Kaspersky Lab: Personal data, updates software and mobile devices applications for interconnected cars are potential targets for digital criminals.
Kaspersky Lab and the Interactive Advertising Bureau (IAB) in Spain presented the First Annual Study on Interlinked Cars, a groundbreaking survey.
The main purpose of the study is to provide a comprehensive overview of the interconnected car market by combining all available information to provide answers to important questions. In addition, the survey attempts to look more closely at the software ecosystem currently offered by car manufacturers, which is particularly fragmented. Vicente Diaz, Principal Security Researcher of Kaspersky Lab, was responsible for the research section on the potential safety issues raised by automotive connection to the Internet.
The drivers δεν μπορούν να αγνοήσουν πλέον τις ανησυχίες για την ασφάλεια των επικοινωνιών και των Διαδικτυακών υπηρεσιών που συμπεριλαμβάνονται στη νέα γενιά των διασυνδεδεμένων αυτοκινήτων. Σήμερα, τα αυτοκίνητα δεν διαθέτουν μόνο ηλεκτρονικά βοηθήματα για την οδήγηση, αλλά προσφέρουν και δυνατότητες accessς σε κοινωνικά δίκτυα και λογαριασμούς email, σύνδεσης με smartphone, υπολογισμού διαδρομής κλπ. Οι τεχνολογίες αυτές προσφέρουν μεγάλα πλεονεκτήματα στους οδηγούς, φέρνουν, όμως, και νέους κινδύνους για τους χρήστες. Γι' αυτό είναι απαραίτητη η ανάλυση των παραγόντων που θα μπορούσαν να οδηγήσουν σε ψηφιακές επιθέσεις και ατυχήματα.
Personal data, updates, and smartphone applications for these cars could be three separate attack agents for digital criminals. "Interconnected cars can open the door to long-standing threats in the world of PCs and smartphones. For example, vehicle owners may find that their codes have been stolen. In this way, the position of their vehicle could be located, while its doors could be unlocked remotely. Personal data protection issues are vital and today's drivers must be aware of the new risks that were not previously available, "said Diaz.
Kaspersky Lab's analysis, based on the study of BMW's ConnectedDrive system, has identified several potential carriers of digital attacks:
Stolen Identity Information: The theft of the data required to gain access to the BMW website - using known means, such as phishing, keyloggers or social engineering - could lead to unauthorized third party access to user information and then access and the vehicle itself. It is still possible to install a mobile application with the same access details that could activate remote services before starting the vehicle.
Mobile Applications: If mobile services are activated that allow a car to be unlocked remotely, a new set of keys is essentially created. If the app is not protected, anyone can gain access to the car by stealing the owner's phone. Using the stolen phone, a criminal could change the apps' database and bypass any authentication that requires entering a PIN code, making it extremely easy to activate remote services.
updates: Η αναβάθμιση των bluetooth drivers πραγματοποιείται με το «κατέβασμα» ενός αρχείου από τον ιστότοπο της BMW και την εγκατάστασή του μέσω USB. Αυτό το αρχείο δεν είναι κρυπτογραφημένο, ενώ διαθέτει πολλές πληροφορίες σχετικά με τα εσωτερικά συστήματα που «τρέχουν» στο όχημα. Έτσι, κάποιος εγκληματίας θα μπορούσε να αποκτήσει δυνατότητα πρόσβασης στο αντίστοιχο περιβάλλον πληροφορικής, καθώς και να το τροποποιήσει ώστε να «τρέξει» κάποιον κακόβουλο code.
Communications: Some features communicate with the SIM card inside the vehicle via SMS. Violation of this communication channel makes it possible to send "false" instructions, depending on the encryption level adopted by the administrator. In the worst case, a criminal could replace BMW's communications with his own instructions and services.
The study also examines Internet connectivity and leading applications in the Spanish automotive industry. Additionally, it analyzes business models and future trends for connectivity platforms. THE report, which analyzes 21 different car models, has come to the following conclusions:
- There is a great deal of fragmentation in operating systems, connectivity, and applications.
- Free services have time constraints: many manufacturers offer free subscription only for a certain amount of time
- There are coverage problems, as many online services need a 3G connection
- Data usage: Some users will have to pay for additional data
- Voice guides: Used by most models, as it is one of the safest ways to control connectivity.
The study was held by IAB Spain in partnership with Applicanttes, The Motor.com and Kaspersky Lab.
