Automotive hacking. The first time you hear the term, you can’t help but think it sounds like a futuristic, science-fiction concept. But it’s not futuristic and it’s not fiction – it’s reality, and it’s happening now. Car manufacturers need to acknowledge and respond to this growing problem, and developers should educate themselves on solutions to the problem.
The most recent example we’ve seen of automotive hacking’s growing prominence concerns BMW. As the BBC recently reported, the automotive company was forced to address a security flaw that left millions of its cars vulnerable to hackers. We’ve said it before, but it’s worth repeating: only by embracing software security tools, including static code analysis (SCA) solutions, can car manufacturers hope to catch these flaws early enough to prevent a costly and embarrassing automotive software security incident. Here’s an explanation of the problem and how SCA can help.
BMWs open to hackers
The security flaw affected all BMW models featuring its ConnectedDrive software. This software controls a number of key functions within the cars, including air conditioning, traffic updates and, most importantly, door locks.
According to research from the German motorist association ADAC, which discovered the flaw, car data was not being encrypted, allowing hackers to potentially take control of anything guided by the vehicle’s SIM card. BMW released a new patch to add HTTPS encryption, the BBC reported. According to BMW, this update happened automatically as soon as affected cars connected to the BMW Group server, thereby not requiring vehicle owners to take any action. In total, approximately 2.2 million cars required this software patch, including models such as Rolls-Royce and Mini.
It appears that the hack could be exploited through a man-in-the-middle attack, where data intercepted from unencrypted transmissions between the vehicle and mobile networks could be used to extract API information. While specifics are unclear, an example of how static code analysis can prevent exposure of application details is the SV.IL.DEV checker. This checker identifies calls that have the potential to leak information to the outside world, such as through an HTTP request (our documentation has an example of this). Another type of HTTP checker is SV.HTTP_SPLIT. This security checker identifies instances of HTTP response splitting in code, which could be used for web cache poisoning, hijacking, and cross-site scripting (XSS) by forging malicious responses to requests.
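The response-splitting defect class named above, shown beside a hardened form, as an added example that is not from the original post or the vendor's documentation. Function names and sample inputs are constructed for illustration and do not model any vehicle or BMW code.

```python
import re

# CR, LF and NUL are invalid in an HTTP field value (RFC 9110).
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_redirect_unsafe(target: str) -> bytes:
    """The defect: request-derived data is concatenated into a header line."""
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def build_redirect_safe(target: str) -> bytes:
    """The fix: refuse any header value that carries a line terminator."""
    if _FORBIDDEN.search(target):
        raise ValueError("control character in header value")
    return build_redirect_unsafe(target)


def header_names(raw: bytes) -> list[str]:
    """Header names as a client or cache would parse them from the response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed inputs: an ordinary value and one containing a CRLF pair.
BENIGN = "/dashboard"
TAINTED = "/dashboard\r\nX-Injected: 1"

if __name__ == "__main__":
    print(header_names(build_redirect_unsafe(BENIGN)))
    print(header_names(build_redirect_unsafe(TAINTED)))
    try:
        build_redirect_safe(TAINTED)
    except ValueError as exc:
        print("rejected:", exc)
```

A static checker for this class reports the data flow from request input to the header write in the first function; the validation in the second is what breaks that flow.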
A growing concern
BMW emphasized that there is no evidence hackers successfully exploited this flaw on any vehicles, or even attempted such a hacking effort. However, Reuters emphasized a point that we’ve made ourselves: many cybersecurity experts believe that the automotive industry is not adequately prepared to deal with the rising threat of car hacking. Numerous leading voices in this field expect that it’s only a matter of time until hackers are able to take complete control of targeted vehicles.
Unfortunately, we can’t help but agree with this assessment. In fact, there’s already evidence that this time has arrived. Late last year, police in Montreal investigated a string of automotive break-ins in which the criminals left no signs of forced entry. According to several experts, these were likely examples of successful hacking efforts – much like the kind that BMW’s vehicles would have been vulnerable to had the company not issued a software patch.
“It’s not a whole lot of work if you know what you’re doing,” Spencer Whyte, a Carleton University electrical engineering student, told the news source.
The simple fact of the matter is that cars are becoming increasingly reliant on software, and particularly externally-exposed programs. At the recent Consumer Electronics Show in Las Vegas, for example, Vox reported that one of the overwhelming trends was the evolution of cars’ computer systems. Whereas in the past these systems were entirely internal, that is no longer the case. Almost every car manufacturer plans to enable Android Auto or Apple CarPlay support in their upcoming models, both of which allow owners to use their smartphones to control the vehicles’ dashboard displays.
Critically, though, these systems will also create opportunities for hackers to hijack vulnerable automotive systems.
“What you see here is if you cut out one of the lines of defense, the thief really only needs one way in,” said George Iny, president of the Automobile Protection Association, CBC reported.
As Vox noted, these potential cyberattacks could grant hackers control not just of the cars’ doors, as was the case in the BMW flaw, but also internal microphones, brakes and even the steering wheel. The first of these presents the risk of eavesdropping, while the latter two are serious threats to driver and passenger safety.
With all that established, it’s safe to say that car manufacturers need to adopt better software security solutions across the board. That’s why we recommend every company in this sector embrace static analysis tools. These resources are invaluable for identifying potential code flaws early in the development cycle. Not only does this improve efficiency, it also reduces the likelihood of releasing a software fix later on, which would obviously generate negative publicity.