It’s been a week since I posted my project’s first status report. Since then I’ve continued my work on the regulations and setting a baseline, but I’ve expanded a little bit to cover the topic of a connected car. This being one of the key segments of my research it’s important to set a really strong baseline. One thing that I quickly realized is that a connected car is, as the title says, just a smartphone on wheels. Filled with apps, chipsets, and network configurations, a car is just as vulnerable, (if not more so), than a modern-day smartphone. Last week I touched on the rules and regulations that are being developed, but this week my focus was on defining the modern-day connected car.
There are two sides to the technology inside a connected car, the internal and external. Quickly my focus shifted onto the external factors that make a car connected. These are things like Bluetooth, CarPlay, and Satellite, as well as some others. Each of these makes the car more enjoyable for the daily drive to work. As a consumer these aren’t thought to be insecure, Bluetooth for example gets used every day in most cases. Bluetooth is pretty insecure at its base, and when you put that in a car it becomes a problem. Internally poses a different risk. When it comes to external threats, those are just ways to get into the car and access its network. Internally threats are the things controlling your car, so from the traction control, to the airbags, even to the turn signals.
Both of these separate shouldn’t be an issue for any auto manufacturer. It’s the fact that in many older cars, these two networks communicate with each other through what’s called a CANbus. This means someone that gains remote access through the Wireless stack, can, with a little bit of know-how, send spoofed messages to the CANbus and tell the car to do what they want.
Using this information that I’ve gathered about the ins and outs of connected vehicles, I’ll be trying to put together a threat model surrounding connected cars over the next week. This includes the attack vectors as well as the damage potential they can cause. If you’re interested in hearing more about that be sure to check in next week as I’ll be posting an update on my status then.
Follow us for more updates on this project!
For further questions about Munich Cyber Security Program, or this project please feel free to contact mcsp@comcode.de
Written By: William Alber '22 // Computer & Digital Forensics