Internet-connected cars are becoming a reality, and various international studies show that their market will continue to grow in the near future. But this emerging trend in the automotive industry can also become a new vehicle for cybercrime, according to Kaspersky Lab, a leading developer of secure content and threat management solutions.

Announcing the First Annual Connected Cars Study that seeks to provide an overview of the connected car market, Kaspersky Lab said motorists can no longer ignore safety concerns about the communications and Internet services included in the new generation of connected cars.

Kaspersky Lab said privacy, software updates and car-oriented mobile applications in Internet-connected cars are three areas where cybercriminals could potentially launch attacks.

“Connected cars can open the door to threats that have long existed in the PC and smartphone world,” said Vicente Diaz, the Principal Security Researcher at Kaspersky Lab who developed a proof of concept to analyze the safety implications of connecting these cars to the Internet.

“For example, the owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely. Privacy issues are crucial and today’s motorists need to be aware of new risks that simply never existed before,” Diaz explained.

Kaspersky Lab’s findings are somewhat timely for the Philippines. According to a study released by market intelligence company Transparency Market Research, Asia-Pacific will be the fastest growing region in terms of connected cars.

“If this business forecast comes true, then Asia-Pacific countries like the Philippines must brace for cyber attacks on Internet-connected cars,” said Jimmy Fong, Channel Sales Director of Kaspersky Lab SEA.

Kaspersky Lab’s proof of concept, which was based on analyzing BMW’s ConnectedDrive system, found several vulnerabilities to potential attacks:

Stolen Credentials

Information needed to access BMW’s website can be stolen by using familiar means like phishing, keyloggers or social engineering. These methods could result in unauthorized third-party access to user information and then to the vehicle itself. From here, it is possible to install a mobile app with the stolen credentials and enable remote services before opening up the car and driving it away.

Mobile Application

By activating mobile remote opening services on a phone, a new set of virtual keys for your car is created. This could give anyone who steals your phone instant access to your vehicle. With the stolen phone, it would be possible to change database applications and bypass PIN authentication, making it easy for a cyber-attacker to activate remote services.

Updates

Bluetooth drivers are updated by downloading a file from the BMW website and installing it from a USB. The downloaded file, which is not encrypted or signed, contains a lot of information about the internal systems running on the vehicle. This could give a potential attacker access to the targeted environment, and the file could also be modified to run malicious code.

Communications

Some functions communicate with the SIM inside the vehicle using SMS. Hence, breaking into this communication channel makes it possible to send “fake” instructions, depending on the operator’s level of encryption. In a worst-case scenario, a criminal could replace BMW’s communications with his/her own instructions and services.

Kaspersky Lab said it is essential to analyze these different vectors that could result in cyber-attacks, accidents or even fraudulent maintenance of the vehicle.

With its First Annual Connected Cars Study, Kaspersky Lab aims to bring some unity to the highly fragmented software ecosystem currently offered by car manufacturers.

The study was conducted by Kaspersky Lab in collaboration with IAB Spain, Applicantes and Motor.com.