Your car is a computer on wheels — and its code can be hacked
Security vulnerabilities and attacks put cars and their owners at risk
What are some of the most common security flaws?
Poorly written code is vulnerable to security risks or malicious activity. Those millions of lines of code within a car’s microprocessors all have their own origin. For example, embedded system firmware, including the firmware used in connected vehicles, is composed of 80-95% third-party and open-source components.
And, once you start using software from other parties who may not share your security vigilance, the risk increases. Some common examples:
Log4j vulnerability
One example is the recent Log4j vulnerability, a zero-day vulnerability in the Apache Log4j Java-based logging library.
The main developer might have pulled in the Log4j software as part of their development practice. Or it might be wrapped in a third, fourth, or fifth party component built in Java that lands in the final software.
This jeopardizes the security of any auto server using the library. The data is collected and stored in different places over time. This increases the risk of impact on the vehicle software.
In January, cybersecurity researcher David Colombo gained remote entry to over 25 Teslas due to a security flaw discovered in third-party software used by Tesla drivers.
It didn’t enable him to ‘drive’ the cars. But he could lock and unlock windows and doors, disable the cars’ security systems, honk the horns, and turn the cars’ radios on and off.
The security problem of hardcoded credentials
Another example is hardcoded credentials. This is where plain text passwords and secret data are placed in source code. It provides a backdoor for product testing and debugging.
If they are left in the final code, an attacker can read and modify configuration files and change user access. If the same password is in use as a default across multiple devices, then you have an even bigger problem.
In 2019, hardcoded credentials left in the MyCar mobile app made it possible for attackers to access consumer data and gain unauthorized physical access to a target’s vehicle.
So, how do you secure software against vulnerabilities and attacks?
Finite State’s work starts at the testing phase, focusing on the final binary copy and builds. They work backwards, automating the reverse engineering of code, disassembling, decompiling, and testing for weaknesses and vulnerabilities. They then share these with the client’s security team.
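The following Python example, added here and not taken from the article or from Finite State's tooling, shows one way a security team can check a built binary for the hardcoded credentials described above: it extracts printable strings from the image and flags credential-like patterns, redacting the secret in the report. The patterns, function names and sample image are assumptions constructed for illustration.

```python
import re

# Printable ASCII runs of 6+ bytes, similar to what the Unix `strings` tool extracts.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# Heuristic patterns (assumptions for this example, not an exhaustive rule set).
RULES = {
    "credential assignment": re.compile(
        r"(?<![a-z])(pass(?:word|wd)?|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"&;]{4,})", re.I),
    "credentials in URL": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^/\s@]+)@"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def redact(value):
    """Keep findings reportable without copying the secret into the report."""
    return value[:2] + "*" * (len(value) - 2)

def scan_image(blob):
    """Return (offset, rule, redacted_text) for each credential-like string in blob."""
    findings = []
    for run in PRINTABLE.finditer(blob):
        text = run.group().decode("ascii")
        for rule, pattern in RULES.items():
            m = pattern.search(text)
            if not m:
                continue
            secret = m.group(m.lastindex) if m.lastindex else None
            shown = text.replace(secret, redact(secret)) if secret else text
            findings.append((run.start(), rule, shown))
    return findings

# Constructed sample standing in for a built firmware image: binary padding
# around strings a debug build might leave behind. Not taken from any product.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"admin_password=Sup3rDebug!\x00"
    + b"\x01\x02\x03mqtt://svc:fleetpass@broker.example.invalid/telemetry\x00"
    + b"\xff\xfe-----BEGIN RSA PRIVATE KEY-----\x00"
    + b"firmware build ok\x00"
)

if __name__ == "__main__":
    for offset, rule, shown in scan_image(SAMPLE_IMAGE):
        print(f"0x{offset:06x}  {rule:22s}  {shown}")
```

A hit from a scan like this is a lead for review rather than proof: the same default string appearing across several device images is the case the article calls the bigger problem.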
Wyckhouse explained that end testing enables them to see how a software artifact has changed over time:
When we think of cybersecurity and mobility, really, we’re only just beginning. But according to Wyckhouse, automakers are continually investing in security, not only to comply with industry standards but also to gain reputational and competitive advantages over rivals who repeatedly suffer from security breaches.
Still, not a week goes by without yet another report of an attack or a vulnerability found by white-hat researchers. And as car automation increases, the risks only get greater.
Story by Cate Lawrence
Cate Lawrence is an Australian tech journo living in Berlin. She focuses on all things mobility: ebikes, autonomous vehicles, VTOL, smart cities, and the future of alternative energy sources like electric batteries, solar, and hydrogen.