Automotive Telematics/Infotainment Systems: Security Vulnerabilities and Risks

21 07 2012

Audi Chairman Rupert Stadler was spot on when he said:

 There is a revolution taking place. Some of the most exciting new consumer electronics aren’t the ones in your living rooms or in your offices. They’re the ones in your cars.” [1]

However with the rapid advancement in the development of vehicle telematics/infotainment systems and integration of numerous technologies in them the scope of security vulnerabilities in vehicles are exponentially expanding and the risk of potential hacker attack are rapidly growing.

A number of latest and upcoming telematics/infotainment systems in today’s automotive include the following features and technologies:

  • Vehicle Communication Systems: The main purpose of these systems is to establish an external data connection of the vehicle with telematics service provider using existing cellular technologies such as LTE, GSM, CDMA, etc. that practically makes the vehicle as a mobile node and provides it access to the cloud.
  • Radio User Apps: A number of new and almost all upcoming future vehicles are planned to be equipped with In-Vehicle Infotainment systems that support a wide variety of user apps. The user apps provide a variety of services that include audio/video services, access to social media, internet browsing capabilities, etc. A number of these app services are subscriptions based and typically contain sensitive user information.
  • Wi-Fi/Bluetooth/USB Mediums: A variety of connectivity mediums are supported in the latest vehicles that include Wi-Fi, Bluetooth and USB technologies that allow the vehicles to communicate and pair with external consumer devices such as user smart phones, cameras, entertainment systems, gadgets, etc. as well as with external data hotspots for internet access.
  • Web-Based Services: A number of web-based features are also available for the latest vehicles that offer services such as vehicle location capabilities, locking/unlocking vehicles remotely, remote start features, remote diagnostics, software updates, etc.

Now let’s look at some of the challenges and security vulnerabilities these services/features pose to the vehicle owner, service providers or the automotive manufacturers…

Firstly, when the vehicle is connected to the telematics service provider, it becomes a network/cloud node and usually gets assigned an IP address that allows it to communicate over the cellular link. This makes the vehicle as an interesting target for hackers as it can provide them with potentially free access to internet or backend systems through which they can perform all sorts of illegal cyber activities as well as allow them to potentially steal sensitive personal information of the user. Also, having a public IP address makes the car vulnerable to all sorts of cyber viruses and security attacks. Furthermore, a hacker can use networking hacking techniques such as port scanning, firewall loop holes, etc. to get unauthorized access to the vehicles as well as the service providers.

The other important security vulnerability is how the communication between the vehicle and telematics service provides is secured and protected. A hacker can potentially sniff the communication between the vehicle and backend service provider and can potentially steal sensitive user information such as account numbers, contact information, user names, and passwords along with other billing related information. This information can then be used by hacker on web based services to track user activities, vehicle usage, location of vehicle, etc.

Another interesting challenge/vulnerability that the new features pose is the management and storage of the static and dynamic data that is generated with the use of these telematics services in a secured manner. [2] The main challenge is to identify the different types of data services used and to manage them in a way that security of sensitive information (important personal data) is not compromised. If certain data is not stored in the automotive itself, the user needs to be notified where and how their data is getting stored and what security protocol is followed in order to address privacy concerns.

The other series of security vulnerabilities arise from the inclusion of a variety of web based apps in the infotainment systems on the vehicles. A number of apps included are supposed to provide access to social media sites to the user. Any unauthorized access to these apps can expose personal information of user to the hacker that may include usernames, passwords and other personal information. Also, a number of other apps are subscription based services that contain user information with respect to the purchased subscription. Any vulnerability or unauthorized exposure of this information to the hacker would allow him to use it in a way that would result in financial losses to the user.

The integration of different connectivity technologies brings another set of security vulnerabilities for the telematics/infotainment systems. For example, any security compromises in the Bluetooth protocol can result in the hacking of personal contacts information by the hacker or unauthorized access of user’s phone by the hacker. Any vulnerability in the USB stack can potentially result in hackers accessing the operating system of the telematics/infotainment systems that can expose sensitive system information of the user or vehicle.

Conclusion

In summary, the security vulnerabilities discussed above can result in the identity theft of vehicle users, loss of critical information such as usernames/passwords, unauthorized access to the internet by the hackers that can result in cybercrimes which can get the user in legal complications. Also, any loopholes or security weaknesses can result in legal complications and bad media publicity for the automotive manufacturers as users can potentially sue them if their security or privacy is breached or compromised.
____________

[1] Telematics Update. (Jan 12, 2011). Telematics and security: Protecting the connected car. Retrieved July 10, 2012 from < http://analysis.telematicsupdate.com/intelligent-safety/telematics-and-security-protecting-connected-car >

[2] Sastry Duri, Marco Grutese. (2002). Framework for Security and Privacy in Automotive Telematics. IBM Thomas J. Watson Research Center.

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: