Why smart cars can be a threat to you!

Last year, researchers at the University of California and the University of Washington demonstrated a proof-of-concept software, dubbed the 'CarShark'.

Developed using homemade software and a standard computer port, the contraption used a laptop to hack into a modern car. The same research team recently extended the scenario to remotely mount attacks through bluetooth.

Modern vehicles have radio frequency identification (RFID) tags embedded in tyres to provide sensor data over wireless short-distance communication to the vehicle.

It is used as a tyre-pressure monitoring system. Researchers at the University of South Carolina and Rutgers University showed an attack can be mounted to track a vehicle and compromise the privacy of passengers by tracking the RFID tags using powerful long-distance readers at around 40 metres.

...

Automakers have increasingly started to distinguish their models through electronics. Embedded devices are used in almost all areas of vehicles, including airbags, radio, power seats, anti-lock braking system, electronic stability control, autonomous cruise control, communication system, and in-vehicle communication.

New cars also have the ability to be remotely started by a mobile phone, using a connection from the car and a request to start it from the key holder, through cellular network services or the internet.

Personalised systems such as bluetooth, GPS navigation systems, in-vehicle infotainment and online help systems are common.

...

Numerous automakers offer cellphone-based communication, the examples of which include General Motors' OnStar, Ford's SYNC, BMW's Assist, Lexus' Enform, Toyota's Safety Connect and Mercedes' mbrace. Some carmakers also include Wi-Fi hot spots in their vehicles.

These provide internet access to the passengers' devices. Internet giant Google, too, recently demonstrated autopiloted cars and smart roads with sensors that report on traffic conditions and vehicle speeds.

However, as more and more digital technology is introduced into automobiles, the threat of malicious software and hardware manipulation only increases, cautions a new McAfee report, 'Caution: Malware Ahead'.

...

Stuart McClure, senior vice-president and general manager, McAfee, says in the rush to add features, security has often remained an afterthought.

"It's one thing to have your email or laptop compromised, but having your car hacked could translate to dire risks to your personal safety," he says.

Frost and Sullivan estimates cars would require 200 million to 300 million lines of software code in the near future. The increasing feature set, interconnectedness with other embedded systems and cellular networking or internet connectivity can also introduce security flaws that may become exploitable.

The report lists new tools like Viper Smart Security, which uses internet-mapping capabilities and a Facebook function that can be configured to send out instant updates on the car's activity.

...

This could easily be used to gain access to the passengers' whereabouts, schedule and routine. The security concern here is not with the automobile itself, but the correlation between tracking and social media that questions the privacy of the consumer.

Based on this information through Facebook updates, the details could be sold or used for other malicious activity against the individual. Security testing and white hat hacking are ways to better understand the possible threat vectors, says the report.

One penetration tester, hired by a US-based municipal government, determined several IP addresses used by the city's police department connected directly into a Linux device in police cruisers.

...

Using little more than FTP and telnet commands, he then tapped into a digital video recorder (DVR) to record and stream audio and video captured from gear mounted on the vehicle's dashboard.

He was able to not only tap live feeds from the two separate cameras mounted on the cruiser, but also control the DVR's hard drive.

Using default passwords hardcoded into the DVR's FTP server and disclosed in the support manuals he found using an internet search, he was easily able to upload, download, and delete files that stored months' worth of video feeds.

Gathering the knowledge to hack into the recording system is a flaw, but not ensuring strong, unique passwords allowed manipulation of valuable evidence.