original equipment manufacturer (OEM) backend server and the car owner. This is achieved by using two types of servers: the connected car server that communicates with the vehicle, and the application server that is paired with the vehicle.

In addition, some vehicles have back-end servers that communicate with third parties, such as insurance companies, car rental companies, electric vehicle charging networks, etc. By exploiting vulnerabilities in the back-end servers, hackers can attack the vehicle while it is in motion.

In June 2023, a security researcher from the Automotive Security Research Group (ASRG) discovered multiple vulnerabilities in MQTT, a network communication protocol widely adopted in cars, that could allow attackers to access and even manipulate telemetry data from cars that commonly use the protocol.


A set of vulnerabilities, tracked as CVE-2023-3028, was identified:

The MQTT backend does not require authentication, allowing attackers to make unauthorized connections.


The vehicles publish their telemetry data (e.g., GPS location, speed, odometer, fuel, etc.) as messages in a public topic. The backend also sends instructions to the vehicles as MQTT messages published to the public topic. As a result, the attacker can access the confidential data of the entire fleet.


MQTT messages sent by the vehicle or backend are not encrypted or authenticated. An attacker can create and publish messages to impersonate the vehicle or backend. For example, an attacker can send false information about the vehicle's location to the backend.


The backend server can inject data into the vehicle's CAN bus by sending specific MQTT messages on a public topic. Because these messages are not authenticated or encrypted, an attacker can impersonate the backend, create fake messages, and inject CAN data into any vehicle managed by the backend.
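The first two findings come down to missing broker-side authentication and topic authorization. The following added example (not from the original article or the affected product) sketches the per-identity topic check a broker would enforce; the `fleet/<vehicle_id>/...` layout, the role names and the vehicle identifiers are assumptions made for illustration.

```python
# Constructed topic layout (assumption): fleet/<vehicle_id>/telemetry and
# fleet/<vehicle_id>/cmd. Role and identity come from the authenticated
# connection (for example a client-certificate subject), never from the payload.
ACL = {
    "vehicle": [("publish", "fleet/%u/telemetry"), ("subscribe", "fleet/%u/cmd")],
    "backend": [("subscribe", "fleet/+/telemetry"), ("publish", "fleet/+/cmd")],
}

def covers(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`."""
    a, r = allowed.split("/"), requested.split("/")
    for i, level in enumerate(a):
        if level == "#":
            return True            # allowed takes all remaining levels
        if i >= len(r) or r[i] == "#":
            return False           # requested is shorter or wider than allowed
        if level != "+" and level != r[i]:
            return False           # literal mismatch, or '+' requested against a literal
    return len(a) == len(r)

def authorize(role: str, identity: str, access: str, topic: str) -> bool:
    """Decide one publish/subscribe request for an authenticated client."""
    if not identity or any(ch in identity for ch in "/+#"):
        return False               # anonymous, or identity that could inject topic levels
    if access == "publish" and ("+" in topic or "#" in topic):
        return False               # wildcards are not valid in a publish topic
    return any(
        acc == access and covers(pattern.replace("%u", identity), topic)
        for acc, pattern in ACL.get(role, [])
    )

if __name__ == "__main__":
    # Constructed requests: (role, identity, access, topic)
    for req in [("vehicle", "VEH-A", "publish", "fleet/VEH-A/telemetry"),
                ("vehicle", "VEH-A", "subscribe", "fleet/#"),
                ("vehicle", "VEH-A", "publish", "fleet/VEH-B/cmd"),
                ("vehicle", "", "subscribe", "fleet/VEH-A/cmd")]:
        print(req, "->", "allow" if authorize(*req) else "deny")
```

Topic authorization addresses fleet-wide reads and cross-vehicle publishes; the unauthenticated, unencrypted payloads in the last two findings additionally need transport encryption and per-message authentication.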


Keyless entry system


Modern vehicles use keyless entry systems to prevent theft, which include smart keys equipped with very strong encryption technology and immobilizers. But keyless entry systems can backfire as vehicle thefts and burglaries continue to increase.

Hackers manipulate wireless key fobs to carry out attacks. Publicly available hacking tutorials and devices sold online without registration have made these attacks popular.

The wireless key is equipped with a short-range radio transmitter, which sends a coded radio signal to a receiving unit when it is close to the vehicle. The communication between the key and the vehicle can be manipulated by devices that can intercept and relay, replay or completely interfere with the radio signals.


The communication between the key fob mechanism and the vehicle can be attacked in several different ways:

Relay attack using "live" signal: In a relay attack, hackers are able to intercept normal communications between the key fob and the vehicle even when the key fob's signal is out of range. Hackers can use a transmitter or repeater placed near the vehicle to amplify the radio signal, which can amplify and relay a message to unlock and start the vehicle's engine. Thieves are increasingly using this attack to intercept signals from key fobs that are left at the owner's home.


Replay attack using stored signals: In another type of relay attack, the hacker intercepts the information sent between the key fob and the vehicle and stores it for later use. With this information, the hacker can unlock the car doors or start the vehicle's engine at any time.


Rekeying: A more complex and expensive device can be used to reprogram the key fob system, rendering the original key useless. This reprogramming device connects to the OBD port and allows a vehicle thief to take full control of the vehicle with relative ease - it can be purchased legally online and is used by authorized mechanics and service centers.


Interfering with the communication between the key fob and the vehicle: Car thieves may also gain access to vehicles using signal jammers, which are devices that block the communication between the key fob and the vehicle. Such devices prevent the owner from locking the vehicle, thus allowing the thief free entry.


Emulating wireless key fob ECU using CAN injection: A new attack method favored by hackers and widely used by criminals to steal vehicles is CAN injection. An attacker can bypass the entire keyless entry system using a CAN injector device that connects to the CAN lines and emulates the wireless key fob ECU.


In January 2023, a security researcher discovered a vulnerability, described in CVE-2022-38766, that affects the remote keyless system of a French original equipment manufacturer (OEM) model. The vulnerability is based on rolling codes, which are a series of changing codes used to prevent replay attacks. In this case, the researchers found that the system did not generate a new rolling code, but used the same rolling code for each door opening request. This vulnerability allows an attacker to intercept and replay the signal and manipulate the keyless system using specialized equipment.
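Why a reused code defeats the purpose of rolling codes can be shown with a small receiver model. This is an added example, not code from the article or from the affected system: the HMAC-based code derivation, the key, and the `WINDOW` value are stand-in assumptions, since real fobs use their own ciphers and parameters.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: missed button presses the receiver tolerates

def code_for(key: bytes, counter: int) -> bytes:
    """Code the fob transmits for press number `counter` (HMAC stand-in, truncated)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class RollingReceiver:
    """Accepts a code only if it belongs to a counter ahead of the last one used."""
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def unlock(self, code: bytes) -> bool:
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(code, code_for(self.key, c)):
                self.counter = c   # burn this code and every earlier one
                return True
        return False

class StaticReceiver:
    """Models the flaw described above: the expected code never changes."""
    def __init__(self, key: bytes):
        self.expected = code_for(key, 1)

    def unlock(self, code: bytes) -> bool:
        return hmac.compare_digest(code, self.expected)

def replay_outcomes() -> dict:
    key = b"constructed-demo-key"          # constructed sample key
    captured = code_for(key, 1)            # the signal recorded from press #1
    rolling, static = RollingReceiver(key), StaticReceiver(key)
    return {
        "rolling_first": rolling.unlock(captured),
        "rolling_replay": rolling.unlock(captured),         # stale, rejected
        "rolling_after_skips": rolling.unlock(code_for(key, 7)),
        "rolling_old_code": rolling.unlock(code_for(key, 5)),
        "rolling_out_of_window": rolling.unlock(code_for(key, 7 + WINDOW + 1)),
        "static_first": static.unlock(captured),
        "static_replay": static.unlock(captured),           # accepted every time
    }

if __name__ == "__main__":
    for name, accepted in replay_outcomes().items():
        print(f"{name:24s} {'accepted' if accepted else 'rejected'}")
```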

In February 2023, police in Glasgow, Scotland, issued a warning to the city about an increase in keyless vehicle thefts after 28 vehicles were stolen. On the same day, police in Suffolk, England, warned citizens of a surge in keyless car thefts, with five luxury SUVs from British OEMs stolen in one month. Similar announcements were made by the Waterloo Regional Police in Belgium, Worcestershire Police in the United Kingdom, and the Franconia Police in Germany between March and May 2023. In August 2023, the UK government announced plans to ban keyless vehicle hacking devices in an attempt to combat rising vehicle thefts, which have soared 25% year-over-year.

In April 2023, a cybersecurity researcher disclosed a new attack method, called CAN injection, which bypassed the entire smart key system by using a CAN injector device. The device can connect to the control CAN bus from the headlight connector, taillight connector, or even punch a hole next to the CAN line to impersonate the smart key ECU. The researcher discovered this method after a long digital forensics investigation into the theft of his Japanese OEM vehicle in July 2022, after two failed attempts.

Electronic Control Unit


Electronic Control Units (ECUs), which are responsible for engines, steering, brakes, windows, keyless entry and a variety of critical systems, can be interfered with or manipulated. Hackers try to manipulate ECUs and control their functions by running multiple complex systems simultaneously.

In February 2023, the National Highway Traffic Safety Administration (NHTSA) ordered a recall of nearly 17,000 SUVs from Japanese OEMs manufactured between November 2019 and June 2021. The software in the hybrid vehicle control ECU used to calculate the hybrid battery output may not limit the battery output as required, causing the hybrid system to shut down completely under certain conditions. It is not clear what the cause of the problem is, but it certainly could evolve into a significant cyber risk.


In November 2023, a hacker used a device with a microcontroller to read the CAN bus of a Japanese OEM vehicle, enabling him to keep the vehicle's ACC (accessory) relay energized when the engine was off, maintaining power to the stereo and infotainment system. This type of attack can lead to privacy violations, as well as the potential exploitation of other vehicle systems.

Application Programming Interface


Connected cars and smart mobility IoT devices and services use a wide range of external and internal application programming interfaces (APIs), resulting in billions of transactions per month. Over-the-air (OTA) updates and connected car servers, OEM mobile apps, infotainment systems, mobile IoT devices, electric vehicle charging management, and billing applications all rely heavily on APIs.

APIs also present a significant, fleet-wide, and large-scale attack vector, enabling a variety of cyberattacks such as theft of sensitive personally identifiable information (PII), manipulation of backend systems, or malicious remote vehicle control.

Compared to hacking other types of systems, API hacking is relatively cost-effective and capable of large-scale attacks - it requires relatively low technical expertise, uses standard techniques, and can be performed remotely without special hardware. In the past two years, the automotive industry and its supply chain, as well as mobile devices and services, have experienced a significant increase in data and privacy breaches due to API-based attacks.

In January 2023, a group of security researchers published a detailed report on their months of work exploring the security of connected car systems, automotive APIs, and the infrastructure that supports them. They found multiple vulnerabilities in 19 major global OEMs and suppliers that allowed them to remotely control vehicles and access sensitive OEM and consumer data.

In March 2023, a security researcher disclosed that he had accessed a customer relationship management database of a Japanese OEM by modifying a developer application to use a production API that was inadvertently exposed through a loading-spinner setting. A misconfigured API and lack of proper authentication and verification allowed the researcher to access the names, addresses, phone numbers, email addresses, tax IDs, and vehicle/service/ownership histories of the OEM’s customers.

In July 2023, security researchers reported three critical vulnerabilities found in the API interface of a Swiss vendor's Charging Station Management System (CSMS) platform, allowing attackers to access files uploaded by other users, bypass the required configuration PIN (authentication), and hijack the charger's OCPP connection.

In November 2023, security researchers from ASRG disclosed a vulnerability, described in CVE-2023-6073, that allows attackers to crash a specific electronic control unit installed in German OEM vehicles via a REST API call and irreversibly turn the volume to maximum.

In the same month, a popular Tier 2 supplier of automotive platform chips disclosed a multi-mode call processor memory corruption vulnerability, described in CVE-2023-22388, which occurred when processing bitmask APIs, leading to unexpected behavior and system crashes.

Mobile Apps
