How are criminals stealing cars via the coding of apps?
Speaking to Open Access Government, cybersecurity expert Asaf Ashekenazi of Inside Secure discusses the changing world of cybercrime.
The interview covers new car-theft methods, protecting yourself, paradigm-shifts in the cybersecurity world, predictions for the future and the unknown security risks we face every day.
This article follows our examination of keyless technology crimes, which you can read here.
1. How exactly are criminals stealing cars via the coding of apps?
“Car-controlling smartphone apps work through a cloud service, which receives a command from the smartphone app and forwards it to the vehicle. Typically, cars implicitly trust all commands from its cloud service. But this means that even when a command doesn’t originate from the owner, the car still enacts that command, as long as it came from the owner’s smartphone.
There are several ways hackers can gain control of the owner’s smartphone app. First, they can reverse-engineer the car manufacturer’s smartphone app and look for vulnerabilities in its code. If they find one, they can exploit it to attack the app and gain control over it or use the exploit to trick the cloud service that connects the app and the car.
Hackers can also look for vulnerabilities in smartphone software. If a smartphone is not updated with the latest software, or it is an old phone that is no longer supported by its manufacturer, it can include known vulnerabilities that are not patched. Hackers can easily take advantage of these known and well-documented issues to hijack the smartphone car app.
Another method used by hackers is smartphone app repackage, where hackers download the legitimate car app and use special tools to inject malicious code into the app. After the app contains the malicious code, they repackage it and post it as if it were the legitimate app. Users mistakenly download the repackaged app, thinking it is the legitimate app. They do not suspect anything because the repackaged app looks and behaves the same as the original one. Once run, the malicious content in the app allows the hacker to control the app.”
2. What can individuals do to strengthen security against such cyber-hacking measures?
“Individuals should make sure that their smartphone software is up-to-date with the newest version. They should also download smartphone apps only from legitimate sources and recognized app publishers.
More importantly, car manufacturers need to make sure their smartphone apps have the right protection to prevent hackers from reverse engineering, repackaging or exploiting the application through bugs.”
3. In your experience, what is the most ignored/misunderstood cyber-hacking threat posed to the ordinary individual?
“Generally, the main risk is the many devices that are connected to the home network and are not being updated regularly. For example, routers, printers, smart appliances, etc. Often the software in these devices is rarely updated which can allow hackers access to the home network and to other devices connected to the network.
Another future risk is in the automotive space: attacks via devices that connect to the car. In the future, this will include vehicle-to-vehicle (V2V) and vehicle to infrastructure (v2I) communication.”
4. What is your professional opinion on the risks posed by countries potentially relying on the use of cryptocurrencies?
“In theory, cryptocurrencies that use blockchain technology do not rely on a centralized entity to ensure its security and value. This makes cryptocurrencies more resilient to cyber-attacks. In practice, many people want to simplify the use of cryptocurrencies. They rely upon services that manage cryptocurrencies on their behalf (wallets). These services often host many users’ cryptocurrency accounts, making them function as banks.
However, unlike banks, these services are not regulated or government-insured. These services are targeted by cyber-criminals. Some of these services become victims to cyber-criminals who steal their customers’ funds. Very often, the users see no compensation for the loss. In addition, cryptocurrency value is not backed up by a centralised government, which some believe is a big risk.
This is not security related, so I will leave it to economists to debate.”
5. How has cybersecurity evolved during your 15 years of experience?
“During the last decade, the security world went through a paradigm shift: It moved from relying on a network security perimeter to a distributed and more diverse security approach. The old paradigm assumed that attacks come from outside the organizational network. Firewalls kept the organizational network secured from the internet, and everything within the secure perimeter was considered trusted.
But barrier systems are limited, and modern solutions have multiple layers of protection to account for this. Nowadays, a firewall alone is not enough, and IT professionals no longer automatically trust or don’t trust endpoints connected to the network. Different endpoints are given different levels of trust, which can change dynamically based on the current circumstances.
These newer systems work under the assumption that traditional security barriers can and will be breached. Therefore, the goal is not just to prevent breaches, but detect breaches before significant damage is done. This technology is possible thanks to advances in connectivity, cloud computing and artificial intelligence which can help identify anomalies in devices and system behaviour.”
6. Finally, what do you predict in terms of new car security technologies and cyber-security breaches for 2019?
“New solutions that identify breaches by analysing big data gathered from many vehicles and processing it in the cloud.”
Vice President and California-based cybersecurity expert