The aftermarket chink in the automotive armour3 min read

12/Jul/2019

In cyber security circles the success of “white hat” hackers in remotely penetrating vehicle controls through aftermarket car-alarm systems has sounded a new warning.

Carried out last year by a UK research team, the hacks indicate that, to ensure future vehicle security, the entire automotive supply chain will probably have to be enlisted. And this includes Tier 2 and even aftermarket manufacturers.

Being able to reach into a vehicle through parts made outside the control of an auto manufacturer represents a new cybersecurity challenge. The vast and growing marketplace of aftermarket add-on electronics remains largely unmonitored, according to Ken Munro, a security researcher with Pen Test Partners of Buckingham, England, who conducted the hacks.

“There is so much more vulnerability,” Munro told Automotive News. “In my experience, the OEMs are really waking up. But they have a lot of legacy product in the market already. My concern is not so much the OEMs, it’s all of their suppliers and the aftermarket.”

Vulnerability

Munro said that the Pen Test team hacked into vehicles through alarm systems from Directed Electronics of Vista Calif., and from the Russian-based Pandora Car Alarm Systems. Directed’s products include the well-known Viper-brand car alarms, available in the US.

Pen Test normally conducts “penetration testing” as a service to companies that want their security put to the test. However, according to Munro, on this occasion his company hacked the car alarms as a challenge. Pen Test conducted the research in a controlled experiment after equipping different vehicle makes and models with car alarms that researchers purchased.

“We appreciate the diligence of groups like Pen Test Partners in bringing this matter to our attention and are happy that it was quickly and successfully addressed,” Chris Pearson, director of marketing for Directed Electronics, said in the written statement. “The issue was quickly rectified.”

Directed Electronics said it believes “no customer data was exposed, and that no accounts were accessed without authorisation during the short period this vulnerability existed.”

Hacking results

The results varied by vehicle and alarm brand. But once the systems were hacked, researchers could locate a vehicle in real time; identify the car type and the owner’s identity; disable the alarm; unlock the vehicle; possibly eavesdrop on the vehicle’s occupants; and in some cases, kill the engine, even when the vehicle was moving.

David Barzilai, chairman of Israel’s Karamba Security, was unsurprised by the Pen Test hack. Karamba has gathered intelligence on hacking activity by setting up what Barzilai calls “honey pot” decoys, connected to the Internet with no security protection or with easily guessed passwords. He said that within a month, each decoy recorded more than 300,000 hacking attempts.

All of those attempts were almost certainly carried out by automated means. Hackers don’t necessarily know what kind of device they’re breaking into, Barzilai said. But once robotic hackers gain access to a device, any device running sophisticated programs such as those used in vehicles would become targets, he said.

Karamba’s security technology will go into the first mass-produced vehicles later this year, but the name of the manufacturer hasn’t been revealed.

Monique Lance, marketing director for another Israeli supplier, Argus Cyber Security, said she was aware of the Pen Test hack. Argus is part of Elektrobit, which is owned by the global Tier 1 supplier Continental AG. “It’s just another example of how increased connectivity is exposing OEMs to higher and higher risks,” said Lance. “It’s a warning signal for all the OEMs.”

The original article is available via the link.

United Kingdom

contact@cynation.com

+44 020 3190 5000

The Rain Cloud Victoria
76 Vincent Square
London, SW1P 2PD

Netherlands

contact@cynation.com

The Hague Security Delta
Wilhelmina van Pruisenweg 104
2595 AN Den Haag

Newsletter Signup

%d bloggers like this: