Cybersecurity firm Kaspersky has uncovered a critical vulnerability in connected car systems that could let remote attackers seize control, potentially turning off engines or manipulating gears while you’re driving.
This revelation highlights a growing threat as vehicles become increasingly integrated with the internet. It’s no longer just about infotainment; the core functions of your car are now susceptible to remote exploitation.
The vulnerability stems from a zero-day flaw within contractor applications linked to an automotive manufacturer. Kaspersky’s investigation revealed that this weakness provides a gateway for malicious actors to infiltrate the telematics system. This system acts as the car’s nervous system, managing everything from GPS navigation to engine control.
Kaspersky’s remote audit targeted public services belonging to these contractor manufacturers. Their findings paint a disturbing picture of interconnected vulnerabilities:
Interconnected Vulnerabilities
- SQL Injection: A zero-day SQL injection vulnerability in a wiki app allowed hackers to extract user lists and password hashes. Weak code security policies made some passwords easily predictable.
- Firewall Misconfiguration: A misconfigured firewall exposed an internal server, granting access to the file system using the pre-obtained credentials.
- Full Telematics Control: This access led to contractor accounts with full control over the telematics system.
- Firmware Manipulation: The most alarming discovery was the ability to upload modified firmware to the Telematics Control Unit (TCU), the car’s brain.
The implications of this access are significant. Imagine a hacker remotely disabling the engine on a busy highway, or manipulating the steering or braking systems. The potential for accidents, injuries, and even fatalities is undeniable.
This isn’t just theoretical; it highlights the inherent risks of connecting critical vehicle functions to networks without robust security measures. The convenience of over-the-air updates and remote diagnostics comes at the cost of increased vulnerability to cyberattacks.
Kaspersky offers solutions to bolster defenses for both contractors and automotive manufacturers. Their recommendations provide a roadmap for enhanced security measures.
Recommendations for Contractors
- Limit internet access to web services via VPN.
- Isolate services from corporate networks.
- Implement strict password policies and multi-factor authentication (2FA).
- Encrypt sensitive data.
- Integrate logs with a Security Information and Event Management (SIEM) system for real-time monitoring.
Recommendations for Automotive Manufacturers
- Limit access to telematics platforms from the vehicle network segment.
- Use an allowlist (permissions list) for network interactions.
- Disable SSH password authentication.
- Run services with minimal privileges.
- Ensure the authenticity of commands on TCUs.
- Integrate with a SIEM system.
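As an added illustration of the "ensure the authenticity of commands on TCUs" recommendation (not code from Kaspersky or any manufacturer), the example below has the receiving side check an HMAC-SHA256 tag and a monotonic counter before accepting a command, so forged, modified and replayed frames are all dropped. The per-vehicle key, the frame layout and the command names are assumptions; the article does not describe a mechanism, and HMAC is used here only because it needs nothing beyond the standard library, where a production design might prefer asymmetric signatures.

```python
import hashlib
import hmac
import struct

# Assumptions (not from the article): a per-vehicle symmetric key provisioned
# in the TCU, and a frame layout of 8-byte counter | payload | 32-byte tag.
TAG_LEN = 32
HDR = struct.Struct(">Q")  # big-endian 64-bit monotonic counter


def sign_command(key: bytes, counter: int, payload: bytes) -> bytes:
    """Backend side: build an authenticated command frame."""
    body = HDR.pack(counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandVerifier:
    """TCU side: accept a frame only if its tag is valid and its counter is new."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self._key = key
        self._last = last_counter

    def verify(self, frame: bytes):
        """Return the payload if authentic and fresh, else None."""
        if len(frame) < HDR.size + TAG_LEN:
            return None  # truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None  # forged or modified; counter state is left untouched
        (counter,) = HDR.unpack_from(body)
        if counter <= self._last:
            return None  # replay of an already accepted command
        self._last = counter
        return body[HDR.size:]


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key
    tcu = CommandVerifier(key)
    frame = sign_command(key, 1, b"DOOR_LOCK")  # constructed command name
    print(tcu.verify(frame))  # accepted
    print(tcu.verify(frame))  # same frame again: rejected as a replay
    tampered = frame[:8] + b"DOOR_OPEN" + frame[17:]
    print(tcu.verify(tampered))  # payload changed: tag mismatch, rejected
```

The tag is checked before the counter is read, so an unauthenticated frame can never advance the verifier's state.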
The Kaspersky discovery serves as a wake-up call for the automotive industry. As cars become increasingly software-defined, security can’t be an afterthought; it must be a core design principle. The future of driving depends on it.
This incident also highlights the importance of ethical hacking and responsible disclosure. Security researchers play a crucial role in identifying vulnerabilities before malicious actors can exploit them. The automotive industry needs to embrace collaboration with the security community to build more resilient and secure vehicles.

