In this part, we talk about possible remote attacks on a car, according to the different areas of possible attacks. For each communication channels, we describe attacks and how to prevent them with some recommendations. The main recommendation is to always follow the latest updates of these remote communication channels.
|Connectivity-Wireless-1||Update||Always follow the latest updates of remote communication channels.|
We will see the following parts:
|Connectivity-Wireless-1||Add communication channels (RFID, ZigBee?).|
For existing automotive-specific means, we take examples of existing system attacks from the IOActive document (A Survey of Remote Automotive Attack Surfaces) and from the ETH document (Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars).
We can differentiate existing attacks on wifi in two categories: Those on WEP and those on WPA.
- FMS: (Fluhrer, Mantin and Shamir attack) is a “Stream cipher attack on the widely used RC4 stream cipher. The attack allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream.”
- KoreK: “Allows the attacker to reduce the key space”.
- PTW: (Pyshkin Tews Weinmann attack).
- Chopchop: Found by KoreK, “Weakness of the CRC32 checksum and the lack of replay protection.”
Do not use WEP, PSK and TKIP.
Use WPA2 with CCMP.
Should protect data sniffing.
|Domain||Tech name or object||Recommendations|
|Connectivity-Wireless-Wifi-1||WEP, PSK, TKIP||Disabled|
|Connectivity-Wireless-Wifi-2||WPA2 and AES-CCMP||Used|
|Connectivity-Wireless-Wifi-3||WPA2||Should protect data sniffing.|
|Connectivity-Wireless-Wifi-4||PSK||Changing regularly the password.|
|Connectivity-Wireless-Wifi-5||Device||Upgraded easily in software or firmware to have the last security update.|
- Bluesnarfing attacks involve an attacker covertly gaining access to your Bluetooth-enabled device for the purpose of retrieving information, including addresses, calendar information or even the device’s International Mobile Equipment Identity. With the IMEI, an attacker could route your incoming calls to his cell phone.
- Bluebugging is a form of Bluetooth attack often caused by a lack of awareness. Similar to bluesnarfing, bluebugging accesses and uses all phone features but is limited by the transmitting power of class 2 Bluetooth radios, normally capping its range at 10-15 meters.
- Bluejacking is the sending of unsolicited messages.
- BLE: Bluetooth Low Energy attacks.
- DoS: Drain a device’s battery or temporarily paralyze the phone.
- Not allowing Bluetooth pairing attempts without the driver’s first manually placing the vehicle in pairing mode.
- Use BLE with caution.
- For v2.1 and later devices using Secure Simple Pairing (SSP), avoid using the “Just Works” association model. The device must verify that an authenticated link key was generated during pairing.
|Connectivity-Wireless-Bluetooth-1||BLE||Use with caution.|
|Connectivity-Wireless-Bluetooth-3||SSP||Avoid using the “Just Works” association model.|
|Connectivity-Wireless-Bluetooth-4||Visibility||Configured by default as undiscoverable. Except when needed.|
|Connectivity-Wireless-Bluetooth-5||Anti-scanning||Used, inter alia, to slow down brute force attacks.|
See Low energy and the automotive transformation, Gattacking Bluetooth Smart Devices, Comprehensive Experimental Analyses of Automotive Attack Surfaces and With Low Energy comes Low Security for more information.
IMSI-Catcher: Is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. Essentially a “fake” mobile tower acting between the target mobile phone and the service provider’s real towers, it is considered a man-in-the-middle (MITM) attack.
Lack of mutual authentication (GPRS/EDGE) and encryption with GEA0.
Fall back from UMTS/HSPA to GPRS/EDGE (Jamming against UMTS/HSPA).
4G DoS attack.
- Check antenna legitimacy.
|Connectivity-Wireless-Cellular-2||UMTS/HSPA||Protected against Jamming.|
See A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications for more information.
- Interception of data with low cost material (SDR with hijacked DVB-T/DAB for example).
- Use the Radio Data System (RDS) only to send signals for audio output and meta concerning radio.
|Connectivity-Wireless-Radio-1||RDS||Only audio output and meta concerning radio.|
- MITM: Relay and replay attack.
- Should implements protection against relay and replay attacks (Tokens, etc…).
- Disable unneeded and unapproved services and profiles.
- NFC should be use encrypted link (secure channel). A standard key agreement protocol like Diffie-Hellmann based on RSA or Elliptic Curves could be applied to establish a shared secret between two devices.
- Automotive NFC device should be certified by NFC forum entity: The NFC Forum Certification Mark shows that products meet global interoperability standards.
- NFC Modified Miller coding is preferred over NFC Manchester coding.
|Connectivity-Wireless-NFC-1||NFC||Protected against relay and replay attacks.|
|Connectivity-Wireless-NFC-2||Device||Disable unneeded and unapproved services and profiles.|