Connected Car study shows that connected cars like BMW are vulnerable to hacks

Kaspersky Lab and IAB published their First Annual Connected Cars Study. Vicente Diaz, Principal Security Researcher at Kaspersky Lab, researched the report about connecting cars to the Internet. However, the auto industry is diligently monitoring threats through its own organizations, and most threats require physical access to interior parts of the cars in order to work.

Connected cars with social networks, email, smartphone connectivity, route calculation and in-car apps can be risky, the report noted.

A point of attack is not the car, but the web portal where car features are registered or initiated. It is really important not to give out the VIN, your user name or password to any kind of phishing scheme, especially if your car has remote door unlock, remote start, remote lights and remote A/C and heat. A hacker could not only open the car door but, after opening the doors, steal your passwords to other systems and get your contacts.

Privacy, updates and smartphone apps for cars could be turned into three separate attack vectors for cybercriminals. The types of attacks are similar to those found in the PC and smartphone world, such as password theft that would show the location of the car and enable the doors to be unlocked remotely.

The study analyzed BMW’s ConnectedDrive system and found several places for possible attacks:

  • Stolen password: Stealing the passwords and user names needed to access BMW’s website, using familiar means like phishing, can open the car doors to theft. The hacker gets the password and user name, installs the app and can then unlock the doors before driving the car away.
  • Mobile Application: Mobile door opening is another set of car keys; anyone who gets your phone can get into your car if the application is not secured. That’s why it’s important to lock our phones.
  • Updates: Bluetooth drivers are updated by downloading a file from the BMW website and installing it from a USB drive. This file is not encrypted and has a lot of information about the internal systems running on the vehicle. This could give a potential attacker access to the targeted environment, and could also be modified to run malicious code.
  • Communications: Some connected car functions communicate with the SIM in the car using SMS. A hacker could break into this channel and send ‘fake’ instructions, depending on the operator’s level of encryption.

The report looks at all major players in the Spanish car market and found that apps and connections are fragmented, with limited times for free subscription. Voice activation is the safest way to control cars.

The study was conducted by IAB Spain with Applicantes and Kaspersky Lab; it covers only cars sold in Spain and is written in Spanish.