Automotive Security — Introduction
This article is going to be a bit different and is just going to be a small to medium talk on automotive cyber security. I will not be going deep into the security aspects such as the protocols, history, etc. but will rather be talking about why security for cars is important and what hackers can do, keeping a more basic / introductory tone with this article. Since I am personally getting back into cyber security with automotive systems and better protecting them, I want to be able to explain to the general public the ideas behind automotive security and how insanely vulnerable cars are in today’s world. So, I do not plan on making this long!
Automotive Security: A General Talk
For this article, like every other article or module, we will be separating everything into its own subsections. We will be going over a decent list of things so here it all goes!
- Automotive Security : Breaking into the realm: A section that will talk about exactly what automotive security is, why it is important, current systems, and cars and their future!
- Automotive Security : Why is everything connected? A section that talks about why cars have become connected over time, the purpose and so on from there.
- Automotive Security : Why it needs to be talked about: A section that talks about why automotive security is important and why it makes sense that we
- Automotive Security : What we can do to ensure security of ourselves: A section that talks about how we can secure our cars and how security researchers such as myself or possibly you — the reader can better protect the world by standard contributions.
- Automotive Security : Conclusion && Summary: A section that will summarize this article and go over everything we talked about with one unique ending note.
- Automotive Security : An Ending Note: This will be the section where we properly end everything, talks about proper resources you can use and also everything about me as a writer for those who typically look into that for the end of articles.
I want to make a note before going into this again. This article is meant for people that barely know anything about automotive security or people who do but want to read how I explain it to people. I also want to note that we will not be talking about file formats, systems, networks and protocols on a deeper level but rather be scratching the surface of it! Now let’s dive into this!
Automotive Security : Breaking into the realm
Now for those who are new to this whole realm of things, I figured I would take a second to actually get down to talking about what exactly automotive security is. From the term alone you can imagine that it is about security and research into the automotive systems that exist in our everyday drivers! Well, in this case, that is exactly correct! Automotive security is a way of saying how we protect the systems in cars; it is also how we research new vulnerabilities. Woah woah woah, my car is vulnerable? Yes! Yes! Yes! Cars, one of the most unexpected systems, are the most hackable things here simply because of that: no person typically thinks a hacker would go for a car! Well, hackers are not the only people who want to attack cars; so do government agencies that may be spying on specific, high profile targets! These vulnerabilities in cars can be both helpful and the opposite, harmful. So this is why security research exists in the automotive realm even if it is nearly invisible! The whole idea of automotive security is also to show people how vulnerable the future may be. Some people also throw around the common misconception that their car is not hackable because it is not an EV. Well, I have got news for you: cars dating back to even 2001 are hackable! Ever since protocols such as CAN ( Controller Area Network ) came into vehicles like the Mercedes-Benz W140, cars have been hackable in some shape or form. Because of those networks, and because systems became more digital over the years, the attack surface of vehicles has expanded drastically! For example, you may think that a car from around 2005 without that many universal systems is not at all hackable or does not have that much to attack, but that is also false! This is because hackers have been able to find ways in through radio stations and systems in cars, all the way up to the infotainment systems within cars!
So, when we talk about general hacking, what exactly are hackers after, and why are some of them tuned to cars? There are a ton of reasons why hackers may want to target cars and below I have listed a few.
- Understanding Of The Modern World: Think of it, when was the last time during a company spread recall that you actually updated the car’s software or took it to the developers or the shop to have it checked? Probably never, right? Well, that is the sad truth with most systems today, even regular ones. When some update or vulnerability is found, companies will not make a huge deal about it but instead just issue vehicle recalls in hopes that they can properly secure a few hundred thousand vehicles, or at least half, when in reality most people refuse to turn in their car 95% of the time. Because this is so well known amongst hackers, it is easier for them to put specific vehicles, third party provider systems on cars and more onto their list. Because of this, hackers can easily grab more information on the driver or owner of the car, system diagnostics and more sensitive information, and can completely mess up the car! In one specific scenario and one of the most fluent ones, a group of hackers were able to remotely hijack a Jeep and easily take full control over the vehicle! In this case, a good amount of Jeeps ended up becoming a part of the recall. For basic context of the story, the hackers were able to control seat-belt functions, braking, gas, steering and more! You can read more here.
- Easy Grabs! → Since hackers are aware that most people will not turn in their cars for updates and may disable features such as auto updates, it is so easy for hackers to commit USB attacks, radio attacks or jacking attacks as fast as light! Because they also know that people are easy to social engineer, attacking a car becomes much more likely to succeed, since the systems are not paid as much attention. That brings up the second note, which is how horribly unprotected automotive systems are. We will get into this later: there are sum ( pun intended — SUMS ) systems in place and standards to better protect cars and their systems, but not many people, especially bigger companies, care much about them! That in itself is the issue. Every hacker also knows that as long as the industry goes on and newer technologies advance, people will chase what they “want” more than they realize what they “need”. This is basically saying that while people are so distracted by the newer features of a car, they are forgetting about the huge security risk that comes with them, because they simply do not care about it and are deeply distracted and caught in a loop they refuse to get out of. When hackers understand that this is the way the world is and the way humans work, they realize everything is up for grabs and it is just a matter of time before they get their hands on that sweet sweet car of yours!
- Political or Media reasons → This has not happened yet, but like most cyber crime, some of it may be used or executed due to political motives. Now you may be asking, why in heck would a hacker organization target cars? Well, there are many reasons they might, and one bit of research shows a good point. This blog post shown here by a security researcher known as Graham Cluley emphasizes the use of modern day systems. In today’s world of cars, most things in your car are web; hell, most cars have WiFi and Bluetooth systems in them now, and almost all of your systems, including brakes, gas, steering, configuration systems, check systems, update systems, monitoring systems, tire pressure monitoring systems, control modules, diagnostics systems, alarm systems, airbags and even the most complex systems, operate around the network of the car and rely on some form of web so that the system can possibly be remotely controlled from an app, which uses something known as an Application Programming Interface or API to communicate with the system. Because of flaws in those APIs or applications as a whole, hackers can easily take advantage of more than thousands of cars at once and abuse them to broadcast political statements or even stop cars in traffic, even just to simply play a video on the entertainment systems of the vehicle! Ain’t that quite insane? Now again, this is purely hypothetical but it is only a short coming.
There are many other reasons why a hacker may want to break into a car: they may want to steal the car, use the car for malware distribution, use the car as another computer in a network or chain, or may even want to just mine information from people’s social networks linked to that car. However, what about people who are just nerds, where else can car hacking come in handy? Well, sometimes car hacking, despite voiding warranties, is something people may do for multiple reasons in order to modify their cars. If someone wants to disable GPS mechanisms or governors on specific cars, they might be able to damage, crack or break software or firmware on the car to get past those systems. Wait, did I just say that? Yes! Hackers will even go so deep as to rip parts such as the hardware out of the car and run specific tests to attack the boards and bypass specific systems just to maximize features on the car itself! Now, we can hop into a different section that might explain this nonsense!
Automotive Security : Why is everything connected?
A ton of people have been upset that cars are now mostly turning to EV, or make some weird political statement like it is the way the government is going to spy on us. But why exactly are people saying this now, when most vehicles have been wired to the web ever since the mid 2000’s and have been vulnerable to major attacks since the early 2000’s? Well, truth be told, many people really did not see how truly interconnected cars and systems were until brand names like Tesla really made a name for themselves. It was only then that people saw how much truly goes on in a car, and even then they do not actually fully see everything as it should be! But like everything, there comes a huge risk with it becoming interconnected. As we have seen with systems already, especially web systems, we just are not truly secure enough to have these systems put into place; the bigger issue is just the fact that it makes everything cheaper, easier and much more fun to build, use, embed and more. So, let’s look at your average car in today’s world. The screenshot below is from the driver side of an Audi and shows a good example of what the front of a system looks like.
Just from looking at this system, what do you see here? What could possibly be web based here? I will give you a second to think on that.
People such as yourself who may be new to this world might not see much, might not see anything web, but let’s look at it from a different angle. As mentioned before, cars today typically operate off of multiple forms of communication, use specific protocols to communicate internally and even use WiFi networks to give drivers outside connection and access to other servers. So let me explain this with what I see. I see here a car that is purely digital, where nearly every single bit of data is being transferred through a set of digital wires and communication buses that we cannot see. I then see an infotainment console that may be primarily made and installed by Audi but may use third party systems, something that may also need outside connections and may be using APIs to download and upload data to and from the car! This is what looking from a different angle means. We may not see it up front, but if you truly look at a modern car, everything you see here is working on a network. Anything from the locks and the gas to the instrument cluster and infotainment consoles. This is the world we live in today and we must accept it. But other than the fact that it makes everything easy, why is everything connected? Why must it all be this way? Ever since the invention of the CAN protocol, also known as Controller Area Network, the goal has been to make the manufacturing and design of cars not only much easier but also much more slick and fit for the modern standards of what everyone did or did not want. These designs required something more modular, something much more advanced yet easier to work with! That is why cars work on protocols. You might be asking right now, how did the invention of an automotive communications network such as CAN fix the cost of manufacturing? This is a question that is quite easy to answer actually. One of the major reasons CAN was invented was to save on the amount of wiring in cars.
Back then, when the protocol was invented, the systems in cars would all be hardwired to communicate with each other, which would require a TON of copper and raise costs during production. Mix this with the rise of human beings over time / population and now you have triple the production costs. So, the main reasons cars had to go online were that it cut costs, made cars much more advanced and responsive and made them much easier to manage remotely. Because of the boost automotive networking got once it was put into place, the world of web ( much later on ) also started to get involved with the way systems operated in cars. While cars might not operate the locks on a car door or the gas DIRECTLY AND PRIMARILY over a web network, there are still systems in the vehicle such as the infotainment system that could be hijacked and could be used to gain full control over the vehicle.
But wait, if all of this is happening, then why exactly are we still managing to keep systems in place like this? This is where automotive security comes into play!
Automotive Security : Why it needs to be talked about
The previous section talked about the interconnection of cars and automobiles in general; we then raised the question of why we actually keep these systems in if they can cause harm. Well, the simple answer can take a few paths.
Cuts Down Production: As mentioned before, just because a system is unsafe does not mean that companies can afford to take that system down and take it out of the car. Because networks such as CAN and the other various systems power our cars, without them we would not exactly have the most accurate cars to date. Just think about how truly helpful the instrument cluster on your car is, or what about that fancy GPS and monitoring systems that tell you “so and so hazard is so and so miles away, merge left to prevent”, or what about those unique sensors that can tell you when you are hovering over a line and merging, or even the systems inside of Teslas that will throw hazards on and then start slowing the vehicle down if a human is counted as asleep or non active. These systems are not only extremely important for human safety but also cut a ton of cost from the general development of the vehicle even with the new ones in there.
General Human Safety: This was mentioned in the previous point
There are many other points that we could also go deep into, but here is another primary reason: even if we wanted to, we are so far into this world that it is impossible to turn back. So, this is where automotive security research comes into play, and where educating people about the general matter comes in as a MASSIVE help. Automotive security is one of the most empty fields right now; it is talked about on a specific level, it has its popularity and it is well known to an extent, but it has an issue, and a few points should address these issues.
Not Much Proof: There are a ton of case studies out there to show the potential of automotive security and to show how important it is — to people like you and me anyway. But let’s take a different approach. Despite some companies and even laws admitting that it is a problem, it is not taken seriously enough in the under saturation. Not to go dark a bit, but let’s look at the September 11th 2009 terrorist attacks. Regardless of how you want to make it seem, those attacks happened because no one actually cared enough for the security of airports; not many people understood the dangers despite people talking in communities about the idea of how they can be taken control of. So, what’s the deal with security in cars? In a way, this can sort of relate. Think about this more logically: you are driving a 2–4 ton vehicle at, on average, 45+ miles an hour on a road. If a hacker manages to abuse that system and gain access, especially to multiple vehicles, just imagine the insane amount of damage that hackers can do to human life if it is not truly taken the way it needs to be! My point may seem quite radical, but if we do think about it for a second, damages can and will be caused and history shows it — not just physically but also to the industry and the world around it!
This could also damage years and years of structured and well executed research to the point where it is rendered useless and becomes another rant on someone’s Instagram page.
Not Much Considered “fun”: Unlike most fields in cyber security, automotive right out of the gate is not fun to everyone. When you start learning about the current standards such as the ISO-21434 and other systems such as SUMS and CSMS as well as other systems in place, it seems on the surface that it’s all handled and taken care of + the teachers in the field are not exactly so to say “excited” about wanting to teach about it. It is quite the rare field, not to mention that while research is done by some amazing security researchers, the genuine world of education sucks and to be honest shares the same relation with the rest of the security world.
Hard To Afford: I will say this correctly and from my experience as someone who cannot just toss 80K at a car. When it comes to automotive security, due to the lack of knowledge and the lack of developers and security researchers, there are not nearly enough programs that people can test their own exploits or even attacks on to train. So you are either stuck with some bad resources, or you can build the connections necessary to get you access to a bunch of cars to hack. This is just one of those fields that are extremely hard to afford, not to mention you need a good enough setup with hardware sniffers and a bunch of other components that will aid you during the security research and discovery route.
There are also many other reasons this field can be troublesome to get into, and there is a huge reason why this field is not progressing the way it needs to be, but those are some genuinely good examples as to why that happens. So this is where it starts. Not everyone in the world understands where automotive security is going to go; most people do not even know that you can hack a car. This is where talking about it really comes into play. I will say this from experience, but it is quite hard to just go out and talk about things; you have to get with the right people and prove your educative experience to even be able to show up and meet with the right people. But there are many things you can do to talk about it once you are more educated on the topic, and there are things we as people can do without requiring so much heavy funding.
Writing Blogs: The media will be a primary channel for getting something out there. But as I am doing right now, writing blogs is a great way to show people “hey this is happening” because it allows writers such as myself and many other much more powerful authors to say “we need to talk about this” and then write an entire series on just automotive security and why it is important, while also talking about it in a way that might make it more understandable to everyone out there instead of using entirely technical terms.
Videos / Live Demonstrations: This happens all the time at security conventions but I feel like it would be much more beneficial if news and media stations could easily get out there to people to have them execute a live demonstration of the dangers of automotive security and even prove that something dangerous could possibly happen with vehicles.
Building Industrial Connections and Collaborating: This is just general networking, but if you want to actually get something out there, you have to build a crazy amount of connections and actually tell people what you want to do and how you are going to do it! It does not matter who it is; who knows, maybe someone you connect with knows a friend who knows a friend who knows a CEO that knows a CTO that knows a founder that knows a media team. Despite what you think, this does actually exist.
Talks In Communities: A ton of hacking communities and security conferences always do talk about some form of hacking even something as much as automotive security, but what if someone was actually to go to another community and spread word about it. Now sure, communities do find ways to always be on topic, but you yourself can always find ways to bleed a topic you want to talk about such as automotive security into that chain.
There are many other ways you can communicate, but regardless, the point is that building connections and spreading the word about a topic like this without being so technical, while also proving a point, is something that you should do if you feel like it will help! Let me tell you right now, the more people that talk about it, the more companies and the more people will follow the hype train and actually go forward with everything! So, it is important that we actually stay on top of not only addressing the problem and finding solutions but also getting it out there when the time is right!
Automotive Security : What We Can Do To Protect Ourselves
One of the primary issues with the security of modern day cars, or rather the result, may not always be placed on the developers. For instance, despite OTA (Over The Air) updates in vehicles, people will find ways to disable systems ( if they are not hidden ) like that in the case that they feel they will always need it. Get where I am going? Sometimes, the reason for bad security is people who are not willing to properly update their stuff.
So, this section is quite small and simple. Just make sure you update your stuff and do not ignore mandatory updates or even recalls when they are extremely important and rely on core systems in the vehicles!
Automotive Security : Conclusion && Summary
While there is no proper proof of hackers causing an insane amount of damage, it is important to ensure that we stay on our toes with this and secure it before something does happen. We have seen security researchers exploit major vulnerabilities that allow them to glitch the car, remotely control the car, take advantage of third party systems and more; but we have yet to see a major attack spook the world, which is something we do NOT want to see! So, it is important that as the world continues to grow and tech in cars becomes much more advanced, we also make sure security is our top priority when developing systems. That being said, I hope this article gave you a bit of an introduction as to what this world is. I know this was super short, but I felt that it was important to go through and at least talk about on some shorter level.
Ending Note — Extra’s, Resources, Support, Thanks
This section will just show a bit about me. For those who are interested in helping support my page, it means quite a lot!
- Ending Note | About Me → This section will talk obviously about me, who I am, why I am doing this, current projects etc.
- Ending Note | Thank You → A section thanking you for reading this article and explaining why I value community.
- Ending Note | Ways To Support → A section talking about ways you can support me with currency!
- Ending Note | Where To Find Me → A section that talks about where you can find me and how you can follow me.
- Ending Note | Resources To Advance Your Knowledge → A section that explains some basic resources used to help you.
Below, sections are listed and talked into!
Ending Note | About Me
Hello there nerd! My name is Ryan and I am commonly known as Totally_Not_A_Haxxer! I am a 16 year old security researcher and developer with quite the experience primarily in development (50+ languages including working on my own) and take a huge interest in automotive security! I write the articles I write, especially in length, as well as books because I believe that knowledge is for everyone and should not really be charged so much for. For example, I saw someone write a Golang tutorial that was like 10 hours of content and charged over 1K for it. I thought it was a complete waste of time so I started my blog page to not only do what they were doing but do it better and for free! I also have multiple projects going on around education such as $1 Courses, which are courses on various topics in tech or even general that get sold off for a single buck! That is a small about me; you can find more, which we will get into in quite a second hahaha!
Ending Note | Thank You
I want to also thank you for reading the article and coming this far. I know these articles are extremely large and take a ton of time but I hope they were worth it. I do try my best to actually go and put the time and effort into the articles by ensuring that I can actually help educate people and go deep into the topics I talk about for free! So, if you have made it this far, I appreciate you giving the effort back as far as reading the article and hope it helped :D!
Ending Note | Ways To Support (Financially)
Currently I am not in the best of situations with money and I do not have the proper funding to afford good equipment for security research, even something as much as a laptop where I could do remote work. That being said, I have always been used to saying “I do what I do with passion, and I will stop at nothing to do so”. Even though I do not have the direct resources, I always do try my best to deal with what I have and do what I want to do with said resources that I do have. With this, I ask that if you can bother to donate or do have the extra to spare, this will make my development, skill and more go much MUCH faster and also make me much more motivated to continue doing what I am doing! Below I have listed my cashapp and venmo as well as crypto wallets!
Ending Note | Where To Find Me
This sounds weird to say, but you can find me in a few places; social media is one of them. Below I have listed some links of where to find me but I will say this. Often in discord servers, communities and even other platforms, some people always ask me for links and I can get tired of constantly pasting social media links on days where I have a bunch of stuff to do and given social media is not on my phone ( at this time, working on a study / ghost month ). SOOOO, that being said, Google is a good place to go: literally search “Totally_Not_A_Haxxer” and some of my socials should pop up + look at it this way, you get more OSINT experience.
- Hakin9 Articles / Research point
Ending Note | Resources To Advance Your Knowledge