Old smart car exploits can allow hackers to leak data, demand a ransom, unlock your doors, or track your location, according to Kaspersky Lab.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Exploits for almost any connected car model can be found on the Dark Web. — Kaspersky Lab, 2018
- Connected car owners should use only official apps and accessories, update firmware regularly, and scan connected car mobile apps with antivirus to stay safe. — Kaspersky Lab, 2018
Exploits for almost any connected car model can be found on the Dark Web. These modules and tools allow hackers to create backdoors, leak data, demand a ransom, track your location, or even gain control of your car's locks or airbags, according to research from Kaspersky Lab.
Modern smart cars offer a number of attractive features for consumers, including the ability to connect to the internet, download maps, exchange data with service centers, and perform remote diagnosis and maintenance, researchers noted.
However, many of these features are costly to purchase through the manufacturer's channels, leading consumers to look elsewhere to access them. Hackers have been able to find vulnerabilities in connected cars that grant them access to the digital certificates protecting these features, and are selling them on the Dark Web and other underground forums, Kaspersky Lab found.
Researchers found tools such as modules for resetting the mileage or reloading airbags after an accident, as well as those for diagnosis and unlocking paid features, pirated navigation apps, and unlicensed accessories—all meant to attract consumers looking to save money.
However, you get what you pay for, the researchers noted: When connected, these tools gain access to the entire car system, including the owner's confidential data and control functions—opening up new areas for cybercriminals to exploit.
Depending on what code hackers inject into the firmware, they can potentially gain almost unlimited control over the vehicle, according to the researchers. This means they can monitor the car's location, listen in on conversations, access a smartphone connected to the system, or turn off the alarm and unlock the doors. Hackers may even be able to inject ransomware that prevents the car from moving until the owner pays up in cryptocurrency.
"Features such as remote fault diagnostics, telematics and connected infotainment significantly enhance driver safety and enjoyment, but they also present new challenges for the automotive sector, as they turn vehicles into prime targets for cyberattacks," Sergey Kravchenko, senior business development manager of Kaspersky Lab, said in a press release. "The growing risk of a vehicle's systems being infiltrated or having its safety, privacy and financial elements violated requires manufacturers to understand and apply cybersecurity."
Cybersecurity should be considered just as important as safety when it comes to car manufacturing and purchasing, Kravchenko said in the release. "Car safety features can be switched off remotely with software commands without due check and protection," he added. "So, if your system is not secure—it's not safe."
Kaspersky Lab offered the following three tips for protecting your car from cybercriminals:
1. Use only official apps and accessories.
2. Service your vehicle properly and update its firmware regularly. Don't ignore firmware updates for your model, as they will likely fix some issues before they become a problem.
3. Scan mobile apps for connected cars with antivirus. That way, intruders won't be able to steal registration data from your smartphone for resale on the black market.