I’m Not Driving: Security in The Age of Connected Cars Demands Immediate Attention

According to reports last week, a hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving the hacker the ability to monitor the locations of tens of thousands of vehicles – and even turn off the engines for some of them while they were in motion.

Motherboard reported the hacker accessed more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps companies use to monitor and manage fleets of vehicles.

The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.

Here’s how it plays out in the real world. You’re driving to an appointment, and following your GPS commands, and are on an off-ramp when your car engine stops. You lose control of the car and crash into the car in front of you.

Multiply this by an attack on multiple vehicles on the freeways of Los Angeles for example, and you can only imagine the chaos.

The hacker, who calls himself L&M, is a “white hat” hacker who breaks into systems for the greater good, providing an early warning for consumers on the risks of living a hyper-connected life. L&M’s mission is to test the limits of cybersecurity so he can tell the brands marketing connected products what they’re missing, along with how they can fix these holes to protect their customers.

He infiltrated a network of GPS tracking apps and found that more than 27,000 users used the default password 123456, and with access to the core car system, remotely shut down engines.

According to L&M, any stopped car or vehicle traveling 12 miles per hour or slower could be affected and could disrupt traffic on a global level if enough computer power was behind the hack.

L&M said in an online chat: “My target was the company, not the customers. Customers are at risk because of the company.”

This is an unusual case where ransomware could intersect with digital terrorism, and we need to take a hard look at this now – including establishing a means to ensure default passwords are managed and automated, so consumers are protected, as are the shareholders of companies whose liability may be greater than at any time in history if they don’t act on these security gaps.

“We can master the security of mobility,” said Rick Conklin, CTO of Dispersive Networks, a company offering advanced virtualized networking that protect data in motion and the endpoints and applications that rely on that data.  “Our next generation network security optimization software intelligently sends data over multiple independent paths, rolling away from congestion to improve speed.  But security is where this approach really makes a difference.  Rolling for performance is great but detecting and rolling away from an adversary is game changing.”

Conklin explained that their software significantly raises the bar on security for the endpoint, saying “We authenticate and authorize each user or device before they gain any access to the network, and we micro-segment the network.  Our authenticating control plane ensures that only authorized connections are allowed.  Our authenticating data plane ensures that any unauthorized traffic including DoS/DDoS or frames from port scans are immediately and silently discarded.  Port scans allow an adversary to detect and probe and endpoint, usually looking for vulnerabilities to exploit.  We stop that attempt which means that our software makes endpoints disappear from the network in the same way that stealth technology makes jet fighters disappear from radar.”

Conklin believes the way to thwart attacks is to make endpoints invisible to bad actors saying “An adversary can’t attack what they can’t find.  The only information that an adversary can detect is that an endpoint is sending and receiving information to and from the network.  All packets and frames are encrypted to ensure confidentiality and integrity.  All user fingerprints, application fingerprints, and TLS artifacts are hidden from prying eyes.  Source / Destination relations are also hidden.  It’s what we call a low-probability of intercept use case and it also ensures low probability of infiltration of the endpoint.  These features were not possible in the past, and it is imperative that auto manufacturers and service providers adopt stronger network security architectures or risk the unthinkable.”

“We all want our cars to be increasingly connected as we head towards autonomous vehicles, but we continue to hear of hacking examples that undermine the very trust required to progress to the cyber-physical world”, said Don DeLoach, CEO of Rocket Wagon Venture Studios. “The market demands will drive innovation of all types, but among the most important will be innovation regarding security, especially in the realm of mobility”.

“Scenarios like this are only becoming more common place as we continue to use outdated security mechanisms to secure networks of machines and people,” said Michael Hathaway, founder of Ironbridge Enterprise. “A new paradigm is emerging where both machines and humans must establish secure digital identities before connecting to a network. This requires that we migrate away from antiquated username and password authentication methods. We also see technologies like blockchain distributed ledgers playing an increasingly important role in coordinating security across distributed systems.

Whether it’s keyless entry or keyless starting, the wave of the future is keyless automobiles. And driverless vehicles, including ride sharing offerings and delivery services.

Apps the hacker was able to breach include iTrack and Protrack, which are found in multiple makes and models of car GPS systems. (If you are a user of either of these services, you should have already received an email to reset your account password).

Concox, the makers of one of the hardware GPS tracking devices used by some of the users of ProTrack GPS and iTrack, confirmed to Motherboard that customers can turn off the engines remotely.

The owner of Probotik Systems, a company in South Africa that uses ProTrack, confirmed it was possible to use the system to stop engines.

Invest Ottawa and the Government of Ontario have launched the Ottawa L5 Connected and Autonomous Vehicle (CAV) Test Facilities.

A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving the hacker the ability to monitor the locations of tens o…

Many cars are slowly becoming partially or fully autonomous and it has been predicted that in the early future, self-driving cars may become part of t…

With 71 percent of American drivers claiming to fear the self-driving car, it’s no wonder that it’s taking a long time for the automotive technology t…

Post time: Jun-14-2019