From a Single TCU to Full Control

Security researchers from Pen Test Partners¹ compromised an entire automotive corporation through the TCU (telematics control unit). They manipulated the TCU of a vehicle and discovered that they were able to utilize the telematics connection to infiltrate the corporate network and gain full control of the backend servers using admin credentials. Although not demonstrated in Pen Test Partners research, the researchers could have used network privileges to perform lateral movement and control thousands of vehicles by taking over the telematics server.

Are telematics control units secure?

A TCU refers to the embedded system onboard a vehicle that connects it to the telematics server, enabling vehicle tracking, telemetry collection, remote commands, and additional services.

The TCU used in the hack contained a cellular modem that provided connectivity to the device with the insertion of a SIM card. The SIM card was configured with a private APN (a private access point name) meaning a private cellular network that requires credentials to join, making it more secure than a public APN. The TCU also used a VPN (virtual private network) that connected the vehicle to the private services inside the corporate network (the telematics server, OTA server, etc.). Atop these security layers, HTTPS or HTTP over SSL tunnel was used.

Though secure, the TCU’s communication channel can be used as a backdoor to access backend servers

The researchers from Pen Test Partners abused the connectivity of the TCU by pulling the SIM card out of the TCU and inserting it into a USB modem connected to a laptop. By doing this, they connected to the private APN and were able to send messages to the telematics server.

The researchers found that in addition to the telematics server, they could reach other servers on the corporate network, including those outside of the telematics environment, as there was no network segregation between these environments and servers, firewall policies to block access, nor any security measures on the telematics channel.

Furthermore, the researchers discovered they could obtain Domain Admin credentials from systems outside of the telematics environment. Not only could they gain access to any other server (and services) on the corporate network, but also, with domain admin credentials they could execute arbitrary code on the telematics servers and potentially gain access to every vehicle in the fleet.

1. Extracting SIM-Card
2. Getting credential from different service
3. Gaining access to the domain controller
4. Gaining access to telematics server
5. Sending remote commands to the fleet (Lock, Start Engine, etc.)

Is this cyberattack method something that OEMs need to be concerned about?

Automotive cloud (and particularly telematics server) attacks are considered the holy grail of automotive hacking, as they provide malicious actors with the ability to remotely control the vehicles in the fleet. Motivated attackers could use this access ability to remotely disable the ignition of vehicles, send diagnostic messages that alter the vehicle’s behavior, track the vehicle’s location, and more.

However, the above case demonstrates only one way for attackers to gain malicious remote control over the automotive cloud’s backend servers. Other cases in recent years indicate that additional attack methods could be used to achieve similar goals, namely, malicious insider employees with sufficient privileges, exploited web session vulnerabilities, hard-coded credentials in connected car mobile applications, brute force attacks, and even utilizing credentials found in an exposed data breach to access the server.

Let’s take a look at some of those real-life attack methods:

In March 2010, a case of insider privileges being manipulated to access a backend server took place. A disgruntled employee of an Austin Texas car dealer remotely disabled 100+ cars by hacking a web-based remote vehicle-immobilization system used for alerting customers to late payments². In July 2016, web session vulnerabilities were found on a large OEM’s connected car service web portal. Users could add additional car VINs, take over the vehicle, and lock or unlock the vehicle via the portal or the corresponding mobile app. They could also access the car owner’s email accounts and other infotainment system data³.

In April 2019, the maker of a popular vehicle telematics system left hardcoded credentials inside its mobile apps, leaving tens of thousands of cars vulnerable to hackers. An attacker could have sent remote commands, and retrieve data from a target unit⁴. Additionally, in April 2019, a hacker used a brute force attack to hack into thousands of accounts belonging to users of two GPS tracker apps giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines of some while in motion⁵. In a May 2020 credential leak, a hacker discovered leaked passwords and API tokens for an OEM’s internal systems. The credentials could have been used to plan and mount future intrusions against the OEM’s cloud and internal network⁶.

So, what is the best way to detect and prevent attacks targeting automotive backend servers?

Implementing proper network segmentation and deploying access control security measures (e.g. network firewall) could be a good starting point to detect and even prevent corporate network and server infiltration. However, these steps are not enough to protect the telematics server, since usually telematics protocols are proprietary and IT security products (like network firewalls) are not designed to inspect and protect them. In addition, IT network security products do not “understand” the automotive context of the data such as, is the vehicle currently driving, did the car have a recent OTA update, etc? This automotive context is essential to detect automotive-related cyber incidents, and therefore, different measures are needed to address automotive cyber threats.

By monitoring the automotive telemetry data one could leverage protocol-deep analysis and big-data pattern extraction to profile the normal behavior of the telematics server and each component in the connected mobility environment. One could involve real-time detection of flawed messages, data, and transactional sequences using automotive-specific policies based on machine learning detection engines and domain expertise in automotive cyber scenarios. By working hand-in-hand with existing IT cybersecurity products such as SIEM and workflow solutions, one could automate the mitigations for cyber incidents.

There are two suggested methods to protect automotive servers against remote hacking via TCU or other attack vectors:

• Identify data anomalies to detect automotive cloud breachesWhen a vehicle’s SIM card is connected to a different device, one can detect it by monitoring the telemetry data. One could then design and trigger an appropriate action to this scenario, utilizing integration with existing SIEM solutions and thus prevent the escalation of a reverse engineering and further exfiltration attempts and block access to the corporate network. In the Pen Test Partners hack, an effective preventative measure could have been to block suspicious SIM communications with the telematics server.
• Utilize communications transaction analysis to prevent a remote takeoverVisibility across all mobility assets ensures that the functional and technical transactions follow the expected order. Threats can be detected within the system by recognizing commands that don’t follow the expected transactional sequence. An effective preventative measure for the Pen Test Partners hack would have been to block the telematics server’s ability to send commands to the vehicle until the threat is mitigated.

In conclusion, monitoring and responding to telematics data is vital to protect connected vehicles.

This Pen Test Partners hack highlights the importance of monitoring and responding to data anomalies on the telematics channel and applying active protection methods to mobility assets. While this incident was a white-hat incident (intended for research), without cybersecurity measures, similar manipulations could have been carried out by black-hat (cybercriminals), leading to the loss of security, business, and even life.

 

1. https://www.pentestpartners.com/security-blog/from-a-tcu-to-corporate-domain-admin/
2. https://www.wired.com/2010/03/hacker-bricks-cars/
3. https://jalopnik.com/bmws-can-now-be-hacked-through-a-web-browser-convienen-1783371533
4. https://www.wired.com/story/mycar-remote-start-vulnerabilities/
5. https://motherboard.vice.com/en_us/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps
6. https://www.zdnet.com/article/mercedes-benz-onboard-logic-unit-olu-source-code-leaks-online/