{"id":1813,"date":"2017-07-13T15:02:27","date_gmt":"2017-07-13T09:32:27","guid":{"rendered":"http:\/\/autofacets.com\/insights\/?p=1813"},"modified":"2021-10-02T12:15:17","modified_gmt":"2021-10-02T06:45:17","slug":"car-hack-technique-uses-dealerships-to-spread-malware","status":"publish","type":"post","link":"https:\/\/www.autofacets.com\/insights\/car-hack-technique-uses-dealerships-to-spread-malware\/","title":{"rendered":"Car Hack Technique Uses Dealerships to Spread Malware"},"content":{"rendered":"<p>OVER THE LAST\u00a0summer, the security research community has proven like never before that cars are vulnerable to hackers \u2014 via\u00a0cellular Internet connections,\u00a0<a href=\"https:\/\/www.wired.com\/2015\/07\/gadget-hacks-gm-cars-locate-unlock-start\/\" target=\"_blank\" rel=\"noopener\">intercepted smartphone signals<\/a>, and even\u00a0<a href=\"https:\/\/www.wired.com\/2015\/08\/hackers-cut-corvettes-brakes-via-common-car-gadget\/\" target=\"_blank\" rel=\"noopener\">insurance dongles plugged into dashboards<\/a>. Now an automotive security researcher is calling attention to yet another potential inroad to a car\u2019s sensitive digital guts: the auto dealerships that sell and maintain those systems.<\/p>\n<p>At the Derbycon hacker conference in Louisville, Kentucky last week, security consultant Craig Smith presented a tool designed to find security vulnerabilities in equipment that\u2019s used by mechanics and dealerships to update car software and run vehicle diagnostics, and sold by companies like Snap-On and Bosch. 
Smith\u2019s invention, built with around $20 of hardware and free software that he\u2019s\u00a0<a href=\"https:\/\/github.com\/zombieCraig\/uds-server\" target=\"_blank\" rel=\"noopener\">released on GitHub<\/a>, is designed to seek out\u2014and hopefully help fix\u2014bugs in those dealership tools that could transform them into a devious method of hacking thousands of vehicles.<\/p>\n<p>If a hacker were to bring in a malware-harboring car for service, the vehicle could spread that infection to a dealership\u2019s testing equipment, which in turn would spread the malware to every vehicle the dealership services, kicking off an epidemic of nasty code capable of attacking critical driving systems like transmission and brakes, Smith said in his Derbycon talk. He called that car-hacking nightmare scenario an \u201cauto brothel.\u201d<\/p>\n<p>\u201cOnce you compromise a dealership, you\u2019d have a lot of control,\u201d says Smith, who founded the\u00a0<a href=\"http:\/\/opengarages.org\/index.php\/Main_Page\" target=\"_blank\" rel=\"noopener\">open source car hacking group Open Garages<\/a>, and wrote the\u00a0<a href=\"http:\/\/opengarages.org\/handbook\/\" target=\"_blank\" rel=\"noopener\">Car Hacker\u2019s Handbook<\/a>. \u201cYou could create a malicious car\u2026 The worst case would be a virus-like system where a car pulls in, infects the dealership, and the dealership then spreads that infection to all the other cars.\u201d<\/p>\n<p>The tool Smith created simulates that kind of attack by acting like a malware-carrying car. Primarily, it\u2019s a testing device; a way to see what kind of malicious code would need to be installed on a car to infect any diagnostic tools plugged into it. Smith\u2019s device is built from a pair of the OBD2 or On-board Diagnostic ports, the kind that typically appear under a car\u2019s dashboard to offer mechanics an entry point to the CAN network that controls a vehicle\u2019s physical components. 
It also uses a resistor and some wiring to simulate a car\u2019s internal network and a 12-volt power source. All of that is designed to impersonate a car when a dealership\u2019s diagnostic tool is plugged into one of the OBD2 ports. The second OBD2 port is used to connect the device to a PC running Smith\u2019s vulnerability scanning software. Smith calls his easily replicated hardware setup the ODB-GW, or Ol\u2019 Dirty Bastard Gateway, a play on a common misspelling of OBD and an homage to the late member of the Wu Tang Clan.<\/p>\n<hr \/>\n<blockquote><p><em>The dealership tools trust that a car is a car. They\u2019re a soft target.-\u00a0Craig Smith<\/em><\/p><\/blockquote>\n<hr \/>\n<p>With that ODB-GW plugged into a laptop, Smith\u2019s software can perform a technique known as \u201cfuzzing,\u201d throwing random data at a target diagnostic tool until it produces a crash or glitch that might signal a hackable vulnerability. Smith says he\u2019s already found what appear to be multiple flaws in the dealership tools he\u2019s tested so far: One of the handheld diagnostic tools he analyzed didn\u2019t check for the length of a vehicle identification number. So rather than 14 digits, his car-spoofing device shows that an infected vehicle could send in a much longer number that breaks the diagnostic tool\u2019s software and allows a malware payload to be delivered. Or, Smith suggests, an infected car could overload the dealership\u2019s gadget with thousands of error codes until it triggers the same sort of bug. (Smith says his own tests are still preliminary, and he declined to name any of the diagnostic tools he\u2019s tested so far.) \u201cThe dealership tools trust that a car is a car,\u201d says Smith. \u201cThey\u2019re a soft target.\u201d<\/p>\n<p>If a hackable bug were found in those dealership tools, Smith says it could be exploited in an actual dealership garage by building an attack into a car itself. 
He suggests a hacker could plant an Arduino board behind a car\u2019s OBD2 port that carries the malware, ready to infect any diagnostic device plugged into it.<\/p>\n<p>That \u201cauto brothel\u201d attack is hypothetical, but it\u2019s not as farfetched as it might seem. In 2010 and 2011, researchers at the University of California at San Diego and the University of Washington\u00a0<a href=\"https:\/\/www.wired.com\/2015\/09\/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars\/\" target=\"_blank\" rel=\"noopener\">revealed a slew of hackable vulnerabilities in a 2009 Chevy Impala that allowed them to perform tricks like disabling its brakes<\/a>, although they didn\u2019t name the make or model of the vehicle at the time. One of those attacks was designed to take advantage of an auto dealership: The researchers found that they could break into the dealership\u2019s Wi-Fi network and gain access to the same diagnostic tools Smith has tested via gadgets\u2019 Wi-Fi connections. From there, they could hack any vehicle an infected tool plugged into.<\/p>\n<p>\u201cAny car ever connected to it, it would compromise,\u201d says Stefan Savage, the computer science professor who led the UCSD team. \u201cYou just get through the Wi-Fi in the dealership\u2019s waiting room and the attack spreads to the mechanics shop.\u201d<\/p>\n<p>Savage admits that the dealership attack isn\u2019t a particularly targeted one. But that\u2019s precisely what makes it so powerful: he estimates that thousands of vehicles likely pass through a large dealership every month, all of which could be infected en masse. \u201cIf the goal is to create mayhem or plant some kind of car ransomware, then going after the dealership is a fine way to get a lot of cars,\u201d Savage says.<\/p>\n<p>In his talk, Smith pointed out that an attack on a dealership\u2019s diagnostic tools wouldn\u2019t necessarily have to be malicious. 
It could also be aimed at extracting cryptographic keys or code that would let car hacker hobbyists alter their own vehicles for better or worse, changing everything from fuel ratios to emissions controls, as Volkswagen did with its\u00a0<a href=\"https:\/\/www.wired.com\/2015\/09\/vw-owners-arent-going-like-fixes-diesels\/\" target=\"_blank\" rel=\"noopener\">own scandalous nitrogen oxide emissions hack<\/a>.<\/p>\n<p>But Smith also argues that the diagnostic tool bugs his device susses out represent significant security threats\u2014ones that the auto industry needs to consider as it tries to head off the potential for real-world car hacks. \u201cAs more and more security researchers look into automotive security, I want to make sure this isn\u2019t overlooked, as it has been so far,\u201d Smith says. \u201cIdeally, I want people doing security audits in the automotive industry to be checking dealership tools, too. This is the way to do it.\u201d<\/p>\n<hr \/>\n<p>Author &#8211; \u00a0<span class=\"link-underline-sm marg-r-sm\">ANDY GREENBERG<\/span><\/p>\n<p>Courtesy of <a href=\"https:\/\/www.wired.com\/2015\/10\/car-hacking-tool-turns-repair-shops-malware-brothels\/\" target=\"_blank\" rel=\"noopener noreferrer\">WIRED<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OVER THE LAST\u00a0summer, the security research community has proven like never before that cars are vulnerable to hackers \u2014 via\u00a0cellular Internet connections,\u00a0intercepted smartphone signals, and even\u00a0insurance dongles plugged into dashboards. 
Now an automotive security researcher is calling attention to yet another potential inroad to a car\u2019s sensitive digital guts: the auto dealerships that sell and&nbsp;<\/p>\n<p><a class=\"btn btn-style\" href=\"https:\/\/www.autofacets.com\/insights\/car-hack-technique-uses-dealerships-to-spread-malware\/\">Continue Reading<\/a><\/p>\n","protected":false},"author":3,"featured_media":1815,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[99],"tags":[146],"class_list":["post-1813","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dealers","tag-cyber-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/posts\/1813"}],"collection":[{"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/comments?post=1813"}],"version-history":[{"count":7,"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/posts\/1813\/revisions"}],"predecessor-version":[{"id":4163,"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/posts\/1813\/revisions\/4163"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/media\/1815"}],"wp:attachment":[{"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/media?parent=1813"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/categories?post=1813"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.autofacets.com\/insights\/wp-json\/wp\/v2\/tags?post=1813"}],"curies":[{"name":"
wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}