Misconfigured reporting server gave hackers direct access to sensitive data
In May 2018, a bug led to a major security threat affecting CalAmp, a telematics service provider with millions of users, as well as the numerous mobile apps that used its service. Luckily, this was a white-hat attack that was promptly reported to the company. Had this been a black-hat attack (black-hat attacks account for 65% of incidents this year according to our H1 2019 report), it could have ended very differently. In this article, we’ll take a closer look at what happened, how the researchers found and took advantage of this vulnerability, and how companies can prevent this from happening again.
Earlier in 2018, Vangelis Stykas, a security researcher, learned that his father had a new smart car alarm system – the Viper Smart Start System. Together with fellow researcher George Lavdanis, he set out to see just how secure it really was. Vangelis details the entire process in this article, but the gist of it is this: while they were not able to find a vulnerability in the Viper app itself, they found a bug in the telematics server it was connected to. The researchers used the same credentials as the app to log into the CalAmp server, where they were then able to access and modify data (including passwords) and control millions of connected vehicles, putting user privacy and safety at risk. This gave direct access to sensitive data such as vehicle locations, telematics data, and user information, and allowed them to potentially unlock vehicles, start engines, and more. With unauthorized remote-control access to vehicles, hackers could easily steal a car by simply unlocking it, starting the engine, and driving away. What’s worse, they could also control vehicles while they are on the road, potentially threatening the safety of drivers, passengers, and pedestrians.
Viper Smart Start wasn’t the only app affected. According to ZDNet, many other third-party applications that allow users to track and remotely control their vehicles from their phone are connected to CalAmp’s servers. While the researchers quickly reported their findings to CalAmp, the potential damage that the company and its users could have incurred is impossible to ignore.
Challenges exposed by the researchers
This incident sheds light on a number of interesting challenges:
- What cybersecurity solutions are effective in protecting connected vehicles, their telematics service, and their users? Can the typical solutions used for enterprise infrastructure work effectively in the automotive space?
- How are vehicles protected when they are connected to the internet via an aftermarket device (such as an OBD-II dongle)?
- How can business and operational policies in the telematics service be enforced in order to identify violations? Can defining policies for what is and isn’t allowed in the service help identify anomalies and potential hacks?
- How can a multi-vehicle attack be prevented when it only requires access to a telematics server?
The right cyber solutions for the automotive space
OEMs and aftermarket solutions use a lot of proprietary components and protocols in their communication. The applications in play such as telematics and OTA updates are specific to the automotive industry, contain proprietary logic and protocols, and are therefore not addressed by standard enterprise IT infrastructure solutions. Typically, non-automotive security solutions:
- Lack the ability to inspect the data – IT solutions can typically monitor the data traffic but cannot interpret it, because they lack an understanding of telematics protocols
- Lack the automotive contextual understanding of the data – i.e., the different types of activities (e.g. whether the vehicle is driving or parked) and activity patterns specific to the automotive space (e.g. whether the vehicle has just applied an OTA software update)
The only way to enforce rigorous protection over telematics data is to monitor the entire chain of communication between the connected vehicle, the apps, and telematics servers. This needs to be done with a solution that is able to monitor, analyze, and understand the many different streams and types of data coming in as well as behavioral patterns and protocols typical of normal activity vs. anomalies.
Protecting vehicles connected with aftermarket devices
The only way to protect vehicles in this situation, as well as those already on the road, is to implement a solution that is not physically installed in the vehicles themselves. Since these vehicles are already connected to the internet and communicate data to backend servers, apps, etc., a cloud-based solution can collect and monitor that data for anomalies.
Defining and enforcing policies to identify violations
Policy enforcement is an important part of identifying unusual behavior. Embedding and enforcing company policies and rules in an automated monitoring platform that leverages telematics data and tracks the data flow of the entire vehicle communication chain allows fleets to detect and report unusual behavior and policy violations.
Preventing multi-vehicle attacks via telematics servers
Accessing a telematics server can potentially grant unauthorized access to multiple vehicles and user accounts at once, which significantly increases the negative impact. Preventing this requires a full view of every stream of data from every single vehicle, component, and app connected to the server. This allows customers to detect behavioral anomalies that indicate activity patterns unlikely to occur in a specific fleet of vehicles. For example, multiple vehicles in different locations being accessed at the exact same time from the same location could indicate a multi-vehicle hack. In this case, had the researchers changed the passwords for a number of users at the same time, or unlocked multiple vehicles belonging to users with recently changed passwords, this could have been flagged as a behavioral anomaly atypical of the service’s normal activity.
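To make the policy-enforcement and multi-vehicle-anomaly ideas above concrete, here is an added example (not Upstream’s or CalAmp’s code) that runs three fleet-level rules over a constructed event log from a hypothetical telematics server API: one source commanding vehicles in several different locations at once, a burst of password changes from one source, and an unlock shortly after the account’s password changed. The event format, field names, IP addresses, thresholds and time windows are all illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of telematics-server command events (illustrative, not real CalAmp data).
# Fields: timestamp, source IP of the API caller, account, vehicle, vehicle location, action.
EVENTS = [
    ("2018-05-10T08:00:00", "203.0.113.7",  "alice", "VIN-A", "Athens", "unlock"),
    ("2018-05-10T08:40:00", "203.0.113.7",  "alice", "VIN-A", "Athens", "lock"),
    ("2018-05-10T09:00:00", "198.51.100.9", "bob",   "VIN-B", "London", "change_password"),
    ("2018-05-10T09:00:02", "198.51.100.9", "carol", "VIN-C", "Madrid", "change_password"),
    ("2018-05-10T09:00:04", "198.51.100.9", "dave",  "VIN-D", "Berlin", "change_password"),
    ("2018-05-10T09:00:30", "198.51.100.9", "bob",   "VIN-B", "London", "unlock"),
    ("2018-05-10T09:00:31", "198.51.100.9", "carol", "VIN-C", "Madrid", "unlock"),
    ("2018-05-10T09:00:33", "198.51.100.9", "dave",  "VIN-D", "Berlin", "unlock"),
]

WINDOW = timedelta(seconds=60)         # events this close together count as "the same time" (assumed)
THRESHOLD = 3                          # distinct vehicles/locations or password changes per window (assumed)
RECENT_PW_CHANGE = timedelta(hours=1)  # an unlock this soon after a password change is suspicious (assumed)

def detect_anomalies(raw_events):
    """Apply the three fleet-level policy rules; return a sorted list of (rule, source_ip) alerts."""
    events = sorted((datetime.fromisoformat(t), src, acct, vin, loc, act)
                    for t, src, acct, vin, loc, act in raw_events)
    alerts = set()
    last_pw_change = {}                # account -> time of the latest password change seen so far
    by_source = defaultdict(list)      # source IP -> its events in time order
    for ev in events:
        ts, src, acct, vin, loc, act = ev
        by_source[src].append(ev)
        if act == "change_password":
            last_pw_change[acct] = ts
        # Rule 3: remote unlock of a vehicle whose owner's password was changed very recently
        elif act == "unlock" and ts - last_pw_change.get(acct, datetime.min) <= RECENT_PW_CHANGE:
            alerts.add(("unlock_after_password_change", src))
    for src, evs in by_source.items():
        for start, *_ in evs:          # slide a WINDOW over this source's events
            win = [e for e in evs if start <= e[0] <= start + WINDOW]
            # Rule 1: one source commanding >= THRESHOLD vehicles in >= THRESHOLD different places at once
            if len({e[3] for e in win}) >= THRESHOLD and len({e[4] for e in win}) >= THRESHOLD:
                alerts.add(("multi_vehicle_same_source", src))
            # Rule 2: a burst of password changes from a single source inside the window
            if sum(e[5] == "change_password" for e in win) >= THRESHOLD:
                alerts.add(("password_change_burst", src))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, src in detect_anomalies(EVENTS):
        print(f"ALERT {rule}: source {src}")
```

The legitimate owner’s lock/unlock of a single vehicle raises nothing, while the single source touching three accounts in three cities within a minute trips all three rules.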
Upstream’s C4 Platform
Upstream C4 is a cloud-based cybersecurity solution designed to detect anomalies and threats to connected vehicles by monitoring and analyzing every stream of data and the entire communication chain between connected vehicles, their components, mobility service apps, and telematics servers. Upstream’s C4 platform aggregates data that is already being collected by the existing applications in play, enabling protection of vehicles already on the road and with aftermarket devices. C4 establishes a baseline for what normal activity and behavior looks like, allowing it to detect various behavioral anomalies for single vehicles, entire fleets, and services. This includes anomalies in how backend servers communicate with apps and vehicles, which was the case in the incident we covered in this article. By detecting anomalies in real time and issuing timely alerts and red flags to the security analysts in the Vehicle Security Operations Center (VSOC), companies are able to prevent attacks and significantly mitigate the damage before it’s too late.