CyberWire Daily - Alarming vulnerabilities in automotive security systems. [Research Saturday]
Episode Date: March 30, 2019
Researchers at Pen Test Partners recently examined a variety of third-party automotive security systems and found serious security issues, potentially giving bad actors the ability to locate, disable, or meddle with multiple vehicle systems. Ken Munro is a security researcher with Pen Test Partners, and he joins us to share their findings. The original research can be found here: https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Well, so you've probably seen there's been a lot of issues around key relay attacks for
keyless entry vehicles. That's Ken Munro. He's a security researcher
at Pen Test Partners. The research we're discussing today is titled Gone in Six Seconds?
Exploiting Car Alarms. So the idea being a car thief will come along with a smart black box
and use that to amplify your keyless key signal and then can open your vehicle and drive it away.
So a lot of people are now looking
at third-party alarms that provide another layer of protection to mitigate against key relay attacks.
And that's what we started looking at. And so what's the range of features that these
third-party vendors are advertising? Well, if you've got a mobile app for your car already,
you'll probably know some of the sort of functionality you'd expect.
So you can geolocate your car so you can see where you've left it in the parking lot.
You could lock and unlock the doors.
If you've forgotten, you can easily lock it and you can check the status and immobilize, de-immobilize your vehicle.
So sort of things you're probably familiar with if you've already got a mobile app for your car.
But these are also provided by third-party alarm vendors.
And so what's the benefit here of the third-party vendor?
Is this a functionality that's not built into all cars?
Well, that's the thing.
It's another layer of security.
So if you've got a vehicle that's vulnerable to, say, key relay,
or maybe it doesn't have a high-quality alarm factory fitted,
you can have another layer of security.
So an additional set of immobilizers
that will take control if the other ones are overridden. All right. Well, let's dig in here.
Walk us through. What did you discover? Well, what really got our attention is we
noticed one of the alarm vendors advertised their system as unhackable. And that is a red flag. We've looked at a few devices over
the years. We looked at a cryptocurrency wallet that was promoted by John McAfee a little while
ago. And that was promoted as unhackable. And guess what? It wasn't. So that word always gets
our attention. And we saw this and we thought, you know, we have to have a look. So the first
thing we started looking at were a couple of major alarm vendors. So Pandora, very big brand in Europe and Russia. And then Viper, who I think
are very well known in the US and are branded in UK as Clifford. But they have several brands
around the world. So we started looking. The first thing we did is we started looking at
their smartphone apps. And we found some things that bothered us, but we couldn't really go too
much further without getting hold of the equipment and having them fitted to our vehicles. We didn't want to
start touching other people's alarms. That wouldn't have been ethical or right. So,
we took a backseat and then booked some expensive smart alarms to be fitted into a couple of our
vehicles here. And about six weeks later, we had them in. We had them working.
And guess what?
Everything that we suspected turned out to be true.
So we had the ability to find your vehicle in real time, whether you were driving, stationary, parked, or whatever.
That was quite creepy.
So we could track you, something like 3 million vehicles in real time.
So we knew where you were, where you were going, what you were doing. So just to be clear here, not your own vehicle, but the ability to go in and track other people's
vehicles beyond your own.
If you want to do, yeah. Obviously, we only tracked our own because we're the ethical guys.
We're good. We're not going to be breaking the law. But a bad guy, a vehicle thief, could track you,
people in your vehicle, anytime. 3 million vehicles in real time.
What was the specific vulnerability here that allowed you to do that?
Okay. So technically, what we discovered were some missing authorization steps in the APIs
that the mobile apps used to communicate. So whilst you had to create a user account and you
had to log in, what it didn't do is after you'd logged in, checked correctly that you were the person authorized
to make those requests. Essentially, anyone with an account could make a request to reset
a password. They could send that password reset to any email address, obviously to one in control
of the hacker, reset the password, and then take control of the account, locking out the legitimate
user. And you don't have to be an owner of one of these devices to spin up an account, right?
No, that's where our first initial steps started. So we created a couple of accounts for ourselves,
checked to see if we could access our data from the other account. So we weren't trying
to access anyone else's data, but we could prove that we could access one from the other.
And so your ability to do this, you can go in and basically grab control of someone's account.
And then what abilities do you have from there?
Right. So we can track you. That's great. So we know where your vehicle is.
So we can then unlock the doors, which you probably wouldn't be very happy about that.
We can disable the alarm and then we could disable the immobilizer.
So we're now in a position where we can get into your vehicle
and in some configurations, you could drive it away.
But the bit that creeped me out the most
was that because we can track you in real time,
one of the bits of information disclosed in the app
is the type of vehicle.
So you could deliberately target expensive, fast sports cars.
You could go and find them late at night, go and drive behind the
owner, set the panic mode off on their alarm, which would usually call someone to stop. And
then you can go and assault them, take their keys, pull them out of the vehicle and drive
off in their expensive car. So that's pretty horrible, right?
Yeah, it is. The ability to target a certain group of vehicle owners, then this provides you with a map to where they are and an ability to directly affect the vehicle that they're driving, including, can you shut the engine off?
we had the alarms fitted to, but we believe that certain types of vehicles with some of the alarms,
we could successfully disable the engine in motion. So whilst we couldn't prove it during our research, it's just a matter of having another couple of vehicles fitted and we're
confident we could kill the engine of certain vehicles whilst they're in motion. So you might
be driving along the freeway at 70, 80 miles an hour, all of a sudden your engine quits.
Now, some of these devices have audio capabilities as well.
They have microphones built in.
Oh, this is mad.
This was really mad.
One of the alarm vendors, this was Pandora.
If you experienced a high G impact, for safety reasons, it could automatically dial the emergency services and set up a call.
So you could call the emergency services.
Cool.
However, we just realized that the same microphone, this component of the alarm that allows that, we could actually enable that microphone remotely on around 2 million vehicles.
So we could set up a listening bug into 2 million cars and listen to the driver and
their passengers talking with no evidence of that happening. Nothing was evident
to the user at all. Wow. So a remote snooping capability that doesn't draw any attention to
itself. Yeah. And how often do you have conversations that you really don't want
overheard when you're in the privacy of your own vehicle? Yeah. Just the amount of talking to
myself that I do would be embarrassing. Now, there's another part of this, and that has to do with the CAN bus on these vehicles,
which is a part of all modern vehicles. Can you describe to us, first of all,
what is the CAN bus and how do these interact with it?
Oh, sure. Okay. So the CAN is the car network. That's the bit that electronic components talk
to. They talk to your throttle. They talk to the braking system. They talk to the brakes.
They talk to the engine. It's what makes the car work and communicate. And it's the integration
of other things on your car that expose the security of the CAN bus. So if you've got braking
by wire or throttle by wire, you can actually start to tamper with the way that the vehicle
operates. In some cases where you have self-park, you can, in theory, take over control of the
steering column as well. And that's quite worrying. Now, what we started looking at,
for simplicity and to make the alarm install easy for the installers, you would often connect the
alarm to the vehicle CAN bus network. And the alarm was then capable of determining which vehicle
it's connected to, and then could interact with the vehicle immobilizer and could configure itself.
So it sped up the process of installation dramatically. But as part of that, we discovered
that some alarms have the ability to issue commands to the vehicle network, to the CAN,
and that's where things get a bit scary. Now, we haven't completed the research in that space,
but we've already seen evidence that it may be possible to issue commands to the cruise control to accelerate. And also, because in some cases you need to tap
the brake pedal before you start a vehicle, some of these alarms have the ability to talk to the
braking systems. So in other words, I'm trying to puzzle through this, a remote start function
would need to simulate a foot on the brake to be able to remotely start the vehicle, for example?
That's absolutely right.
And so having that access to the vehicle itself while driving wouldn't necessarily
know the difference between a real foot on the brake and one that was triggered artificially.
That's right. So you've got access to the CAN bus, which means hopefully when we complete
our research in this space, we'll be able to issue arbitrary commands to the vehicle network over the alarm API.
Does this point to a fundamental issue with the CAN bus itself?
Should this information be available to external devices being sent around in the clear?
Well, you're talking about reversing, what, 30 plus years of development there.
That's the challenge.
So the CAN on the vehicle, there's very little one can do about it. So if you were to apply, say,
encryption to it, then you'd increase the latency. So when you press your brake pedal, instead of the
brakes coming on immediately, they might be delayed by half a second, and, you know, if you
have a wreck as a result of that, that wouldn't be a good place. So, well, the most important
thing with CAN is stopping what we call bridging onto it, whether that's through your sat-nav, through your phone, through your Bluetooth, through your tire pressure sensors.
The trick to vehicle security is stopping other systems talking to it and therefore making it easy to compromise.
I can imagine some sort of handshaking type of thing.
Like, I am the brake pedal, and here's how I'm verifying that I am who I say I am, and I'm not someone else.
Kind of, yeah.
Although I think what many vendors are working on is the concept of what we call a CAN gateway.
So it means that, say, your sat-nav can only issue certain commands onto the CAN.
So your sat-nav needs to know how fast it's going, so how fast the wheels are rotating.
So it should only be able to read that data. It shouldn't, therefore, be able to send information to the braking system.
I see.
Yeah, no, that makes a lot of sense. So you discover these things and you reach out to the vendors. What happened next? Actually, that was the good bit. Probably
the biggest problem we have when we're doing security research and find vulnerabilities,
the vendors just don't listen in far too many cases. So we try and disclose responsibly,
and then we get to a point three, four months down the road where we end up having to go to the media in order to get them to listen and fix the bugs.
However, in the case of these two alarm vendors, they were actually really responsive.
So Pandora, the Russian manufacturer, fixed it in four days, which included a weekend.
And Viper, they fixed it in five days.
So they're actually really,
really responsive. And that's unusual. So I think the good piece of this story is just how well the vendors responded. But what bugs me is those vulnerabilities shouldn't have been there in
the first place. Now, when you say fixed it, what did they do under the hood?
So what they did is they implemented authorization checks to make sure that when you're making,
for example, a password reset request, the email address goes to the email address on file, not just anyone's email address. Really simple fix. And that's what we liked about this is we knew that the vendors would be able to fix it fast, which meant we could start writing up our work.
Now, have you looked at any other manufacturers of these sorts of devices? Have you found any that were doing it right from the get-go?
It's not often we find smart tech that does security 100% right.
It's very, very rare that we do.
There are a few good examples, not many.
We are continuing our research and we're looking at a bunch of other devices right now that relate to vehicle security.
Not strictly alarms.
I won't go into detail about what they are, but we are continuing our research. And so far, every product we've
looked at has serious security flaws. And we'll be releasing those a little later in the year.
What about from the manufacturer's side of things? What sort of work are they doing
to try to prevent these things from happening?
By and large, the automotive manufacturers, the OEMs, they're doing a good job. They're actually really working hard to reduce security. And actually,
many of them are completely re-architecting their vehicle networks, including security at every
point. The problem is vehicles last for a while. Maybe your vehicle lasts 10, 15 years. So we have
this huge legacy problem. There's also quite a significant lead time in the development process for a new vehicle.
You're talking three years from drawing boards to full production and sale.
So even the manufacturers that are right on it and doing a great job right now, it still
can be 18 months to three years until we see the fruits of their efforts actually getting
onto the tarmac.
Yeah, it really is an interesting development as the
technological sophistication of vehicles has grown over the past decade. So I saw someone
comment recently that they said, my favorite iPhone accessory is my car.
I love that. But that's true. I mean, we're seeing automotive tech grow by 15% to 20%
every year, which is incredible. However, unfortunately,
security wasn't keeping pace with that development of functionality for many years. And I think it
took people like Charlie Miller and Chris Valasek to draw attention to that with their
Jeep hack a few years ago. And that point was the wake-up call three and a half, four years ago.
But only now we're starting to see vehicles hit the road, which have got good security controls
included.
Now, what are your recommendations for the folks who may be developing products like
this, things that interact with vehicles?
What are your recommendations in terms of making sure that they don't have these sorts
of security problems?
Well, I just love the irony of a vehicle car alarm making your vehicle less secure.
And I think that that did have a reputational impact
upon these alarm vendors. So I think it's really important that you take security very seriously.
It was evident from the majority of the coding work that these two vendors did in their mobile
apps. They kind of got it, but they didn't check thoroughly enough. So it's really,
really important to get an understanding of secure development practices so that your development teams code correctly and safely and securely.
But also then to verify it.
Don't just take the word of your developers or your third-party suppliers that their products
are secure.
You've got to get it checked.
You've got to thoroughly, thoroughly make sure that the product that you're taking to
market doesn't make your customers less secure.
And is this the kind of vulnerability that, had this been sent out to a third-party tester, would have been
readily discovered? Yeah. That's probably the most embarrassing bit: these are really
simple vulnerabilities. Don't get me wrong. We do some really hardcore research work here involving
taking chips off PCBs, reverse engineering them, fault injection using lasers and magnets
and electrons and stuff like that.
But this was real simple.
It was what's called an insecure direct object reference.
And it's right up there in the OWASP top 10 list of most commonly found vulnerabilities.
Now, what about from the consumer side of things?
If I'm someone shopping around and I want to make my car more secure and not less, any
tips for folks out there?
Well, ironically, actually, going with the two vendors that had this train wreck,
actually, it's probably a good idea now because they've addressed their security concerns. They've had a bad experience and they're right on their security now. So arguably, I'd look for an
organization that maybe had a bad experience of security, because they're the ones that are going to be taking it right now.
Our thanks to Ken Munro from Pen Test Partners for joining us.
The research is titled Gone in Six Seconds, Exploiting Car Alarms.
We'll have a link in the show notes.
Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.