New-Tech Europe | December 2016 | Digital Edition

Figure 4. Automotive security: A hacker's eye view

Other Hacks in the News

Charlie talked a little about other car hacking in the news, things you might have heard about.

Some dongles exist to plug into your car to allow fleet management, or lower insurance rates for good drivers. All the dongles analyzed by academics were vulnerable. So most things that are in your car you can't do anything about, but here is one you can: don't plug a dongle into your car.

Troy Hunt discovered that with a Nissan Leaf the authentication back to the server was just the VIN. So you could walk up to a Leaf, read the VIN through the windshield, and turn on the heated seats. Since it is an electric car, it would drain the battery and it wouldn't go. This wasn't physically dangerous, but the attack was really easy.

There was a famous Tesla hack. It also needed physical access and could not access the CAN bus, but they could control the radio, windows, and door locks. Not the really scary stuff. Then they found a web browser exploit, which meant that they could reflash the CAN gateway and send arbitrary messages. Tesla fixed it and made it so that the code needed to be signed. Since they can update over the air, it didn't require a recall; it could just happen while all the owners were sleeping.

There were headlines about cars being stolen with electronic keys. But it turned out to be a low-technology approach. They stole the software for reprogramming keys, so they could then look up the VIN, create a key, open the car, and drive off.

All cars use proprietary message formats, so an exploit in one car won't work directly in another. With trucks this is not the case. The message formats are standardized among all manufacturers. So any attack on a truck will work on all trucks.

Summary

Charlie said they are trying to get ahead of the curve and communicate with car companies but "they don't talk to us." There are no white papers like there are from companies like Microsoft, about how their systems are designed for security. Hopefully things will get better, but they are not in good shape right now.
