Easier with a crowbar: hacking IoT accessories for cars
#1
Exclamation 
Quote:
[Image: smart-driving-security-test-featured.jpg]

We often discuss vulnerabilities of different IoT devices, ranging from smart cameras to sex toys. This time, our researchers decided to find out whether smart gadgets for cars are well secured.

What was tested

For the test, we chose a number of devices with different functions: a couple of OBD system scanners, a tire pressure/temperature monitoring system, an Internet-dependent GPS tracker, a dashcam, and a smart car alarm.

OBD scanner vs Bluetooth scanner

What we investigated? A device that plugs into the OBD connector inside the car and transmits data about speed, acceleration, engine rpm, etc. to a smartphone connected via Bluetooth. The data can be observed while driving, and later overlaid on the video recording in the related app.

What we discovered? The scanner uses its MAC address as both the serial number and the password required to connect to it. The problem is that the scanner transmits its MAC address via Bluetooth — seen by all devices within a range of a few dozen meters.

So to connect to the device, a potential attacker needs only scan the ether and read its MAC address.

What’s the threat? Fortunately, the tested scanner only reads vehicle data and does not affect the car’s behavior. Therefore, even if a third party manages to connect to the gadget, they will not be able to harm the driver, only view a recording of the drive and the vehicle readings.

Another OBD scanner: wired means safe?

What we investigated? A wired OBD scanner for car diagnostics.

What we discovered? The device manufacturer put a lot of effort into securing the firmware. Yet, having tried several methods, Kaspersky experts managed to extract the firmware from the device’s memory and found a way to modify it.

However, it turned out that the scanner’s memory was only large enough to log readings and errors. The device cannot be used as a springboard to hack into the car’s electronic systems.

What’s the threat? Users have nothing to fear. The manufacturer of the gadget gave it only the features needed to perform its main task and no more. So besides accessing the error log, hackers have nothing to play with.

Tire pressure/temperature monitoring system

What we investigated? Unsurprisingly, this device is designed to display tire pressure and temperature data, and to notify the driver if the values go too high or low. It consists of four sensors (one per wheel), a screen, and a control unit.

What we found out? Since the sensors transmit information to the control unit via radio, our experts decided to try to intercept and substitute the data using an SDR (software-defined radio). For this, it was necessary to know the serial number of each sensor and what part of its outgoing signal contained data on pressure/temperature changes in the wheel. After several probes, our experts found what they were looking for.

However, it should be noted that substituting the signal in practice requires permanent communication with the sensors: the receiver antenna needs to stay pointed at the victim’s car and move along at the same speed.

What’s the threat? By substituting the sensor signals, attackers can display warnings about non-existent malfunctions, forcing the driver to stop the car. However, for a successful attack, they need to be near the target. With that in mind, owners of the device shouldn’t lose any sleep over this.
Continue Reading
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
QOwnNotes 19.1.6
24.12.4 The wel...Kool — 12:56
INTEL Arc Graphics 32.0.101.6325/6253 dr...
Highlights Fix...harlan4096 — 11:06
GFYI [Official] Revo Uninstaller Pro v5...
"Share feedback...damien76 — 09:01
GFYI [Official] SpyShelter PRO v15 Chri...
Merry Christmas and ...damien76 — 08:56
GFYI [Official] IObit Christmas 2024 Bl...
Merry Christmas and ...damien76 — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>