

White-hat researchers at a cybersecurity company claim they have easily and quickly taken remote control of a new battery-electric vehicle immediately before it was due to enter series production.
Their “hack attack,” exploiting its many connected-car vulnerability surfaces, exposes the lack of robust measures taken by some automakers to ensure their software-defined vehicles are safe from cybercriminals.
The team from PlaxidityX, formerly Argus Cyber Security, claims its attack highlights the security problems posed by insecure Wi-Fi networks, which allowed the company’s engineers to gain control over safety-critical systems and enabled the theft of the vehicle.
Key security failings published in a new white paper on the project included hardcoded credentials, insecure Message Queuing Telemetry Transport (MQTT) Internet of Things communication and a weak Unified Diagnostic Services (UDS) Security Access implementation.
WardsAuto caught up with one of the white paper’s authors, security researcher Omer Ziv, who tells us the attack highlights the feasibility of rapid, high-impact attacks and underscores the need for automakers to concentrate harder on producing secure boot, proper credential management and robust in-vehicle network protections.
“What we see is that it is still a challenge for the automotive industry to move towards being more cybersecure-aware and to make sure that everything is protected,” says Ziv.
PlaxidityX’s study, Securing the Future: Cybersecurity for Automotive High-Performance Computers, presents a real-world vehicle penetration testing project on a BEV just before the start of production as part of the regulatory process under ISO-21434: Road vehicles – Cybersecurity.
During eight working days, two researchers penetrated the vehicle system via Wi-Fi and uncovered several critical security issues.
It began with minimal access via the Wi-Fi interface, which was only protected by a weak “crackable” default password. After this the team was able to authenticate and perform lateral movement within the internal network, eventually reaching the vehicle’s central gateway.
Here they replaced proprietary binaries with malicious versions to gain access to the CAN bus and control vehicle functions.
On top of this, by reverse engineering internal binaries, they extracted hardcoded credentials for a secured MQTT server used for communication between the vehicle and the end-user mobile application, allowing them to perform all actions normally available to the user through the official app.
During this process, they also recovered the Security Access algorithm used for UDS authentication, bypassing the challenge-response mechanism and enabling unrestricted diagnostic access.
These actions ultimately gave the team full remote access to safety-critical functions while the vehicle was in motion, leading to a complete disruption of its operation with serious safety implications. Recovery required a full battery reset.
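The UDS Security Access finding comes down to access that depended on an algorithm recoverable from the binaries. The sketch below is an added example (not from the PlaxidityX paper or the vehicle's software) of an ECU-side seed/key check that still holds when the algorithm is known, assuming a per-ECU secret, HMAC-SHA256, 16-byte seeds and a three-attempt limit; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# UDS negative response codes (ISO 14229) relevant to SecurityAccess (service 0x27)
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36
MAX_ATTEMPTS = 3  # assumed policy for this sketch


def compute_key(ecu_secret: bytes, seed: bytes) -> bytes:
    """Tester side: the algorithm is public, only the per-ECU secret is not."""
    return hmac.new(ecu_secret, seed, hashlib.sha256).digest()[:16]


class EcuSecurityAccess:
    """ECU side of a requestSeed / sendKey exchange (hypothetical model)."""

    def __init__(self, ecu_secret: bytes):
        # Assumption: unique per ECU and held in an HSM, not in a shared binary
        self._secret = ecu_secret
        self._seed = None
        self._failures = 0
        self.unlocked = False

    def request_seed(self) -> bytes:
        # Fresh 128-bit CSPRNG seed, so a recorded exchange cannot be replayed
        self._seed = secrets.token_bytes(16)
        return self._seed

    def send_key(self, key: bytes) -> int:
        """Return 0 on success, otherwise a UDS negative response code."""
        if self._failures >= MAX_ATTEMPTS:
            # Locked; a real ECU would lift this only after a delay timer
            return NRC_EXCEEDED_ATTEMPTS
        if self._seed is None:
            return NRC_REQUEST_SEQUENCE_ERROR
        expected = compute_key(self._secret, self._seed)
        self._seed = None  # every seed is single use
        if hmac.compare_digest(expected, key):  # constant-time comparison
            self._failures = 0
            self.unlocked = True
            return 0
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            return NRC_EXCEEDED_ATTEMPTS
        return NRC_INVALID_KEY
```

With this design, extracting the key-derivation routine from one gateway image yields nothing without that ECU's own secret, and guessing is bounded by the attempt counter.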
Ziv explains: “In general, we are seeing vehicles moving from non-cyber-relevant vehicles to cyber-relevant vehicles. Also, the regulations now that see the OEMs create their processes are unable to ensure we get a more secure car.
“There are steps in the process (where) you need to do some penetration testing in order to make things secure,” he adds.
The paper concludes that impactful vehicle vulnerabilities can be identified within relatively short timeframes.
Also, while Tier 1 suppliers and OEMs often focus on passing regulatory checks through isolated component-level ECU testing, this approach overlooks important system-level interactions.
Certain attack surfaces and vulnerabilities only emerge when the vehicle is considered as a whole, so comprehensive security assessments must go beyond component testing to include full-vehicle testing.
“The message to automakers is, do intensive searching for vulnerabilities in both the hardware and software that they are going to use,” says Ziv.
He says it’s important to note that modern cars enter the market with technology up to five years out of date. They then spend another 10 to 15 years in use, so hackers can have about 20 years to research this vehicle.
“Penetration testing is critical and not just for compliance reasons, which are less hard to meet than cybersecurity and resilience,” says Ziv, adding, “OEMs need to invest in penetration testing in order that they are pushing their cybersecurity systems to the maximum.”