- “The advanced cars are equipped with cameras and GPS systems, and they can be hacked and the data can therefore go to the enemy,” one security expert told Breaking Defense.
- “Imagine you work at a chemical research part of a base. Its location is secret. But you have a smart car. Through other espionage activities, I found out you work there. I hack your phone or your car’s online account,” Keatron Evans said. “I track your location as you go to work every day. Now I know the specific GPS location of your work facility. It goes downhill quickly from there.”
Everyone who spends time around the military or embassies knows about tight restrictions on cell phones, smart watches, and cameras.
Well, there’s a new threat in town. The Israeli Defense Forces (IDF) are evaluating the danger from connected cars with cameras and global positioning systems (GPS) and may ban their entry into its bases. Senior IDF officers get leased cars and use them to drive to work. Many Israel Air Force officers drive near advanced systems, such as US-made fighters and other aircraft.
An IDF spokesman said: “The continuous improvement in vehicle safety systems — including cameras, positioning systems, and constant Internet connectivity — is essential for improving road safety. At the same time, this exposes the vehicle and its environment to cyber threats and information security. Therefore, the IDF conducts an ongoing situation assessment to validate the evolving threats and prepare the needed response.”
Several experts here say that civilians work in many IDF bases, adding to the potential threat.
The news of concerns about the car’s possible security threat was first reported by Israeli daily Calcalist.
“It is definitely a real threat,” Keatron Evans told Breaking Defense. Evans is a security researcher at the US company Infosec, as well as an experienced penetration tester who has trained and consulted for well-known automotive company’s cybersecurity personnel.
“Most connected cars have cameras and audio recording capabilities that can be activated remotely,” Evans said. “This is by design. Sometimes within the confines of a base, people will discuss classified things that they shouldn’t be discussing outside of a classified facility, such as a Sensitive Compartmented Information Facility. When they see other people, they are more careful. But cars are generally viewed as non-threats. Add to that the fact that you don’t really even need to compromise the car, but just the owner’s car account or cell phone, and it creates literally the perfect espionage vector.”
Dennis Kengo Oka, principal automotive security strategist at US company Synopsys and author of the book Building Secure Cars: Assuring the Automotive Software Development Lifecycle, told Breaking Defense, “It is important to note that often these attacks require multiple steps, from gaining remote access to the vehicle to traversing laterally within the in-vehicle network to finally reach the target in-vehicle system. Thus, attackers need to typically bypass several security countermeasures, which generally requires a high level of skills and a large amount of time and effort — for example, to reverse-engineer communication protocols, break authentication mechanisms, etc. So, while we have seen examples of possible attacks, it is important to note that such attacks often require multiple steps.”
Elon Musk’s car company Tesla began selling its cars in Israel three weeks ago, and the demand is high. “The advanced cars are equipped with cameras and GPS systems, and they can be hacked and the data can therefore go to the enemy,” one security expert told Breaking Defense.
“Some of these vehicles boast 4k or at least HD camera capabilities,” Evans notes. “That is not just a fancy name for a resolution. You can take a seemingly harmless photo of a building 1,000 feet away, but at 4k, zoom in really close with the resulting video or picture, and you can see secrets not meant to be seen from outside the building. 4k cameras are much, much better than our eyes at spying for this reason.”
As for GPS, Evans said, “This one is a little more simple, but knowing the GPS location of a military base is not hard information to find. But the GPS location of a specific secret building on that base is a different story. Imagine you work at a chemical research part of a base. Its location is secret. But you have a smart car. Through other espionage activities, I found out you work there. I hack your phone or your car’s online account. I track your location as you go to work every day. Now I know the specific GPS location of your work facility. It goes downhill quickly from there.”
The cars themselves aren’t the only place espionage could occur, Oka noted. “While connected cars may store some sensitive and private data that can be targeted by attackers, it is equally important to consider that some of this data may also be stored in the automakers’ backend systems and in some cases also in the mobile applications provided by automakers. Thus, attackers may of course directly target a connected car to identify and exploit vulnerabilities and try to extract sensitive data, but in some instances, it may also be possible to target the communication channel between a connected car and the backend, target the backend system itself, or target the automaker’s mobile app on the user’s mobile phone. An attacker will look for the weakest link in the chain, so instead of targeting a hardened vehicle, an attacker may target the backend or mobile app instead. Consequently, besides securing the connected car itself, it is imperative that automakers also employ approaches to secure their backend systems and relevant mobile apps.”
Alissa Knight, partner at the US company Knight Ink and author of the book Hacking Connected Cars: Tactics, Techniques, and Procedures, highlighted a threat beyond just espionage: adversaries remotely hacking and controlling vehicles.
“A lot of people mistakenly think they aren’t vulnerable to attack if they aren’t driving around in a Tesla,” Knight told Breaking Defense. “The fact of the matter is, your car is connected if it was made after 2001.”
Knight demonstrated this by hacking a law enforcement vehicle in which she took remote control to include starting and stopping the engine, as well as locking and unlocking the doors. She granted Breaking Defense permission to post a YouTube video of her hacking the car, which was permitted by law enforcement in advance. https://www.youtube.com/embed/Soj3P3S3i_o?feature=oembed
Knight summarized her methodology to Breaking Defense. “While most researchers focus on vulnerabilities in the [Controller Area Network] bus of the car — requiring physical access to the diagnostic port inside the car — I’m unique in the fact that I like to focus on remote attacks via [Global System for Mobile Communications] through the telematics control unit (TCU).”
The TCU is akin to a router for the car, Knight explained, allowing the backend from the automaker to send updates or communicate with the car, such as locking or unlocking the doors or starting/stopping the engine. The cars communicate via application programming interfaces (APIs). APIs allow applications (e.g., mobile apps) and embedded systems, such as those found in connected passenger vehicles, to communicate with backend servers, she said.
“As a vulnerability researcher,” Knight said, “I tend to focus on hacking connected vehicles through the APIs or, if I’m within proximity of the vehicle, using rogue base stations (fake cell tower) targeting the TCU in vehicle. The TCU basically turns the vehicle into a mobile phone with wheels. It contains a [subscriber identification module] chip, just like your mobile phone, that allows it to talk to cell towers. But if a hacker has a rogue [base transceiver station], it allows you to control the vehicle if certain security controls aren’t in place.”
Knight added, a “secondary ingress point to connected vehicles, from my perspective, is the Wi-Fi inside and outside the vehicle.”
So, what can automakers do to harden connected cars? “As with any adoption of new technologies, especially in the case of developing more advanced systems with complex software, there is a risk of introducing weaknesses and vulnerabilities in the designs and implementations,” Oka said. “In particular, handling external communication can be difficult as the vehicle manufacturers have no control of the surrounding environment.”
In this context, Oka said, one can assume that an attacker has full control of the input provided to a connected car — for example, an attacker can fuzz the Bluetooth or Wi-Fi interface by sending a large number of malformed messages to detect potential vulnerabilities in the implementation.
“Therefore, it is important for automakers to ensure that the software handling external input is robust and can perform input sanitization and input validation,” Oka said. “In addition, it can also be assumed that it is likely that new vulnerabilities will be detected on the automotive systems in the future. Therefore, it is imperative that automakers provide [over-the-air] update capabilities to allow for patching vulnerable systems in a timely manner.”
What should be done to better protect bases and other sensitive locations? Oka suggested automakers take the following steps:
- Review standards, regulations, and best practices relevant to cybersecurity and define the target for the organization, such as organizational structure, maturity level, and processes.
- Conduct a gap analysis to understand what is already in place in the organization and what is missing to achieve the target. The results can then serve to help define a roadmap for closing the gaps, including the creation of organizational structure, process documents, and establishment of policies.
- Work on practically closing the gaps, including, for example, considering solutions for automating the steps in the processes by deploying relevant application security testing tools — such as static code analysis, software composition analysis, fuzz testing, and vulnerability scanning.
“Moreover, defense-in-depth should be followed as a general principle,” Oka noted. “A typical attack requires multiple steps, so by applying multiple layers of security countermeasures, automakers can make it more difficult for attackers to achieve their goal. For example, an attacker may be able to gain access over a wireless interface by exploiting a vulnerability. However, thanks to internal network segmentation or in-vehicle network firewalls, an attacker is prevented from gaining further access into the in-vehicle network.”
Some countries, including China, have already banned Tesla cars from entering military bases. This has prompted Tesla and its CEO Elon Musk to publicly defend the company.
The company’s Beijing office issued a statement regarding its onboard cameras on Chinese microblogging site Weibo. Last month, speaking virtually at the China Development Forum, Musk said, “If a commercial company did engage in spying, the negative effects to that company would be extremely bad.” He added the company would be “shut down everywhere.”
But Tesla, the company, as a threat actor is only part of the concern for military services. Another, perhaps far more serious threat, would be other governments hacking the cars as a means of intelligence, surveillance, and reconnaissance on bases — or for more reckless or dangerous purposes. In particular, Iran has not shied away from conducting destructive and reckless cyberattacks against its regional adversaries in the past. Following an Israeli cyberattack on Iran’s Natanz nuclear facility on Sunday, tensions are high between Israel and Iran.
If the IDF does ban cars, the leased cars and those owned by the IDF and equipped with cameras and GPS may be parked outside the bases that will operate shuttle services from the main gate. The IDF and other sensitive facilities stopped the use of video equipment made in China several years ago after some experts said that some of these systems had a “backdoor” that could enable someone to see what the video equipment sees.
Other security experts told Breaking Defense that the danger of hacking military systems calls for “hardening” certain subsystems that may be affected remotely by hostile parties.
The IDF is operating a massive cyber defense operation, but experts who spoke with Breaking Defense said that while main systems are protected, the danger can be posed by “basic threats” like connected cars.
This story first appeared in BreakingDefense, https://breakingdefense.com/2021/04/israelis-may-ban-teslas-other-high-tech-cars-from-military-bases-the-perfect-espionage-vector/?utm_campaign=Breaking%20Defense%20Networks%20%26%20Cyber&utm_medium=email&_hsmi=121156601&_hsenc=p2ANqtz-__FniDB9KwoI7cYltbp3sq6UeU0kKNFrXae3Kts7mbtzcHc3pzk7m8XzeHcemNai5ME8NDFK-znC-q9QTzNxwfYx4grA&utm_content=121156601&utm_source=hs_email
