Easier with a crowbar: hacking IoT accessories for cars
Credit to Author: Leonid Grustniy| Date: Fri, 26 Jul 2019 20:22:08 +0000
We often discuss vulnerabilities of different IoT devices, ranging from smart cameras to sex toys. This time, our researchers decided to find out whether smart gadgets for cars are well secured.
What was tested
For the test, we chose a number of devices with different functions: a couple of OBD system scanners, a tire pressure/temperature monitoring system, an Internet-dependent GPS tracker, a dashcam, and a smart car alarm.
OBD scanner vs Bluetooth scanner
What we investigated? A device that plugs into the OBD connector inside the car and transmits data about speed, acceleration, engine rpm, etc. to a smartphone connected via Bluetooth. The data can be observed while driving, and later overlaid on the video recording in the related app.
What we discovered? The scanner uses its MAC address as both the serial number and the password required to connect to it. The problem is that the scanner transmits its MAC address via Bluetooth — seen by all devices within a range of a few dozen meters.
So to connect to the device, a potential attacker needs only scan the ether and read its MAC address.
What’s the threat? Fortunately, the tested scanner only reads vehicle data and does not affect the car’s behavior. Therefore, even if a third party manages to connect to the gadget, they will not be able to harm the driver, only view a recording of the drive and the vehicle readings.
Another OBD scanner: wired means safe?
What we investigated? A wired OBD scanner for car diagnostics.
What we discovered? The device manufacturer put a lot of effort into securing the firmware. Yet, having tried several methods, Kaspersky experts managed to extract the firmware from the device’s memory and found a way to modify it.
However, it turned out that the scanner’s memory was only large enough to log readings and errors. The device cannot be used as a springboard to hack into the car’s electronic systems.
What’s the threat? Users have nothing to fear. The manufacturer of the gadget gave it only the features needed to perform its main task and no more. So besides accessing the error log, hackers have nothing to play with.
Tire pressure/temperature monitoring system
What we investigated? Unsurprisingly, this device is designed to display tire pressure and temperature data, and to notify the driver if the values go too high or low. It consists of four sensors (one per wheel), a screen, and a control unit.
What we found out? Since the sensors transmit information to the control unit via radio, our experts decided to try to intercept and substitute the data using an SDR (software-defined radio). For this, it was necessary to know the serial number of each sensor and what part of its outgoing signal contained data on pressure/temperature changes in the wheel. After several probes, our experts found what they were looking for.
However, it should be noted that substituting the signal in practice requires permanent communication with the sensors: the receiver antenna needs to stay pointed at the victim’s car and move along at the same speed.
What’s the threat? By substituting the sensor signals, attackers can display warnings about non-existent malfunctions, forcing the driver to stop the car. However, for a successful attack, they need to be near the target. With that in mind, owners of the device shouldn’t lose any sleep over this.
A super-smart alarm
What we investigated? A smart security system that opens and closes the car doors and starts the engine. It can be controlled either from the key fob or via Bluetooth through the Android app.
What we found out? The alarm key fob communicates with the security system over an encrypted channel. Moreover, the developers secured the Bluetooth connection for control via a smartphone: the devices pair up during installation of the alarm, so connecting from another smartphone will not work.
The weakest link in the security system turned out to be the app. First, it does not request a password or biometric data at login. It is also possible to give commands to the security system without additional authorization. In other words, having stolen your phone with an unlocked screen, the cybercriminal gains your car as a bonus.
The second threat faced by users of the so-called smart alarm is smartphone infection. A Trojan that simulates finger movement across the screen makes it relatively easy to open the car and start the engine. On one condition: the owner’s smartphone must be located near the car at the time and be connected to the alarm via Bluetooth.
What’s the threat? Although our experts managed to piece together a viable attack mechanism, it is not very applicable in real life. First, it is rather complex. Second, it requires the targeted infection of a specific smartphone. Third, to implement the scheme, the owner’s smartphone must be in the vicinity of the vehicle, which makes an under-the-radar attack harder to carry out. On top of that, it is easy to guard against such an attack: install a reliable protection on your smartphone, and do not forget to password-lock the screen.
GPS tracker
What we investigated? A standard GPS tracker that is connected to the Internet and transmits data on the vehicle’s movements. This type of tracker can be used to monitor couriers and parcels or keep an eye on hired-out equipment.
What we found out? Hacking the administrator account of the server side of the GPS tracker grants access to the user database containing routes, financial information, contacts, names, and much more besides. A more likely (due to the lack of two-factor authentication) hack of a user account can give access to the data of that client.
What’s the threat? Theoretically, hacking the GPS tracker server can be used for surveillance and data harvesting. However, our experts rate the likelihood of such an attack as low.
Smile, you’re on secure candid camera!
What we investigated? A smart dashcam. The gadget responds to voice commands, can independently identify potentially dangerous situations and log them, adapt to different lighting levels, and, of course, interact with a smartphone or tablet via Wi-Fi.
What we found out? In theory, by connecting a smartphone to the camera, cybercriminals could wreak havoc. However, in this case, the system security is up to scratch. For instance, not only is it protected with a password that can be changed, it also advises the user to create their own password instead of using the default when connecting for the first time. And to connect a new phone, the user must press a special button on the dashcam itself.
What’s the threat? Without physical access to the camera, attackers can neither interfere with its operation nor retrieve recordings from it. And if they managed to gain physical access, it would be far easier to steal the dashcam’s memory card.
Conclusions
In terms of practical attacks, the security of most of the tested IoT devices proved perfectly adequate. Sure, there are vulnerabilities, but ones hard to exploit in real life conditions. It seems that manufacturers have begun to pay more attention to product security, and this bodes well for the future of the smart device market as a whole.
For more details about the search for vulnerabilities in automobile gadgets and the expert findings, see our Securelist report.