Hacker Uses Telematics System for Revenge

Alright, that headline is a bit much… It’s true though and re-raises some security concerns…

Apparently Omar Ramos-Lopez, 20, was laid off from the Texas Auto Center and decided he’d use a telematics system installed on some cars sold at that auto center to be very annoying. He used the system to activate the horns and lights of the cars of ~100 customers before the Texas Auto Center reset their passwords and Omar lost his access (he got in through an ex-coworker’s account; his own account was deactivated when he was laid off).

We know that the telematics system is a potential opportunity for nefarious activity, but as the integration between vehicle and outside world grows, so do the opportunities to use the system for evil. In this case it was a simple issue of poor password security among co-workers, and the WebTech Plus system that was ‘hacked’ (used to ‘remind’ people to make their car payments and to locate cars for repo) didn’t have access to particularly critical systems (it can remotely disable an ignition, but not stop a vehicle in motion). People in general are just bad about changing and protecting passwords, but even more so when the account does not include their own personal information (like access to any customer database a mechanic at an auto center might have). Also, Ramos-Lopez was able to access the web portal for the WebTech Plus system from a location other than a computer at the automall, which means there is likely no location- or hardware-based authentication. That type of control would only allow authorized computers to access the network and would add an additional layer of protection against this type of intrusion.
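As an added illustration (not code from the article, and not WebTech Plus’s actual implementation), here is a constructed Python model of the two controls the paragraph points at: per-person accounts that are disabled at offboarding, a portal reachable only from the dealer’s own network, plus a simple audit check that flags one account commanding many different vehicles in a short window. The account names, addresses, VINs and timestamps are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical dealer policy (constructed for this example).
ACTIVE_ACCOUNTS = {"mechanic_a", "mechanic_b"}     # one account per person; laid-off staff removed
DEALER_NETWORKS = [ip_network("203.0.113.0/24")]   # portal only answers clients on the dealer LAN
MAX_VEHICLES_PER_HOUR = 5                          # a real user rarely touches many cars per hour

def from_dealer_network(ip):
    return any(ip_address(ip) in net for net in DEALER_NETWORKS)

def authorize(event):
    """Return None if the command may run, otherwise the reason it is denied."""
    if event["user"] not in ACTIVE_ACCOUNTS:
        return "account disabled"
    if not from_dealer_network(event["src_ip"]):
        return "off-site client"
    return None

def flag_bursts(events, window=timedelta(hours=1), limit=MAX_VEHICLES_PER_HOUR):
    """Return accounts that commanded more than `limit` distinct vehicles inside `window`."""
    history = defaultdict(list)  # user -> [(time, vin)]
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        history[ev["user"]].append((ev["time"], ev["vin"]))
        recent = {vin for t, vin in history[ev["user"]] if ev["time"] - t <= window}
        if len(recent) > limit:
            flagged.add(ev["user"])
    return flagged

def audit(events):
    """Evaluate every logged command; return (denied commands, accounts with burst activity)."""
    denied = [(e["user"], e["vin"], authorize(e)) for e in events if authorize(e)]
    return denied, flag_bursts(events)

# Constructed audit-log entries: a normal mechanic on the dealer LAN, then a shared
# account used from an outside address to honk horns on eight different cars in minutes.
T0 = datetime(2010, 3, 17, 22, 0)
SAMPLE_EVENTS = [
    {"time": T0, "user": "mechanic_a", "src_ip": "203.0.113.10", "vin": "VIN0001", "command": "locate"},
    {"time": T0 + timedelta(minutes=30), "user": "mechanic_a", "src_ip": "203.0.113.10",
     "vin": "VIN0002", "command": "disable_ignition"},
] + [
    {"time": T0 + timedelta(minutes=i), "user": "mechanic_b", "src_ip": "198.51.100.7",
     "vin": f"VIN{100 + i}", "command": "horn"}
    for i in range(8)
]

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS))
```

The network check stops the off-site session outright; the burst check is the alert a dealer would want even if the attacker had been sitting at an authorized machine.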

Again, this is a pretty minor example, but what would happen if hackers really attacked OnStar’s (or any integrated and connected system’s) vehicle control systems? A system that can remotely locate a car, bring it to a stop, and lock / unlock the doors is a pretty powerful thing, and in the hands of the wrong person it could clearly cause massive problems (can you say, ‘a stalker’s dream come true’) for OEMs and, more importantly, end users.

I have no idea what the server-side security for these types of systems is, but I have no doubt it is extensive. Unfortunately, it’s probably not as strong as Google’s, and they get hacked often enough to worry me as a user. Many people (myself included) have significant and well-founded concerns about big-brother-type issues of GPS integrated into vehicles and smartphones (I try to close my eyes and tell myself the good outweighs the bad), and it would be bad enough to have the government using these technologies to track you or listen in on your in-vehicle conversations, but if a criminal were able to get into the systems they’d have access not only to the vehicles of the end users, but potentially also all the personal information to go along with it. Scary stuff.

At least systems like OnStar and SafetyConnect are closed systems and they gain some security from that (though if you’ve ever seen a hacked Prius you know even that system’s security is limited). The future of technology is openness and integration, and the vehicle is no exception. We’ve previously discussed the important role applications and app stores will play in the future life of in-vehicle telematics, but with this integration come significant safety and security considerations as well. As the systems give developers more and more access to the vehicle systems, the opportunities to hijack the controls increase right along with it. It’s a classic trade-off in open architectures and will be a major concern in the vehicle.

The Ford Sync and Kia Uvo systems work off of the Microsoft Auto OS and the Continental AutoLinQ system (featured later this week) uses the open source Android OS from Google.

I am a huge proponent of Open Source tech and I love the Android OS and the decision to use it, but I am still waiting to see how the homebrew community (geek speak for all the people who do the hacking and app creation for little to no compensation other than the thanks of the user community). With a Google phone you can actually download an entirely modified version of Android and install it, customized with many of the bells and whistles Google hadn’t implemented yet (if you’re interested, look for the CyanogenMod ROM). From a security standpoint, the open source community is basically self-policed. Since every line of code is available for any other developer to view, anything developed and adopted by the community generally undergoes an extensive peer review. It’s actually an amazingly effective system, but it relies on the power of the community.

Each smartphone platform also includes an approval process, which adds a layer of quality control. By choosing open platforms and offering APIs the OEMs and Tier-1s are empowering the users, but they’ll also have to give up their iron grip on the in-vehicle systems. Ford Sync believes they don’t need to be involved in the approval process, but I have to think that Continental’s system will require it.

No matter the platform, the fact is that there will be people trying to take advantage of the system, and it will be up to the provider of the framework to make sure their users are safe and secure. It’ll be a balancing act of relinquishing some control while still ensuring overall quality.
