Vehicles are everywhere in society; a person can't walk far
without seeing one parked or being driven. Vehicles manufactured within the
last decade, and those going forward, are connected and will continue to be. This may
take the form of GPS to tell drivers where they are, radio,
internet access, and other useful functions.
While this connectivity is clearly helpful for users,
there are drawbacks. Connectivity adds attack surface. One
of the attack points recently found and exploited was the MyCar app. It all began when
the security researcher purchased a remote car starter for his girlfriend. As
he installed it, he began to think through the process and whether it was secure
or not. The attack and exploitation were presented by Jmaxxz at DEF CON 27 in 2019.
The presentation, which the author attended, explored the issues fully in
a technical yet graspable manner.
MyCar
The app was created and is marketed by the Canadian company
Automobility. The software is rebranded and sold under various other names, including
MyCarKia, Visions MyCar, and Carlink. It allows the user to
interact with the vehicle at a distance, which includes, among other
functions, starting the car. This is especially useful when the user is in the
office in the middle of January in the Midwest.
Vulnerability
The flaws affected over 60,000 vehicles. One
vulnerability is enough of a problem; the more vulnerabilities, the worse the
situation. The flaws found in MyCar could,
among other things, allow an attacker to steal a vehicle. With the flaws
exploited, the attacker could filter the affected vehicles by the model they
wanted. The flaws allowed someone to locate, identify, unlock, and start
a vehicle, and to trigger its alarm. The attacker could also access any user's
data. The backend was open to SQL injection, giving access to, and the ability to
send commands to, any user's vehicles. Confirming that the issue was real and
not merely the researcher's opinion, Automobility issued a statement to the effect
that the company was addressing it.
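As an added illustration (not Automobility's code, and not code from Jmaxxz's talk), the following Python sketch shows the two server-side failures described above: a vehicle lookup that splices a user-supplied model filter straight into SQL, beside a parameterized version, and a command endpoint that checks vehicle ownership against the authenticated session before relaying anything. The schema, sample rows, command names and the attacker's filter string are all constructed for this example.

```python
import sqlite3

# Hypothetical backend tables and sample rows, constructed for this example;
# they are not MyCar's real schema or data.
USERS = [(1, "alice"), (2, "bob")]
VEHICLES = [
    (101, 1, "Kia Soul"),
    (102, 2, "Honda Civic"),
    (103, 2, "Ford F-150"),
]

# Commands the server is willing to relay to a vehicle (assumed set).
ALLOWED_COMMANDS = {"locate", "lock", "unlock", "start", "alarm"}

# Filter string an attacker might submit in the model field. Spliced into the
# vulnerable query it closes the LIKE literal and appends an always-true OR,
# so the owner_id check no longer restricts the result.
ATTACK_FILTER = "%' OR '' LIKE '"


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE vehicles (id INTEGER PRIMARY KEY, owner_id INTEGER, model TEXT);"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO vehicles VALUES (?, ?, ?)", VEHICLES)
    conn.commit()
    return conn


def list_vehicles_vulnerable(conn, user_id, model_filter):
    """Vulnerable: the user-supplied filter is pasted into the SQL text."""
    sql = (
        "SELECT id, owner_id, model FROM vehicles "
        f"WHERE owner_id = {int(user_id)} AND model LIKE '%{model_filter}%'"
    )
    return conn.execute(sql).fetchall()


def list_vehicles_hardened(conn, user_id, model_filter):
    """Hardened: every value is bound as a parameter, never spliced in."""
    sql = "SELECT id, owner_id, model FROM vehicles WHERE owner_id = ? AND model LIKE ?"
    return conn.execute(sql, (user_id, f"%{model_filter}%")).fetchall()


def send_command(conn, user_id, vehicle_id, command):
    """Relay a command only if the caller's session owns the target vehicle."""
    if command not in ALLOWED_COMMANDS:
        return "denied"
    row = conn.execute(
        "SELECT owner_id FROM vehicles WHERE id = ?", (vehicle_id,)
    ).fetchone()
    # Ownership is decided from the server's own records and the session's
    # user id, not from anything the client claims about which cars it owns.
    if row is None or row[0] != user_id:
        return "denied"
    return f"{command}:{vehicle_id}"


if __name__ == "__main__":
    db = build_db()
    print("alice, honest filter:   ", list_vehicles_vulnerable(db, 1, "Kia"))
    print("alice, injected filter: ", list_vehicles_vulnerable(db, 1, ATTACK_FILTER))
    print("hardened, same input:   ", list_vehicles_hardened(db, 1, ATTACK_FILTER))
    print("alice starting bob's car:", send_command(db, 1, 102, "start"))
    print("bob starting his own car:", send_command(db, 2, 102, "start"))
```

Run as a script, the vulnerable lookup returns every vehicle in the table for the injected filter (the attacker's "filter by model" over the whole fleet), while the hardened lookup treats the same input as a harmless pattern and returns nothing. The command endpoint denies alice's attempt to start vehicle 102 regardless of how the request is phrased, because the ownership check is applied server-side.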
Danger
The issue is not only the vulnerability itself, but what
an attacker is able to do with it. For the affected vehicles, it gave attackers
unauthorized access to start the vehicle, among other actions.
This is significant and could also lead to life-threatening circumstances:
if a vehicle were started in an enclosed area, e.g. a garage, the
residents could suffer carbon monoxide poisoning.
Curiously, the researcher was able to collect 2,000 location points for his car
over a 13-day period. Previously, it was not known that this much location data
was being collected.
Mitigation
Fortunately, the researcher notified the company so
it could work on a fix. As of the presentation, the issues had largely been
resolved.
Resources
EHacking News. (2019, August 12). MyCar exposes thousands of
vehicles to hackers. Retrieved from https://www.ehackingnews.com/2019/08/mycar-exposes-thousands-of.html
Greenberg, A. (2019, August 10). A remote-start app exposed
thousands of cars to hackers. Retrieved from https://www.wired.com/story/mycar-remote-start-vulnerabilities/
IANS. (2019, August 11). Remote-based app exposed thousands
of vehicles to hackers. Retrieved from https://auto.ndtv.com/news/remote-based-app-exposed-thousands-of-vehicles-to-hackers-2083648
IANS. (2019, August 11). Remote-based app exposed thousands
of vehicles to hackers-details inside. Retrieved from https://www.timesnownews.com/technology-science/article/remote-based-app-exposed-thousands-of-vehicles-to-hackers-details-inside/467106