Hackers vs. smart cars: Count the models that failed


Cars are no longer just a means of transportation for us. With the development of mobile technology, cars, like the Internet of Things, have their own Internet of Vehicles platforms and technologies. Relying on Internet of Vehicles technology, we can achieve more technological functions such as navigation, road condition information acquisition, remote control, automatic driving and even unmanned driving.

However, like the Internet of Things, the Internet of Vehicles also faces the problems of system vulnerabilities and hacker intrusion. Unlike a hacked Internet of Things platform, once the Internet of Vehicles is hacked by someone with "impure intentions", our losses are not limited to personal information and property. Hackers can control our car systems and even take over our steering wheels and brake systems, putting our lives in danger.

This statement is by no means an exaggeration. If you don't believe it, let's take a look at some real examples that have been reported in the newspapers. I believe that after seeing these, you will involuntarily pay more attention to the security of the Internet of Vehicles.

Jeep becomes the hardest hit area by hackers

If we talk about hackers' favorite "car meat", it must be the Jeep brand under Chrysler. Two security researchers named Charlie Miller and Chris Valasek seem to be full of "interest" in Jeep. In 2015, the two hackers once controlled a Jeep Cherokee owned by Andy Greenberg.

According to the car owner, when the Internet function was turned on, the car's air conditioner suddenly blew out strong cold air, and then the audio system started playing music at full volume, and then the temperature and volume control functions all failed. After that, the two hackers displayed their photos on the car's central control display, and then the windshield cleaning fluid sprayed out, and the wipers started working at full frequency.

Then there was something even more "heart-pounding". The two hackers actually stopped the car, and when Greenberg continued to drive the car, the hackers managed to disable the brakes and completely took over the control of the car. In the end, the car was forced to stop on the slope beside the road. Fortunately, the two hackers did not intend to endanger the life of the car owner, but were only evaluating the safety of vehicles equipped with new technologies. The attack directly led to Fiat Chrysler recalling 1.4 million vehicles in the United States and became one of the main topics of last year's Black Hat conference.

Not long after their controversial 2015 test, Charlie Miller and Chris Valasek once again set their sights on the Jeep Cherokee, and this time they took full control of the car's braking system.

The two hackers accessed the Jeep's system through the CAN bus, and then completely paralyzed the Jeep's brake system to achieve control. They said that more remote control methods can be used, such as using hidden devices with wireless connections to attack. Hackers can redesign the attack program during the attack to launch new targeted attacks and can easily achieve control over the vehicle. The Uconnect dashboard information system developed by the researchers was easily hacked in this way. Not only the brakes and wiper switches but also the car engine were controlled; however, the hackers must first be physically connected to the car, and remote control cannot be achieved immediately.

General Motors' OnStar was hacked

Also in 2015, another "white hat hacker", Samy Kamkar, chose GM's "OnStar" system, saying that he could exploit a security vulnerability in the product to unlock the car and start the engine from a distance.

Samy Kamkar figured out a way to "locate, unlock and remotely start" the car by intercepting communications between the OnStar Remote Link mobile app and the OnStar service.

Later, GM's Chief Cybersecurity Officer Jeff Massimilla said that the company attaches great importance to security researchers and has launched a new disclosure project. In this project, they will cooperate with the security vulnerability bounty platform HackerOne and use white hat hackers to learn about potential security issues. More importantly, the launch of this project ensures that these security researchers can hack GM's cars without worrying about being sued.

According to GM, anyone with good intentions can try to hack into their cars without facing legal action, as long as they do not break the law or cause harm to the company or its customers. When a security hole is discovered, the hacker can only make his or her findings public after GM fixes the problem.

Mercedes-Benz and BMW were not immune either.

After Samy Kamkar successfully conquered GM OnStar, even luxury car brands such as Mercedes-Benz and BMW were not spared.

Kamkar said that apps including BMW's Remote, Mercedes-Benz's mbrace and Chrysler's Uconnect all have vulnerabilities in SSL certificate verification. As long as you have the certificate, you can imitate the App to communicate with the remote server and implement the corresponding functions provided by the original App. Moreover, these certificates are not only valid once, their validity period is the same as that of the car owner. In other words, obtaining this certificate is equivalent to obtaining the car owner's administrator privileges.

Once the car owner is hacked, the hacker will obtain the home address, email address, credit card information, etc. At the same time, some car models can also be remotely controlled to start and unlock the car.
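The SSL certificate verification weakness described above, seen from the defender's side, as an added example that is not code from any of the apps named: a client TLS configuration that accepts any certificate beside a hardened one, a check that flags the difference, and a certificate pin comparison. The function names and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def weak_context() -> ssl.SSLContext:
    """Client context with the flaw described above: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context that validates the certificate chain and the server name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the verification weaknesses found in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked")
    return findings


def pin_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Compare the SHA-256 of a DER certificate with the value shipped in the app.

    On a live connection the bytes come from sock.getpeercert(binary_form=True).
    """
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())


# Constructed stand-ins for DER certificates (not real certificates).
EXPECTED_CERT = b"constructed-der-bytes-of-the-real-backend"
INTERCEPTOR_CERT = b"constructed-der-bytes-of-an-intercepting-proxy"
PINNED = hashlib.sha256(EXPECTED_CERT).hexdigest()

if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
    print("pin ok:", pin_matches(EXPECTED_CERT, PINNED))
    print("interceptor pin ok:", pin_matches(INTERCEPTOR_CERT, PINNED))
```
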

Tesla hacked

At the 2015 DEF CON 23 digital security conference, security experts Kevin Mahaffey and Marc Rogers demonstrated how to exploit a vulnerability in a Model S to open the door, start the car, and drive away successfully. They could also send a "suicide" command to the Model S, suddenly shutting down the system engine while the vehicle was driving normally to stop the vehicle.

After removing the rubber and other equipment on the Model S body, the security experts found a total of two removable SD cards, USB ports, a set of diagnostic ports and a mysterious special cable. Using this mysterious port, Mahaffey and Rogers were finally able to access the vehicle's onboard network through an Ethernet cable and some transparent tape. After connecting the vehicle to a network switch, they were able to further connect to the Model S's network connection and make full use of the VPN to connect to Tesla's servers to download and decompile the firmware.

Once the firmware had been cracked, the security personnel had more permissions to operate the Tesla. The combination of these two vulnerabilities, together with the wireless connection, the digital car key data found on the SD card, and the physical VPN connection to Tesla's server, allowed the security personnel almost full access to the car service called QtCarVehicle, through which all functions of the car can be controlled.

Toyota and Ford are also "very miserable"

Charlie Miller and Chris Valasek are two white hat hackers. At the 2013 DefCon hacker conference, they demonstrated how to use a computer to invade the electronic control system of Toyota Prius and Ford Escape models and take over the control of the vehicle, including steering, braking, acceleration and instrument display.

As more and more car models are being hacked, the FBI and the National Highway Traffic Safety Administration even issued an announcement earlier this year, officially reminding automakers and car owners that some vehicles with Internet access functions may be subject to network "hacker" attacks.

The reminder was issued in the form of a "public service announcement". The two government agencies warned that "Internet of Vehicles" technology is increasingly being used in cars, but that it brings potential information security threats. Even if the accident caused when hackers "take over" control of a vehicle may not pose a risk to personal safety, car owners still need to take measures to minimize the risk.

In fact, today's car manufacturers may be too focused on appearance and fashion and ignore the safety issues of cars. Especially for products like cars that can easily cause physical injury and major accidents, safety issues should be taken more seriously.

In addition, some car manufacturers are willing to expose user data to the public in order to use the latest technology. As car companies are vigorously developing intelligent car systems, they should pay more attention to the security of car systems. After all, cars are different from mobile phones and computers. Once they are hacked, people's lives will be more threatened. Therefore, the entire industry group should pay more attention to the security of intelligent car systems and self-driving cars, and provide more rigorous encryption mechanisms.

As a winner of Toutiao's Qingyun Plan and Baijiahao's Bai+ Plan, the 2019 Baidu Digital Author of the Year, the Baijiahao's Most Popular Author in the Technology Field, the 2019 Sogou Technology and Culture Author, and the 2021 Baijiahao Quarterly Influential Creator, he has won many awards, including the 2013 Sohu Best Industry Media Person, the 2015 China New Media Entrepreneurship Competition Beijing Third Place, the 2015 Guangmang Experience Award, the 2015 China New Media Entrepreneurship Competition Finals Third Place, and the 2018 Baidu Dynamic Annual Powerful Celebrity.
