Security Vulnerabilities In Modern Cars Somehow Not Surprising

As the saying goes, there’s no lock that can’t be picked, much like there’s no networked computer that can’t be accessed. It’s usually a continual arms race between attackers and defenders — but for some modern passenger vehicles, which are essentially highly mobile computers now, the defenders seem to be asleep at the wheel. The computing systems that control these cars can be relatively easy to break into thanks to manufacturers’ insistence on using wireless technology to unlock or activate them.

This particular vulnerability involves the use of a piece of software called gattacker which exploits vulnerabilities in Bluetooth Low Energy (BLE), a common protocol not only for IoT devices but also to interface a driver’s smartphone or other wireless key with the vehicle’s security system. By using a man-in-the-middle attack the protocol between the phone and the car can be duplicated and the doors unlocked. Not only that, but this can be done without being physically close to the car as long as a network of some sort is available.

[Kevin2600] successfully performed these attacks on a Tesla Model 3 and a few other vehicles using the seven-year-old gattacker software and methods first discovered by security researcher [Martin Herfurt]. Some other vehicles seem to have patched these vulnerabilities as well, and [Kevin2600] didn’t have universal success with every vehicle, but it does remind us of some other vehicle-based attacks we’ve seen before.

16 thoughts on “Security Vulnerabilities In Modern Cars Somehow Not Surprising

  1. Given that it’s pretty easy to prevent this sort of attack at the protocol level (obviously you’ll never prevent analogue relay as used by current car thieves), it’s pretty appalling how poor so many software teams have been.

    1. Probably not so trivial: this is a relay attack, so as long as you can implement a bent-pipe bidirectional relay the only way to detect the attack is occurring is an accurate method of physically locating the link endpoint that is resistant to relaying (e.g. an absolute time-of-flight measurement, or the keyfob having a battery-sapping GPS receiver).

  2. Until insurance companies start refusing to insure vehicles these problems wont get fixed.
    The consumer is ultimately picking up the tab with higher premiums.
    For every car which gets stolen and paid out for, one of the manfuacturers sells another one.

    Sounds like a massive scam. RICO time ?

    Physically put a key in a slot.
    It’s not exactly rocket science.

    Stop broadcasting signals.
    Radio transmissions are always just a implementation waiting to be bypassed/hacked.
    What’s even more heinous is that in many (most?) vehicles you cannot disable the feature/critical flaw.

    1. Insurance companies simply do not care… because if their losses increase, they simply pass these business costs/losses down to all of the consumer. This business practice is not unique in the insurance industry, but many others. The overall economic inefficiencies in this practice is astounding, but until it directly affects a particular company, nothing will change.

      1. No, insurance companies do care because they compete with each other for customers based on price. This is why owners of safer car models pay lower prices for insurance. Insurance companies do safety research such as that done by Underwriters Laboratories and the Insurance Institute for Highway Safety. While safety regulations are currently most often enforced by governments in the past they were most often enforced by insurance companies. One of the most important innovations in boiler safety, the Hartford Loop, was an insurance company requirement.

        1. Your arguments are an ideal case and certainly do not apply here in Canada with regards to auto insurance. Canada’s auto insurance market is uncompetitive in many areas and regions. In an ideal open market competition rules, but as I said this is not the case here in Canada. If one auto insurance companies increases their rates, they all follow suit. There are some that “may” not increase their rates as much, but in the end there is a fair amount of collusion. Auto theft, catalytic converter thefts, etc are simply not a concern for Canadian auto insurance companies simply because they ALL pass these costs downstream to the consumer. Sadly, this also extends to home and business insurance policies too. Recently an insurance friendly gov removed most oversight in insurance rates and overnight everyone’s insurance policy increased dramatically. Virtually everyone in the region saw insurance increases of 25-30%. Business increase saw increases from anywhere from 45-90% increases… all with no prior claims for decades. As I said in an ideal area where there is true competition and choice then market forces will work in a consumers favor. However, in areas where there are only a few players that are effectively a monopoly, then the consumer is simply forced to pay whatever the amount is with very little price difference between the various “competitors”.

      1. Yeah no. Luddites are opposed to advanced technology because it reduces their employability if they don’t maintain an ongoing education in their field. People who don’t want to use “advanced” technology because it has a high potential for actively causing them harm are intelligent and wise, which is very different. You can have your keyless entry, but when your car gets stolen by someone who uses it to get into your car, you don’t get to come whining to the security conscious people who warned you without looking like an utter fool. And no, “It’s fine because my insurance will cover it” isn’t a valid retort. Is your insurance going to send a ride to pick you up from work or the grocery store? Is your insurance going to cover the cost of missing that critical work meeting you got fired for missing or that lost you a critical client? Nope.

        My mom taught me a critical lesson: It doesn’t matter whose fault it was or who ends up paying the damages when something goes wrong, you still have to live with the immediate consequences, and sometimes those are far worse than what insurance will cover or the courts will award you. The first time she told me this, it was in the context of car accidents. It doesn’t matter whose fault the accident was if you die, because the courts can’t magically award you your life back. If you survive but are hospitalized, insurance might cover lost wages for the time, but they won’t cover the cost of losing your job, failing college classes, or missing that critical meeting that would have given you your big break. This applies to security as well. Insurance might replace your car or reimburse you for the loss. It will probably take at least 6 months though, and if the lack of a car prevents you from going to work, they aren’t going to reimburse you for that. All of the rest applies as well, including losing your job, failing classes, missing meetings, and so on. They might cover the obvious up-front loss, but they won’t cover the losses from all of the waves created that affect all of the parts of your life that lost time and lack of transportation cause.

        Be dumb and practice terrible security if you want. Your loss. You don’t get to go around insulting people who are objectively wiser than you though.

  3. I am still waiting for a Tesla Charge door exploit. Basically Tesla Charge ports open from a static RF signal when a Tesla pulls up to a charging station and the car is put in park. Because it is a static signal, it is easy to open charging ports with a transceiver or an SDR that can transmit.

    Now you might say big deal, but inside the charge port you can directly access the CAN bus or network that the Tesla ECU operates on. There is an old saying that “Physical Access, is Full Access”

    1. Flipper 0’s can do this pretty easily, I’ve popped my Model 3 a couple times for fun and honestly it’s not hard to manually pry one open with a simple screwdriver. I would hope the CAN bus is disabled to the rest of the vehicle and only exposes simple commands to initiate charging.

    1. Classic obfuscating patent language. Dozens of pages and figures with 160 numbered arrows to say

      “1) We can lock it by remote command”

      “2) We can command it to drive to a Ford agent by remote command”

      Now give us a patent for this totally innovative, completely not obvious idea we have just this very moment been the first people to realize might be possible.

  4. Sweet. This is a great followup to the Defcon talk I just watched. “Passive Keyless Entry and Start Systems – DEF CON 27 Car Hacking Village”. That talk covered the previous gen Tesla keyfobs and their crappy crypto

  5. Still, at least it’s not like the car can be made to drive itself and run someone over…

    Oh, wait.

    That Fast & Furious movie was surprisingly prescient, self-driving attacks will be terrifying and deadly.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.