Could Hackers Drive Your Car Off a Bridge?

What if hackers took control of your car? This hypothetical has been floating around for decades as an illustrative example of what could happen when cyber attacks bleed into the physical world. The idea of being behind the wheel yet totally at the mercy of an invisible, malicious driver is terrifying to say the least. So I have some bad news: the hypothetical has become a reality.

Major Flaws Found in Popular Auto Tech

I am not the first person to observe that today’s cars are essentially computers on wheels. Highly digital and internet-connected, cars work basically like any other IT asset – except for the fact that they weigh a ton and go 100 miles per hour.

As cars have become increasingly digital, an aftermarket has developed for automotive tech that supplements the systems built into the car to increase performance, comfort, etc. GPS trackers are one example. Popular on fleet vehicles, GPS trackers record and report a vehicle’s location and, to varying degrees, control what the vehicle can do.

Cybersecurity researchers at BitSight recently evaluated one of these trackers: the MiCODUS MV720. They discovered significant security flaws. I will cover those in a second. But first, consider the potential risks of those flaws, as highlighted by the researchers:

  • Injury or loss of life
  • National security breaches
  • Property damage
  • Supply chain disruptions
  • Individual or fleet-wide ransomware
  • Surveillance and tracking

Any (or all) of these scenarios are possible because the flaws the researchers discovered allow hackers to gain administrative privileges over the trackers. Those privileges let them track vehicle locations (for who knows what nefarious purpose). Worse, these trackers give administrators the ability to disable the engine at will.

Hackers may not be able to drive the car off a bridge. But they can still cause ample chaos, put lots of lives at risk, and bring down an entire vehicle fleet all at once.

Eager to emphasize how alarming these flaws are, the researchers propose several possible exploits. Hackers could disable emergency vehicles en masse so that police and fire can’t respond. They could monitor when a vehicle is on a busy highway and cut power suddenly to cause a multi-car pileup. They could use tracking capabilities to surreptitiously spy on someone everywhere they go. Or they could disable a vehicle and demand a ransom to restore access. Unfortunately, this list barely begins to cover all that could go wrong when vehicles are a tool of cyber attacks.

Where Researchers Found Flaws

The six flaws found in the GPS trackers are worth reviewing for what they reveal about the flaws lurking in insecure connected devices (automotive or otherwise) and the tactics hackers use to exploit them:

  • Hardcoded Password – Using a master password lets unauthenticated users take control of any tracker.
  • Broken Authentication – Authentication issues let hackers exploit the API server to launch a man-in-the-middle attack.
  • Default Password – Weak default passwords (123456) combined with no prompt or requirement to change them leave devices vulnerable.
  • Reflected XSS – Taking control of a script in the victim’s browser gives the perpetrator the same data and permissions the exploited user has.
  • 2 Insecure Direct Object References – Two different flaws in the web server permit hackers to alter and access information without authentication.
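Two of the flaw classes above, the unchanged default password and the unauthenticated direct object reference, sketched side by side with their fixes. This is an added example, not code from the researchers or the vendor; the account names, device IDs and function names are hypothetical, and the data is constructed.

```python
import hashlib, hmac, secrets

DEFAULT_PASSWORD = "123456"  # the weak default quoted in the list above

class AccessDenied(Exception): pass

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _account(password, must_change):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt), "must_change": must_change}

# Constructed sample data: two accounts, each owning one tracker.
ACCOUNTS = {"fleet-a": _account(DEFAULT_PASSWORD, True),  # as-shipped state
            "fleet-b": _account("correct horse battery", False)}
DEVICES = {"1001": {"owner": "fleet-a"}, "1002": {"owner": "fleet-b"}}
SESSIONS = {}  # session token -> account name

def _verify(account, password):
    rec = ACCOUNTS.get(account)
    if rec is None or not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
        raise AccessDenied("bad credentials")
    return rec

def get_device_insecure(device_id):
    """Before: the caller-supplied ID is the only input, so any known ID works."""
    return DEVICES[device_id]

def login(account, password):
    """After: no session is issued while the shipped default is still set."""
    rec = _verify(account, password)
    if rec["must_change"]:
        raise AccessDenied("default password must be changed first")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token

def change_password(account, old, new):
    rec = _verify(account, old)
    if new == DEFAULT_PASSWORD or len(new) < 12:
        raise ValueError("new password too weak")
    rec.update(hash=_hash(new, rec["salt"]), must_change=False)

def get_device(token, device_id):
    """After: require a live session AND ownership of the requested ID."""
    account, device = SESSIONS.get(token), DEVICES.get(device_id)
    if account is None or device is None or device["owner"] != account:
        raise AccessDenied("no such device for this session")  # same reply for every failure
    return device
```

The hardened lookup gives the same answer for a missing device and for someone else's device, so the reply cannot be used to learn which IDs exist.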

Perhaps more alarming than the flaws themselves is MiCODUS’ reaction when confronted with them: complete silence. Researchers made multiple attempts to share their findings with the developer, but all of those efforts were rebuffed. They then went to the Cybersecurity and Infrastructure Security Agency (CISA), which has also been unsuccessful at engaging the vendor.

It’s one thing to sell insecure devices. It’s another thing to ignore those flaws – especially when the consequences are so severe.

The Frightening Evolution of Cyber Risk

We can draw lots of conclusions from this incident, about the pervasive vulnerability of connected devices, about the egregious disregard of developers, and about the unforeseen consequences of digitization.

But what jumps out to me about this story is what it says about the evolution of cyber risk. This is just one of several recent examples of cyber attacks putting human health and safety in danger. The stakes in cybersecurity are suddenly much higher. And escalating faster than ever given the recent rise of ransomware and state-sponsored hacking. To me, this looks like the trajectory of cyber risk taking a sharp turn upwards and moving into unprecedented territory. Which is all to say, if the flaws in the GPS tracker seem bad, just wait until these flaws exist in every part of the built world. Will anything be safe?

I have my own complicated opinions, but I’m eager to hear yours. What do you think are the new frontiers of cyber risk? Can we make these risks manageable, and how? When will we start to see automotive cyber attacks become commonplace?

Admittedly, I don’t have good answers to all these questions. But if we aren’t asking them, we are doing the same thing as MiCODUS: turning a blind eye to a problem staring us directly in the face.
