Muscat: Kaspersky Lab and IAB, Spain's leading marketing and digital media company, have announced the launch of the first annual connected cars study, a pioneering piece of research.
The main objective of this study is to provide an overview of the connected car market, combining all available information to answer some burning questions and bring some unity to the highly fragmented software ecosystem currently offered by manufacturers.
Vicente Diaz, principal security researcher at Kaspersky Lab, was responsible for developing a proof of concept to analyse the safety implications of connecting these cars to the Internet.
Motorists can no longer ignore safety concerns about the communications and Internet services included in the new generation of 'connected cars'. This is much more than just helping to park your car safely; it now encompasses access to social networks, email, smartphone connectivity, route calculation and in-car apps to name a few.
These technologies offer great advantages to drivers, but they also bring new risks to today's users. That's why it is essential to analyse the different vectors that could result in cyber-attacks, accidents or even fraudulent maintenance of the vehicle.
Privacy, updates and smartphone apps for these cars could be turned into three separate attack vectors for cybercriminals. "Connected cars can open the door to threats that have long existed in the PC and smartphone world. For example, the owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely. Privacy issues are crucial and today's motorists need to be aware of new risks that simply never existed before," said Diaz.
Kaspersky Lab's proof of concept, based on analysing BMW's ConnectedDrive system, found several potential attack vectors:
Stealing the credentials needed to access BMW's website — using familiar means like phishing, keyloggers or social engineering — could result in unauthorised third-party access to user information and then to the vehicle itself. From here it is possible to install a mobile app with the same credentials and potentially enable remote services before opening up the car and driving it away.
If you activate the mobile remote opening services, you effectively create a new set of keys for your car. If the application is not secured, anyone who steals the phone could gain access to the vehicle. With a stolen phone it would be possible to modify the application's local database and bypass any PIN authentication, making it easy for a cyber-attacker to activate remote services.
Bluetooth drivers are updated by downloading a file from the BMW website and installing it from a USB drive. This file is neither encrypted nor signed, and it contains a lot of information about the internal systems running on the vehicle. This could give a potential attacker insight into the targeted environment, and the file could also be modified to run malicious code.
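The weakness described above is that the installer accepts whatever file arrives on the USB drive. The added example below, written for this article and not taken from BMW's ConnectedDrive or from Kaspersky Lab's proof of concept, shows the mitigation a vehicle-side installer would apply: the vendor signs a digest of the update with an Ed25519 key, and the installer verifies that signature against a pinned public key before touching the payload, so a modified file is refused. The bundle layout, the function names and the "driver blob" payload are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateBundle is a constructed stand-in for a downloaded driver update:
// the raw payload plus a detached signature over its SHA-256 digest.
// A real vendor format would also carry a version and a key identifier.
type UpdateBundle struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate models the vendor's release step (hypothetical): hash the
// payload and sign the digest with the vendor's private key. The private
// key never leaves the vendor; only the public key is pinned in the car.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdateBundle {
	digest := sha256.Sum256(payload)
	return UpdateBundle{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the check the vehicle's installer runs before installing
// anything from the USB drive. It rejects malformed signatures outright and
// refuses any payload that does not verify under the pinned public key.
func VerifyUpdate(pub ed25519.PublicKey, b UpdateBundle) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key has wrong size")
	}
	if len(b.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature: refusing to install")
	}
	digest := sha256.Sum256(b.Payload)
	if !ed25519.Verify(pub, digest[:], b.Signature) {
		return errors.New("signature verification failed: refusing to install")
	}
	return nil
}

// Tamper simulates the file being modified after download (one byte flipped);
// the detached signature is left as-is, which is what an unsigned-update
// workflow would silently accept.
func Tamper(b UpdateBundle) UpdateBundle {
	p := append([]byte{}, b.Payload...)
	p[0] ^= 0xFF
	return UpdateBundle{Payload: p, Signature: b.Signature}
}

func main() {
	// Key generation happens once at the vendor; the public key is what
	// gets baked into the vehicle's installer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bundle := SignUpdate(priv, []byte("constructed bluetooth driver blob v1.2"))
	fmt.Println("genuine bundle:", VerifyUpdate(pub, bundle))           // <nil>
	fmt.Println("tampered bundle:", VerifyUpdate(pub, Tamper(bundle))) // error
}
```

The design point is that integrity comes from the signature, not from the download channel: even if the file is fetched over HTTPS, nothing stops it being altered on the USB drive, so the installer must verify at the moment of use and must fail closed on any verification error.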
Some functions communicate with the SIM inside the vehicle using SMS. Breaking into this communication channel makes it possible to send 'fake' instructions, depending on the operator's level of encryption. In a worst-case scenario, a criminal could replace BMW's communications with his/her own instructions and services.
The study also looks into online connectivity and the leading apps in the Spanish automobile industry, as well as exploring business models and future trends in connectivity platforms on the market.