AfterDawn: Tech news

Report: Security in embedded automotive systems is sorely lacking

Written by Rich Fiscus @ 08 Sep 2011 11:54

A new report highlights several security deficiencies in modern automotive electronics systems.
The report was released by McAfee in partnership with embedded security firm Escrypt and mobile/embedded software company Wind River.

According to the report, potential risks range from tracking a vehicle's location using RFID tags embedded in tires to remotely disabling critical systems via Bluetooth. It cites research being done at the University of California, San Diego, which shows critical safety components can be hacked remotely using a program they call CarShark.

Researchers suggest just how far this sort of attack could go:

Going one step further is to combine the CarShark attack and weaknesses of Bluetooth implementation in cars. Once the attacker guesses the Bluetooth PIN, the attacker could mount the CarShark attack. Other wireless devices like web-based vehicle-immobilization systems that can remotely disable a car could be manipulated in these situations as well. The immobilization system is meant to be a theft deterrent but could be used maliciously to disable cars belonging to unsuspecting owners.


The other area of concern for researchers is the growing number of embedded systems capable of storing and accessing personal information, and potentially even accessing devices, such as smartphones, that you may be using to communicate with them.

At least one of the researchers involved believes it will be a few years before these issues are addressed.

Stefan Goss spent nearly a decade working for Volkswagen, first as head of instrumentation development and later as head of diagnostics development, before becoming a professor of automotive technology at Ostfalia University of Applied Sciences this year.

He predicts:

Vehicles of all price segments are equipped with several electronic units, which, in the near future, will boast dramatically increased computing performance and interfaces. Each interface serves as a motivator and means for an attacker to access the vehicle. We can expect new challenges to protecting the changing interface of embedded systems in cars. Vehicle makers have to solve the conflict of implementing security mechanisms without losing customers' acceptance. I expect a new chapter of car security in the next two car generations.


You have to wonder whether it will take one or more highly publicized incidents involving these sorts of vulnerabilities before that happens.


3 user comments

#1 9.9.2011 0:32

It's for this reason I still drive a 35-year-old vehicle; I don't like the control they off into the electronics.

This message has been edited since its posting. Latest edit was made on 09 Sep 2011 @ 0:34


#2 9.9.2011 3:36

I don't mind electronics... if they are done correctly. When a company makes a security system that can be controlled by Bluetooth, and which uses a 4-digit code that is standardized for the entire model line, this is an engineering mistake. You might as well say that you don't like any kind of engine because old Oldsmobile V8s have a defective rocker arm design.



#3 14.2.2012 21:26

Originally posted by KillerBug:
I don't mind electronics... if they are done correctly. When a company makes a security system that can be controlled by Bluetooth, and which uses a 4-digit code that is standardized for the entire model line, this is an engineering mistake. You might as well say that you don't like any kind of engine because old Oldsmobile V8s have a defective rocker arm design.
Unfortunately, I don't think the manufacturers will fix it until they are forced to have some skin in the game. An example would be if a motor vehicle is stolen using a hacked four-digit Bluetooth PIN, and then the vehicle is involved in an incident where there was a great loss of life and/or property. Theoretically, the company could be on the hook for providing inadequate security for their product, especially if it was widely known at the time that the implementation was vulnerable to compromise.

This would be like the credit card companies. The only reason the CC companies employ such great security is because they have skin in the game, and could stand to lose millions on stolen credit card numbers. If they were *not* responsible for them, and the consumer was forced to shoulder any losses from a stolen credit card, the security would not be as great, and the company would not be as involved in it.
