How to Hack Smart Cars

Introduction

The advancement of technology and greater connectivity has pushed companies to sutaibility in better economic markets. Cybercrime is increasingly rising on par with these advancements alongside improved technology and greater accessibility. This is not only prevalent in countries like India, but also in developed countries like the United States of America.

Smart cars are the new frontier in the automobile industry. Connected to the internet, these cars have added features and can be controlled using mobile applications and given commands remotely. While this feature brings added flexibility to cars, it also paves way for hackers and malicious users to come up with new ways to hack into these machines.

Nowadays, Mercedes Benz and other companies have been working on concept vehicles, compact cars, city cars towards formulating computer systems and security teams centered around creating cars that are miles away from getting hacked in the smart cities of today.

While car manufacturers have been in the sector for decades, they are only now entering the market where computer technology helps drive and operate vehicles. In the comfort and functionality of modern cars, computers play a central role, including:

1. Apps that allow doors to start and unlock.
2. To assist with backup and driving tracking, video cameras.
3. Self-steering capabilities for parallel assistance for parking.
4. Running remote diagnostic tests.
5. Checking levels of battery capacity.

The Idea

It all started when I sat down to decide my college research project. One of the first things that occurred to me was either a machine learning-based application or something related to cyber-security and yes, I thought, “why not both”.

This idea of Hacking into cars is not a new concept. Car companies like Tesla pay millions of dollars to ethical hackers for finding loop holes in their products. Moreover, the CANBUS method to hack into cars has been talked about for years, in DEFCON events and Security seminars. But as times have changed, so have the cars that we drive.

“Phones are smart, But what about cars?”

Smart cars, electric vehicles and self-driving cars are at the forefront of the automobile industry’s breakthrough innovations. The thought of controlling your vehicle using your mobile seems quite appealing to the end-user, but it is, in fact, a nightmare for any cyber professional.

The main concept is that smart cars use mobile applications to take commands from users. These applications depend on API calls to and from the device and the company servers. It is possible, through API hacking and spoofing that a malicious user pretends to be the owner of the vehicle and sends an API request to the company server which thinks that the request is genuine and returns a positive response which then allows the hacker to control the car via the application.

So the debate that experts tackle is, how smart should our cars be? Or the age-old connected vs secure trade-off, meaning that the more connected a device is, the less secure it is. Well, this is where security engineers come in. They might not know much about how cars work, but once the car is connected to the internet, they have quite a few tricks up their sleeves

The Method

You own your car, but not it’s software, which is owned by the manufacturer of the car. We are permitted to use the software, but in the past, it was a form of copyright violation to attempt to change it in some way (including repairing it by yourself when it fails or patching security holes).

Moreover, hackers will try to access car systems without even physically being present there. Hence the idea of hacking into the app that controls the car seems more probable and sensible here.

So in order to hack into our own car (because it is illegal to hack into someone else’s devices without their consent!), we will understand how the car, the app, the physical parts all interact with each other.

Our entire process begins when the user installs the application on the mobile phone. In this blog, I have taken the example of my favourite smart car in the Indian market right now, NG Hektor (name changed). Smart cars come with an application which can be downloaded on the mobile phone and be used to control the car, it can also be used to interact with the touchscreen multimedia system that is present on the dashboard of most of the cars these days.

Through this application, the vehicle owner can control features like the AC, the music, the windows, see the geo-location, set geofencing parameters and a dozen more things. These features can be enabled by simply logging in into the app on your mobile phone, and connecting with your car over the internet.

For this magic to occur, the car companies place a sim card embedded into the multimedia system, which has a default top-up of 2 years, using which the owner can access the internet directly from the car, or the multimedia system can interact with the application without the two of them being near to each other.

Let us now dive into a real scenario to see how my NG Hektor is at risk…

The Art of the Steal

Our scenario is quite simple, we went to a restaurant, and are now returning to our car in the parking lot. What we don’t know is that in the van parked next to us, is an evil mastermind, Mr Robot, who wants to steal our car using his tech skills. Our wifi was ON inside the restaurant, and is still connected to “Starbubs Wifi”. This gives the attacker an opportunity, and he creates his own fake access point with the same name: “Starbubs Wifi”.

Now when we reach our car, our phone automatically disconnects with the original wifi because it goes out of range, but at the same time, since this new access point looks the same, our phone automatically connects to this wifi.

Now the real geek process begins...Once we connect to that hotspot, Mr Robot then acts as a middleman between us and the internet. We can connect to our websites and apps, and everything seems normal, but in reality, Mr Robot can see all the traffic that is going in and out of our mobile phone.

We then start our car, and as we open our NG Hektor App and connect to the car multimedia system, Mr Robot intercepts the API request that went from our phone to the NG car company servers, using BurpSuite, a program that can monitor and control internet traffic on a network.

Using this tool, the evil mastermind can now look at our API request as if it was a normal message sent to him. Our API key, our car details, everything has been intercepted by Mr Robot now (don’t panic...yet). All this time, we are unaware of these activities. We then drive off our car and go back home.

The next day, we return to our favourite restaurant, and when we go inside to enjoy our pasta, Mr Robot pulls over next to our car. He then installs the Hektor app on his own mobile phone. He already has our API key, which means that he can log into his app with his own credentials, but when he sends the “unlock door” command through the app, the command first goes to the company servers as an API request...but wait, Mr Robot intercepts his OWN app request using burp suite, changes the API key to OUR key, and then passes the request forward.

The car company servers receive a request from OUR API key and hence pass back the request to OUR NG Hektor, and since the portable e-sim on our cars are always on…” to to” and lo, our car doors open up. Mr Robot smiles, he has achieved his goal. We return from the restaurant, enjoying the free dessert, and well, let's just say, we burn all those calories by walking back home.

A picture says a thousand words, and I think I shall let these two diagrams explain the process to you.

The Attacks

Since we have established the fact that API hacking is the best possible approach for us in this scenario, let us also talk about some possible cyber attacks:

Attacks based on Injection

When malicious code is inserted into insecure applications, injection attacks occur. The most famous examples are SQLi (SQL injection) and XSS (cross-site scripting), although there are others. Injection attacks are a long-standing threat to web apps; they are also an increasing threat to APIs today.

Attacks by DoS/DDoS

The attacker attempts to render the targeted device inaccessible to its intended users in a Denial of Service (DoS) attack. They have a wide variety of potential measurements. "Slow" DoS attacks at one extreme will consume the resources of the victim with very little bandwidth.

Volumetric DDoS attacks, at the opposite extreme, can consist of several terabits per second of incoming traffic. They will earn a lot of advertising when these happen against popular websites.

Hijacking Validation

Attackers try to circumvent or break the authentication mechanisms that are being used by a web application.

Exposure of Sensitive Data

Sensitive data is also processed and transferred by web applications: payment card information, passwords, session tokens, private health data, and more. In particular, this is a problem for RESTful APIs using HTTP as the underlying protocol. HTTP covers a range of potentially insecure operations.

Obviously, the purpose of this blog is to create awareness by teaching the user the various cyber-attack methods that can be used by a hacker, but this isn’t a tutorial. I want both manufacturers and consumers to be aware of threats, not someone with malicious intent to get more ideas, hence I believe this is where I shall draw the curtains.

I am working on a research Project: CACTUS (Cyberthreat Assessment of Cars through Tensorflow Using Supervised learning). CACTUS is an all-in-one tool that secures these autonomous vehicles by preventing unauthorized users from accessing the car. It uses TensorFlow, a python-based machine learning library, to construct a network anomaly detection system and a cryptographic algorithm to further protect the transfer of information to and from the vehicle. The key idea is that smart cars use mobile devices to take commands from users.

These apps depend on API calls to and from the servers of the system and the business. It is likely that a malicious user pretends to be the owner of the vehicle via API hacking and spoofing and sends an API request to the business server that assumes the request is legitimate and returns a positive response that then enables the hacker to monitor the car through the application.

With CACTUS, the API requests to and from the app will be secure and better encrypted, and with machine learning-based anomaly detection, the car network will also be better secured.

Ending Note

The cybersphere is ever-changing, and while a lot of companies and users focus on device security, vehicles often go unnoticed. With Apple’s recent announcement of the Apple Cars in line for production, and Tesla already dominating the market, smart and connected cars are soon going to be a part of everyone’s daily lives, and it will be both scary, and interesting to see what security threats come up with these new smart vehicles.

The ball often lies in our court. As consumers, it is our responsibility to be aware of the threats that surround us, especially the ones that can have a massive impact on our daily lives. Manufacturers should also be aware of the new and upcoming threats that linger over different technologies.

There are only a few selected companies that have a bug bounty program where users can submit vulnerabilities to the manufacturer and get rewarded in return, these incentives will help more and more security professionals to come forward and help secure the upcoming smart car industries.

Thank you for I hope this article was able to shed light on the security flaws and at the same time, inform users how they can prevent such kinds of cyber attacks on their devices. I hope that every person who read this article will be vigilant enough in the future and will never have to say, “someone hacked my car”

I hope this article was a refreshing insight into the world of cybersecurity. Thanks for reading

ABOUT THE AUTHOR