IOActive researchers found that half of the cyber vulnerabilities in connected vehicles could grant an attacker full or partial control of a vehicle, the majority of which could be fixed with an ounce of prevention.
The researchers conducted a metadata analysis of the multitude of private vehicle security assessments and other publicly available research and found that of those vulnerabilities, three quarters could be exploited without much difficulty, according to the Commonalities in Vehicle Vulnerabilities whitepaper.
Researchers also examined potential attack vectors and found that 39 percent of them are related to the network, which includes all network traffic such as Ethernet or web, 16 percent are related to the cellular network, and 17 percent are related to the local attack vector.
Many of these could be exploited via cellular radio, Bluetooth, Wi-Fi, Companion Apps, V2V Radio, OBDII, Infotainment Media, and Zigbee Radio, all of which are points where data could enter a vehicle, researchers said.
Engineering problems were the root cause of the top eight vulnerability types, which included accidental information disclosure, coding logic errors, buffer overflow, authentication systems requiring hardcoded credentials, vendor-introduced backdoors, vulnerable dependency, web vulnerability implementation problems, and incorrect utilization of the principle of least privilege.
One issue that was hard to ignore was the prevalence of backdoors in the components that were tested, researcher and author of the whitepaper, Corey Thuen, told SCMagazine.com via emailed comments.
“A vast majority had some type of developer backdoor enabled in the final production product,” he said. “Creating these systems is difficult and I understand why such access mechanisms are desired but (back to Industry Best Practice) secure your backdoors and debug ports before you ship.”
Thuen said an ounce of prevention could be the cure to preventing these vulnerabilities as cars become more connected.
“About 75 percent of vulnerabilities are relatively easily fixed or prevented with little upfront work,” he said. “The remaining 25 percent are the hard problems of embedded software development that all companies will face.”
Furthermore, Thuen said if automakers would incorporate Security Industry Best Practices, up to 75 percent of vulnerabilities would disappear.
To catch the bugs moving forward, white box testing, in which researchers conduct assessments with data, code, or other information shared by the client, is the most effective means to identify high priority bugs and to improve the developmental process, the whitepaper said.
Thuen noted that one of the biggest challenges to securing connected vehicles is the need for manufacturers to shift their focus from purely being auto manufacturers to seeing themselves as hardware, database, and cloud provider companies.
“They basically are becoming an Amazon or a Google very quickly which is going to require major shifts in company policy and personnel,” he said.
Security researcher Samy Kamkar, who earlier this year spotted a major flaw in GM's OnStar app which could grant an attacker remote control over a vehicle, weighed in on the research and said automotive security is a complex issue.
“Fortunately, car manufacturers are working hard to address many of these security issues and bolster the security of their vehicles, but the intimate coupling between various components of a vehicle, such as the telematics system to the engine, has created a gateway for attackers to reach into various systems of a vehicle, in many cases entirely remotely,” Kamkar told SCMagazine.com via emailed comments. “The biggest improvement I see is a double edged sword, the connection to the Internet, while allowing the vehicle to more likely be attacked remotely, is the same feature I commend as it allows such computers on wheels to update with new features and security updates while you sleep.”