According to new research from Pen Test Partners, hackers could attach an ELM327 Bluetooth module to analyse the traffic and read CAN messages. If left in, a hacker could shut the car down.
https://twitter.com/OBD16shop/status/636424859526926336
Dennis Kengo Oka, Senior Solution Architect at Synopsys:
“Car manufacturers and suppliers should incorporate security in the entire software development lifecycle. Car manufacturers and suppliers should perform security requirements reviews, design reviews and risk analysis before software development event begins. During software development, code reviews, and automated tools for static code analysis and software composition analysis should be used to detect software vulnerabilities in own developed code as well as open-source software used in the car. Additionally, to detect unknown vulnerabilities in the implementation of automotive components fuzz testing should be executed. Finally, to test how well the car or automotive component holds up against a real attacker, penetration tests should be performed. Car manufacturers and suppliers need to improve their engineering processes to incorporate cybersecurity at every step in the development lifecycle.
“To protect their cars from hacking, vehicle owners should ensure that the software on the car is up-to-date (e.g., if car manufacturer provides software updates that have to be manually applied by the owner, apply them as soon as possible). Disable any unused communication interfaces (such as Wi-Fi, Bluetooth), avoid plugging unknown devices into the car (e.g., USB memory sticks, OBD-2 dongles).
“There are currently several standardization activities ongoing such as ISO21434 and UNECE WP.29 which will assist car manufacturers and suppliers to improve their cybersecurity posture. This would also for example include monitoring for new threats and attacks not only during development but also after vehicles have been sold. Since vehicles are on the streets for 10-15 years, it is imperative that cybersecurity encompasses the entire lifetime of the vehicle.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.