• sh7786

Hacking connected cars: how are mobile networks involved?

The automotive industry is now laser-focused on cybersecurity. The current revolution to comprehensively integrate digital technologies into car and trucks has engendered a dangerous exposure to hackers exploiting vehicles connected to mobile wireless networks. The consequences of such attacks could be catastrophic, entailing irremediable damage to enterprise brand and even loss of human life.

White-hat hackers have famously demonstrated local exploitation of vehicles through both physical connections (such as an ODB interface; see Experimental Security Analysis of a Modern Automobile) and short range communication channels (see A Survey of Remote Automotive Attack Surfaces.) Such targeted intrusions bear serious attention, yet the risks and consequences of fleet-wide attacks are exponentially greater than those on individual vehicles.

Indeed, the very definition of the term “fleet” is currently transforming beyond mere common ownership or operation of multiple vehicles to reflect connectivity cyber-risk. The evolving understanding of a “fleet” today includes all vehicles connected to a common technology platform through shared hardware, operating system or software (see KPMG fleet definition) -- as in the case of vehicles from same OEM or sharing a parts supplier. In short, a fleet today amounts to all vehicles that effectively constitute a network.

High level connectivity

Large scale attacks are inherently remote attacks, exploiting wireless network access to a large number of vehicles, regardless of physical location. Many Mobile Service Providers, such as Sprint Velocity, offer connectivity to vehicles via Telematics and In-Vehicle Communications Systems. It’s precisely this wireless connectivity that enables fleet-wide attacks by propagating vulnerabilities identified in a single car to similar cars through “lateral movement”.

In a highly-followed investigation (see Remote Exploitation of an Unaltered Passenger Vehicle), researchers demonstrated how a vulnerability identified in the Uconnect head-unit of a 2014 Cherokee Jeep could be exploited in similar vehicles over the cellular network connecting this car model to the control center. The researchers discovered that the Sprint network involved here did not block communications between two devices on the network. They first determined that a Sprint device (in this case a burner phone) could directly communicate with another Sprint device (such as the Jeep) within the range of a single cellular tower -- a range of many miles. But more shockingly, they found that any Sprint device anywhere in the United States could communicate with any other Sprint device in that nation, a range enormously larger than that of individual towers or segments!

Anomaly Detection Confirms the Problem

Similar behavior was detected by imVision’s Anomaly Management Platform (AMP) in several mobile networks worldwide, confirming -- in our view -- that device-to device-communication has become a de-facto standard for mobile network architecture to enable advanced, low latency, communication patterns between mobile endpoints.

An analogous approach was used by IoT core malware Mirai to enable extensive lateral movement from one infected IOT device to an uninfected IOT device of the same type, to enlarge the IOT botnet in preparation for a subsequent large-scale attack.

imVision’s AMP continuously monitors communications between connected cars and the mobile network to identify and block lateral movements to execute large scale fleet-wide attacks.