How to Protect Against Remote Multi-Vehicle Attacks

TEAM UPSTREAM

June 23, 2019
Hacker Gains Access to Thousands of Cars Worldwide

In April 2019, a hacker gained access to thousands of cars around the world via a location and fleet management service. In this blog, we’ll drill down into what happened and how this type of attack can be detected before causing any serious damage.

Overview

According to Motherboard, a hacker known as L&M took advantage of a security vulnerability in two GPS tracker apps, iTrack and ProTrack, used to manage and monitor connected cars. L&M used a script to brute-force “millions of usernames” via the apps’ API and gained access to 27,000 accounts, which gave him the ability to track the location of tens of thousands of vehicles around the world. He was able to access sensitive PII and even send commands such as “Stop Engine” that carry severe security implications.

[Figure: screenshot from the iTrack product demo showing the remote command options, including “Stop Engine”]

L&M shed light on four challenges

Early detection can enable service providers to stop such a hack or prevent it altogether. There are four main challenges we identified in this specific event:

  1. How do you protect vehicles already on the road when they do not have a dedicated cyber security solution installed in them?
  2. How do you protect vehicles that are connected to the internet via an aftermarket device like an OBD-II dongle installed by a service provider (not the car manufacturer)?
  3. How do you prevent multi-vehicle attacks when access to the server (like in this use case) grants access to the entire fleet?
  4. How do you protect against an attack on a service, like iTrack and ProTrack? By accessing the service’s servers, a hacker can control the vehicles remotely.

Let’s take a closer look at each of the above challenges and how to overcome them.

Connected vehicles already on the road and vehicles with aftermarket devices

The first two challenges go together and can share the same solution. In both cases, you need a solution that doesn’t require physically deploying technology in the vehicles. These vehicles are already connected and already send telematics and location data to backend servers. By monitoring and analyzing the data that is already being collected, you can detect anomalies and possible threats.

Multi-vehicle attacks

Early detection of a multi-vehicle attack requires an “eye in the sky” view of the entire fleet of connected cars. The solution here is a system that monitors and analyzes the fleet and uses behavioral analytics to detect anomalies, that is, behavior inconsistent with what is normal for that OEM or fleet. For example, a connected car service already holds data that can be aggregated to learn each vehicle’s behavioral patterns and its communication patterns. If a system is monitoring all of the data collected from the connected cars for anomalies, it could detect an unexpected command pattern, an application behavior anomaly or a vehicle behavior anomaly. L&M’s hack, in this case, would be detected, giving the service providers the opportunity to take action before any damage is done.

Attacks on services

As we saw in this case, a hacker can access and control connected vehicles from a service provider. So it’s not enough for a system to understand normal behavior for the vehicles; it needs to understand the service. This includes every single part of the service – the mobile app, telematics services, vehicle communication, etc. By understanding the communication being monitored, the system can detect anomalies and potential attacks. Do system-wide remote software updates (e.g. OTA updates) usually happen at specific times? Is it normal for a “Stop Engine” command to be sent when a vehicle is moving?

In this case, L&M gained access to the service’s servers and could send commands from there. Normally, commands to stop an engine would be sent from the mobile app user portal, so a system that understands “normal” behavior would alert the service of an anomaly when such a command is sent directly from the server.
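The baseline checks described in the last three sections (a fleet-wide view of command fan-out, a “Stop Engine” sent while the vehicle is moving, and a command arriving from the server rather than the mobile app) can be sketched as simple rules over normalized command events. This is an added example, not Upstream’s or the tracker vendors’ code; the event fields, the channel names, the learned baseline and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed event shape: an assumption about what a fleet backend could log per remote command.
@dataclass(frozen=True)
class CommandEvent:
    ts: int           # seconds since epoch
    actor: str        # account or service principal issuing the command
    origin: str       # channel the command arrived on: "mobile_app", "server_internal", ...
    vehicle_id: str
    command: str
    speed_kph: float  # vehicle speed reported by telematics at command time

# Assumed learned baseline: engine-stop commands normally originate from the mobile app.
EXPECTED_ORIGINS = {"Stop Engine": {"mobile_app"}}
FANOUT_WINDOW_S = 300    # one actor commanding this many distinct vehicles in 5 minutes is unusual
FANOUT_THRESHOLD = 3

def detect(events):
    """Return a list of (rule, event) alerts for the three baseline deviations."""
    alerts = []
    per_actor = defaultdict(list)   # actor -> [(ts, vehicle_id)]
    for ev in sorted(events, key=lambda e: e.ts):
        # Rule 1: a Stop Engine command while the vehicle is moving.
        if ev.command == "Stop Engine" and ev.speed_kph > 0:
            alerts.append(("stop_engine_while_moving", ev))
        # Rule 2: a command arriving on a channel outside its learned baseline.
        allowed = EXPECTED_ORIGINS.get(ev.command)
        if allowed is not None and ev.origin not in allowed:
            alerts.append(("unexpected_origin", ev))
        # Rule 3: one actor touching many distinct vehicles within a short window (multi-vehicle fan-out).
        hist = per_actor[ev.actor]
        hist.append((ev.ts, ev.vehicle_id))
        recent = {vid for ts, vid in hist if ev.ts - ts <= FANOUT_WINDOW_S}
        if len(recent) >= FANOUT_THRESHOLD:
            alerts.append(("multi_vehicle_fanout", ev))
    return alerts

SAMPLE_EVENTS = [  # constructed sample, not real iTrack/ProTrack data
    CommandEvent(1000, "owner42", "mobile_app", "VIN-A", "Stop Engine", 0.0),            # benign
    CommandEvent(1100, "svc-admin", "server_internal", "VIN-B", "Stop Engine", 62.0),    # rules 1 and 2
    CommandEvent(1130, "svc-admin", "server_internal", "VIN-C", "Locate", 0.0),
    CommandEvent(1160, "svc-admin", "server_internal", "VIN-D", "Locate", 0.0),          # rule 3
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: actor={ev.actor} vehicle={ev.vehicle_id} cmd={ev.command}")
```

In a real deployment the origin baseline and the fan-out threshold would be learned per fleet from historical data rather than hard-coded.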

Upstream’s C4 platform

Upstream is a cloud-based cybersecurity solution designed to address the challenges of securing connected car services against a multitude of attack vectors, including the ones in this post. The solution is entirely cloud-based and agent-less – this means that no components need to be installed in the vehicles to be protected. Instead, the C4 platform analyzes and monitors data already collected from the connected car infrastructure (vehicles, application servers, mobile apps, APIs) using a normalized universal data format. Being cloud-based enables the solution to detect activity of vehicles already on the road as well as new vehicles. By establishing a normal baseline of connected service operation, the platform is then able to detect anomalous behavior on any part of the connected car infrastructure, including suspicious activity that affects multiple vehicles at the same time.

Upstream’s C4 platform is able to detect anomalies in real time by using various classification techniques working in parallel and then issuing alerts to the security analysts in the Vehicle Security Operations Center (vSOC). The product fully integrates with existing SOC solutions such as SIEM and workflow tools and allows the security analysts to leverage the C4 dashboard and incident investigation timelines to perform triage, investigate the incident, make informed decisions, and take necessary action.

For more information on how C4 works, watch our webinar “Automotive Cybersecurity: Protecting the Car from the Cloud” or schedule a demo.
