Redirecting you to
Podcast Jan 23, 2023

Root Causes 271: A Whole Fleet of Identity-based Automotive Hacks

A white hat security researcher recently revealed a large number of identity-based vulnerabilities across many automotive manufacturers. In this episode we explain how a group of white hats exploited these manufacturers' dependence on non-secret "secrets" such as VIN or email address to force a raft of unacceptable behaviors across a large number of automotive brands.

  • Original Broadcast Date: January 23, 2023

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So we want to talk about a blog post from January 3 from someone who calls himself - Sam Curry, who says he is a web application security researcher and this is a post. It starts out with this very amusing video where he shows how he and his friends came across a set of electric scooters and did something to them there on the street to make them all flash their lights and honk their horns at the same time. And it’s a funny video where they are doing that. But then it goes on to say as a consequence of this that Sam and a community of people proceeded to try to see what they could find in various vehicles and the list of vulnerabilities and exploits that he lists that they were able to do is pretty stunning.

  • Jason Soroko

    Very stunning. Let’s break down really what’s been going on here. I want to compare and contrast a little bit to say, you know, a famous car hacking example, Charlie Miller, back X number of years ago, car takeovers, things like this. I think what Sam’s approach was to look at two things.

    Basically, identities of a car. Let’s think about identity for a moment. Most car manufacturers when they are making the choice of, hey, there’s some sort of personalization going on with the vehicle. You are choosing to have your car seat position digitally remembered in a vehicle. You are making choices, you know, fleet management, etc. When car manufacturers are deciding how do we store a certain set of personalization against a vehicle, well, there’s that VIN number. It’s unique to each car. The problem is that it’s not a secret.

  • Tim Callan

    It’s not a secret at all. When you drive it off the lot, it’s written on the back of your car.

  • Jason Soroko

    That’s right. So if cars were not connected by computers then who cares. If there was no networking, if there was nothing reaching out and talking to a big cloud server somewhere, hey, whatever. The problem is, as you know, as everybody listening to this podcast knows, cars are basically rolling laptops and they have networking protocols and etc., etc. Well, how much time do we spend on this podcast talking about secure digital identities.

    That’s most of what we talk about and unfortunately, what we are finding in the car industry is that because they don’t listen to this podcast enough apparently, they are choosing secrets for digital identity that are not secret. And so therefore, what you’d think is ok that VIN number, whatever, it’s publicly known information. You can walk up to a car and read the VIN.

    Most of the time. And so therefore, it’s just like something we’ve argued before where your fingerprint, your eyes, your voice – our voices aren’t a secret. We are giving them to you right now. The whole point about a weak secret is if you are going to use weak secrets to do unique identification, you should be associating that with a strong secret in order to be able to do things such as attest yourself into a cloud webserver. If you are storing sensitive information, PII, the ability to turn off a starter on a car, the ability to do - -

  • Tim Callan

    The ability to command a car to drive to a certain location.

  • Jason Soroko

    Exactly. And think about autonomous cars which are coming at some point in the future. We don’t think about cars as having a personality or being personalized but they are. There is a lot of personalized information to each unique individual vehicle and those systems on the car, the car being a computer in itself just like your laptop, your mobile device, you are interacting with the cloud; you are interacting with servers here and there and everywhere and the way in which we do that securely, Tim, in the real world, is to use strong secrets and then authenticate and make sure that bad guys can’t do the same thing.

    Unfortunately, what we are seeing in Sam Curry’s research is that this combination of weak authentication at the point of APIs and weak authentication or non-existent authentication in many cases leads to these kinds of white hat research reports that just seem absurdly crazy.

  • Tim Callan

    By the way, I’ll just say it right now, the title is Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, DMW, Rolls Royce, Porsche, and More. So, Samcurry.net. It’s a blog. You can go there. You can find this article very easily. So I won’t read it all but some of these are just amazing. Kia, Honda, Infiniti, Nissan, Acura – fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights and honk vehicles using only the VIN number. Full remote takeover and PII disclosure via the VIN number. There’s some of these things, there’s ability to change ownership; there’s abilities to inject code or update your own code for various vehicles. Hyundai Genesis fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights and hock vehicles using only the victim email address. So that’s another secret that isn’t necessarily very secret. I give that email address to all kinds of people. People know my email address because they send me emails all the time and also, by the way, these things get bundled up and harvested and sold. So, trivially easy to get email addresses. And this goes on and on and on and it’s many manufacturers and many different types of really bad things. Some of these things you can shut off the engine. You can steal information. You can do a full account takeover for many manufacturers and things. It’s worth reading.

  • Jason Soroko

    So, Tim, what’s interesting to me is, you know, I won’t read off the list of the vehicle manufacturers because it’s almost everybody. It’s a who’s who. And in the past, we’ve seen certain researchers just look at specific brands of vehicles. I think what Sam’s research here is showing – and this was actually discussed in his blog – it’s important to know. I think a lot of people jump in their car and the car manufacturers have done a great job of making you think that everything you are touching in your car and that’s car experience is associated with the brand name of that car. Sit in a Honda, everything about it feels like Honda. In reality, that dashboard wasn’t made by Honda.

  • Tim Callan

    It’s made by some OEM. And that is being provided by other automobile manufacturers as well.

  • Jason Soroko

    And in fact, there are a lot fewer of these Tier 1 automotive providers than there are automotive brands and so what it shows you and what Sam is showing us here is that there is a monoculture.

    So think about, Tim, one of the devastating results of genetic singleness for lack of a better way of putting it in things like a wheat crop. You get a virus. You get a bug of some kind that has genetically figured out how to optimize it’s way into a particular crop of wheat where they are genetic clones of each other. You can wipe out the entire wheat crop in a moment. Like that’s the problem. And so the way that Mother Nature solved that way before we ever started to do genetic modification was every wheat stalk was just a tiny bit different and so you’d only lose part of the wheat. You’d never lose everything. The way cars are made you don’t think of the brand names as being clones of each other but the digital aspect of automobiles is a monoculture and so that’s why white hat researchers and, unfortunately, the bad guys as well, they know this. So they don’t have to work very hard to – hack one, you’ve hacked them all. Or hack many. And I think that is part of the lesson of what is being taught here. It’s not just that we are using weak credentials with weak authentication schemes but also what’s making this super - -

  • Tim Callan

    The footprint of what I can affect is very, very large.

  • Jason Soroko

    Very large. Once you’ve found the vulnerability, which is not really a tough vulnerability, it’s not a high bar to have to leap over, all of the sudden you as a bad guy can affect things in a big, big way. I’ll tell you, Tim, this goes back to an old theory I’ve had that it’s similar to critical infrastructure and we have to ask ourselves, oh my goodness, critical infrastructure you’d think would have the best security there is. And, in fact, we know it’s the opposite.

    So therefore, why haven’t we seen more bad guys attack X, Y and Z? I think it’s because there is a certain discipline aspect. You know, why hurt people when you can do fraud. You know, nation states, they pick their moment when they want to go to war. They don’t just cause mayhem all the time.

  • Tim Callan

    But where we have seen that, to use your infrastructure example, where we absolutely have seen that is with ransomware attacks. Because now it is economic. I’m gonna shut off your pipeline until you give me a whole lot of money.

  • Jason Soroko

    Therefore isn’t it interesting that it comes down to money which is where we see most of these attacks. When it comes down to automobiles, you know, I think Charlie Miller said it best. I remember being in a conference room when he said it. Especially when you are dealing with this monoculture problem. His problem was in fact with one particular auto maker and he and Chris Valasek basically said on stage their biggest problem was trying to only manipulate an individual car. It would have been easier to cause mayhem on a whole fleet of vehicles. They had to work extra hard to keep it minimal.

    Think about this for a moment. Think about not just these white hats that are fantastically calling this all to our attention but what’s the motivation for a bad guy to - - there’s really nothing stopping bad guys from causing absolute mayhem.

  • Tim Callan

    And so you think about the scenarios where this could occur. This certainly could be a form of a terrorist attack. It certainly could be a form of a ransomware attack. Hey, I’m in your fleet. Give me this much money or I’m gonna make everyone of your vehicle engines shut off at the exact moment regardless of where they are and what they are doing. Which would definitely result in many deaths and do that in rush hour and, you know, it’s really bad. And you could also see that as a nation state level attack. We are now in the system and we are ready to shut off every vehicle of a certain manufacturer in North America and we will use this in the event that things escalate to that level. And this is a lot like what you and I have discussed with other infrastructure. Power, water, fuel. It just feels like to some degree you start thinking of a nation’s fleet of vehicles as infrastructure and all the same things apply.

  • Jason Soroko

    Absolutely. Let’s bring this down to now even just to the consumer levels. When mobile devices first came out there were all kinds of issues and you and I reported on a lot of these things over the past couple years. Talking about the past, self-signed certificates which were so easy to convince somebody to download and therefore you could start intercepting communication. That’s fairly sophisticated. But it’s things that mobile device manufacturers and operating system vendors kind of solved.

    Mobile devices are – well, they are far from perfect but if they were as bad as automobiles appear to be, my God the heartburn that consumers would have just on privacy issues. Never mind public safety issues but with an automobile, we’ve talked a few times on this podcast about automobiles becoming kind of the new mobile devices. They are so computerized, so connected and I think when we start to have autonomous vehicles in the future that will become even that much more so.

  • Tim Callan

    And I feel like – and I don’t have evidence for this, this is just my impression – but I feel like part of what is going on here and, again, this also applies to the infrastructure discussion, is that these other forms of devices aren’t used to being scrutinized for IT security in the same way that our computers have been. So people who have made mobile devices and laptops have been very cognizant for a long time about the fact that these things are gonna get attacked and in the world of cars and electricity grids and probably other things along these lines, there’s just less of that cultural institutional thinking. If you are in the world of automobiles, you are trying to make sure that if it hits a brick wall the occupants don’t die. And you’re very focused on that and you’re very good at that. But this other thing isn’t nearly as attended to.

  • Jason Soroko

    It’s not like the automobile manufacturers haven’t known about these issues for quite a while.

    Charlie Miller brought it to our attention X number of years ago and it was even understood before that that there were problems. But now we are talking about very, very computerized automobile systems and we are talking about a compounded problem. Not just a privacy or the risk of fraud, but we are now talking about personal and public safety. It’s all of these things and I think we should be thinking about these things at the critical infrastructural level, Tim.

    So therefore we are talking about culture. You know what? We know technologically how to solve a lot of these problems. PKI industry has been solving problems of strong personal identities, the ability to personalize mobile devices and computers, secure communication to APIs, all these things that has been pointed out in the blog post that we are referring to today and the car industry is also aware of that as well. The argument that I have heard, Tim, and I will end it with this – the argument that I’ve heard is, oh, we are very cost sensitive. One penny more on the price of a vehicle is too much for the market to bear. You know, when is that gonna end? It’s not just because I work in the security industry but I’d pay more than a penny to know that I was in a vehicle that some bad guy couldn’t just run me off the road.

  • Tim Callan

    And the struggle with that of course is that, in reality, these things are all charmed priced, which means that changing a dollar worth of cogs does not actually change the price to the consumer because that’s charmed price. That’s set at a certain level and so what it’s really doing is it’s affecting the margin on that vehicle and it’s affecting the margin to the tune of the cost of that security improvement, which is if you are losing a dollar a unit, it’s easy to imagine the trade off there where it’s worth a dollar a unit for the sake of preventing this kind of thing from occurring. I mean all one of these guys needs – and this in a way this harkens back to conversations we’ve had a lot about how companies pay $100-million in fines because they had an expired certificate and they could have solved the whole thing with a $10,000 automation solution. All one of these guys needs is for there to be a massive attack where all of the sudden every single one of a certain make a model does the exact same thing at the exact same time and it doesn’t even have to be the engine shuts off or the brakes don’t work. It could be the lights flash and the horn honks. And if every single 2021 make and model of this certain vehicle – I’m not gonna pick on a manufacturer – all of the sudden had horns honking and lights flashing at the exact same time at 2:00 p.m. on a Tuesday throughout the country that would be some pretty bad press and it would have been worth a dollar a vehicle to not have that happen. So this feels to me like it’s very similar to this fallacy that we see in the certificate management world which is that there’s this outsized risk that is very inexpensive to solve but because that particular company hasn’t had a problem with that particular risk yet that they don’t bother to eliminate the risk.

  • Jason Soroko

    Tim, it’s funny, we’ve talked about in the past about IoT legislation. It’s not like the government hasn’t stepped in when things got just insane. I think we’re here with the automobile industry especially as we become more and more and more connected and computerized. Maybe it will be regulation. But I think you are right. The impetus will probably be a disaster of some kind. I think that the nation states who know all of this stuff and know that they could use this to cause mayhem, huge mayhem on highways all across the world, well, they are biding their time hoping that regulation doesn’t happen. Hoping the car industry continues to sleep on this issue because they want to be able to choose their moment to cause mayhem when they need to down the road. But is that the kind of world we want to live in?

  • Tim Callan

    No. I mean and obviously, whether it’s the ransomware scenario or the terrorism scenario or the state-sponsored hacker scenario or some other scenario that we didn’t think of and bring up, obviously that outcome for everybody who isn’t one of those actors is bad. And just think about the havoc that could be wreaked if you could do a widespread attack on motor vehicles that are on the road. Nobody wants that.

  • Jason Soroko

    So good on the white hats for continuing this work because I guarantee behind the scenes the work of the automobile lobbyists against your white hats, automobile industry lawyers who probably have very awkward conversations or terrifying conversations with the white hats, I gotta tell you I bet you they are - -

  • Tim Callan

    I would hope not. I would hope that responsible disclosure was used here. Like responsible disclosure in the computer technology industry is, at this point, is so well understood and established and just about every manufacturer follows the rules of etiquette. I would hope that these guys would have their heads clear that they would rather a white hat showed them something that was wrong even if they publish it on their blog than have all their vehicles steering into pylons one day.

  • Jason Soroko

    Absolutely. I guess the pessimistic side of me is like there’s always forces that are gonna try to keep this - - so that they can continue to do nothing for longer. Anyway, I haven’t spent enough time in the automobile security culture for a while. I do know that a lot of good work had been done it’s just none of it has been implemented yet. And we will be on top of this topic.

  • Tim Callan

    We will be on top of this topic. It’s fascinating. So there you go. Probably enough for now. Thank you, Jay.