Connected car technology vulnerabilities tested in Cyber Security Challenge
Amateur hackers have tested how to penetrate a car rental company's IT system through a third-party Internet-connected device installed in one of its vehicles.
The scenario, enacted as part of the Cyber Security Challenge 2017, saw six groups of aspiring cyber defenders break into a GPS tracking device to be installed into a fleet of cars owned by a fictional car leasing company. Through the device, they were able to breach the company’s internal computer network and book a ride in one of the firm’s luxury vehicles, bypassing all approval and registration procedures.
“It’s a device that has hard-coded credentials that are available for anybody to read as long as they get hold of the firmware,” explained Ian Lyte, security consultant at Protection Group International (PGI), who prepared the challenge. “That allows you to execute commands from the device. It exploits the same principle as the one used by the Mirai botnet that has taken down some major websites last year. You can find the same sort of thing in many medical devices as well.”
In the real world, attackers exploiting the path examined by the challenge participants would not only be able to collect the car and drive away with it, leaving no trace behind, but could also steal the company’s financial records or directly transfer funds.
“Once they reach the end of the game, they will have a presence on the internal network of the company. They can go and see finance, they can transfer money, they can try to target specific individuals,” Lyte explained. “They have complete control of what they can do in that network, they can go and sit there, they can visit other servers, and they have got passwords and other credentials. It’s exactly the same as somebody coming in and plugging a laptop in.”
Lyte said that while car manufacturers themselves usually pay close attention to the security of their systems because of the high public profile of connected car technology, makers of Internet of Things devices that could be plugged into the car by owners present a much larger source of vulnerabilities.
The most disconcerting thing about this type of vulnerability, according to some of the Cyber Security Challenge contestants, is the fact that it could be exploited by anyone with moderately advanced IT skills, using instructions publicly available on the Internet.
“You buy these devices off the shelf and install them in your home, and if someone’s clever enough to understand how they work, they can cause a lot of damage,” said web developer Mark Brown, who took part in the challenge to expand his understanding of cyber security.
“You can find all this information online anyway. All you have to do is to search Google and find out how to break into this, how to exploit this feature. All that information is available on the internet, you don’t necessarily need to understand it but if you know where to find it then anyone can basically do what we are doing.”
The absence of encryption, coupled with an inability to patch vulnerabilities as they occur, is a major shortcoming of many Internet of Things devices available in today’s market, according to Lyte. “If you have something that can’t be upgraded and a vulnerability is found, if you have an internet-connected device at home or in a car, that can’t be updated, once that vulnerability has been found, there is nothing you can do,” Lyte said.
“Most car manufacturers can issue updates over the air, but if you look at the majority of connected products on the market, especially the cheaper ones, they have no safeguards in place. They rely on what we call security through obscurity, they simply don’t expect anyone to go and do something.”
The Cyber Security Challenge 2017 takes a detailed look at the Internet of Things problem, which has been preoccupying experts for the past few years. The issue received wider public recognition following last year’s Mirai attack, which compromised millions of web cameras, connected printers and other systems.
The car technology hack, which took place in Bristol on Saturday 25 February, was the first of the competition’s 2017 semi-final events.
The Cyber Security Challenge, which debuted in 2010, seeks to find the best of the UK’s cyber talent and encourage enthusiasts to consider a career in the industry, which is desperately struggling with the lack of skilled professionals.
According to a recent report by the International Information System Security Certification Consortium, the shortfall of skilled cyber security professionals will reach 1.8 million globally by 2022.
The Cyber Security Challenge has a successful track record of matching talent with the relevant businesses and organisations. Over the years, more than 50 per cent of the participants of semi-finals have found employment within the sector soon after taking part in the challenge.