Last week, it was reported that two US security researchers successfully compromised a Jeep Cherokee’s air-conditioning system, radio, windscreen wipers, and brakes while a Wired journalist was in the midst of driving it. Jeep has since patched this vulnerability, but days later, the Manchester-based NCC Group upped the ante by broadcasting a signal that disabled another vehicle’s braking system.
The attack, recreated for research purposes within NCC’s property, sent data from a mobile device to the vehicle’s internet-connected infotainment system using digital audio broadcasting (DAB).
Speaking with the BBC, NCC research director Andy Davis explains that DAB data is harnessed by the infotainment system to display text and images on the vehicle’s dashboard screen, but the data may also be intercepted and replaced with malicious code that the system cannot identify.
Once the malware infects the infotainment system, any other critical systems attached to its network, such as braking or steering, can also be compromised.
What’s more, the DAB station that Davis constructed for the demonstration incorporated inexpensive off-the-shelf components connected to a standard laptop, meaning that anyone can build one with the right knowledge. And if that wasn’t enough, a powerful enough transmitter could potentially affect multiple vehicles at once.
“As this is a broadcast medium, if you had a vulnerability within a certain infotainment system in a certain manufacturer's vehicle, by sending one stream of data, you could attack many cars simultaneously,” he said.
“[An attacker] would probably choose a common radio station to broadcast over the top of to make sure they reached the maximum number of target vehicles.”
The above examples are but a taste of what will inevitably become a rampant issue as the number of Internet-connected vehicles continues to rise. According to Mike Parris of the vehicle security firm SBD, a modern vehicle’s computer runs a total of 50 million lines of code, whereas a modern airliner sits at 14 million. Theoretically, that’s more than triple the amount of QA and security checks that must be accounted for.
Source: BBC