
Your in-car entertainment system and EV charger likely have big security flaws, hackers find

Dozens of vulnerabilities have been discovered in vehicle charging systems, in-car entertainment technology and modem subsystems from some of the world’s biggest automotive suppliers, including Tesla. 

The vulnerabilities, which numbered almost 50 in total, were unearthed thanks to the Pwn2Own Automotive hacking competition, which took place during the Automotive World conference in Tokyo earlier this month.

The Pwn2Own concept, which was first launched in 2007, sees some of the world's leading security researchers and 'white hat' hackers gather to find security flaws in consumer technology. As of 2019, the annual competition added connected vehicles and their related infrastructure.

During this year's three-day challenge, the competition quickly uncovered vulnerabilities in Automotive Grade Linux, ChargePoint, JuiceBox, Phoenix Contact, and Ubiquiti Connect EV Station electric vehicle chargers. In-car entertainment systems from Alpine, Pioneer, and Sony (although these tended to be aftermarket head units, rather than manufacturer-fitted devices) and the modem in Tesla vehicles were also highlighted – the latter providing root access, according to Hackster.io.

Further into the competition, additional bugs were found in chargers from Autel and Emporia, bringing the total over three days to 49 “unique zero-day vulnerabilities”. The overall prize pot totaled $1 million, but Team Synacktiv unearthed the most security flaws and therefore took the greatest number of points, securing total winnings of $450,000.

In order to maintain privacy and prevent future attacks, details of the vulnerabilities are kept firmly under wraps. The only information the organizers of the Zero Day Initiative (ZDI) unveil is along the lines of “Vudq16 and Q5CA from u0K++ successfully executed a stack-based buffer overflow against the Alpine Halo9 iLX-F509”. So it is not especially helpful for the average car owner, for now.

However, detailed information becomes the property of the ZDI and is subsequently disclosed privately to each of the affected manufacturers, giving them a chance to release patches and avoid future issues.


Analysis: Cars are digital security nightmares


One of the most popular buzzwords in automotive right now is the 'software defined vehicle' – a blanket term that relates to the burgeoning amount of connectivity found in modern cars. 

Thanks to the increased data transfer speeds of 4G and 5G networks, the cars on today's roads can be updated remotely and can 'talk' to existing infrastructure and even other vehicles.

Plug an EV into a public charging station and the vehicle, RFID card and/or smartphone app used during the transaction hands over a bundle of owner information, including names, email addresses and even location, browsing history and online behavioral patterns, according to an article published by the IAPP, the world’s largest global information privacy community.

On top of this, research by Mozilla revealed that modern cars are “the worst product category we have ever reviewed for privacy” thanks to poor practices on data protection, while vulnerabilities in infotainment systems have allowed some security researchers to gain access to restricted vehicle features, such as those premium paid-for features found in Tesla and BMW cars, for example.

More worrying still is the rise in vehicle theft thanks to criminals using sophisticated technology to mimic remote keyless systems. Canada’s Prime Minister, Justin Trudeau, recently announced a summit, to be held next month, to coordinate a national response to a shocking spike in auto thefts across the country in recent years.

Although events like the Pwn2Own Automotive competition help to expose flaws in modern vehicles and their related digital ecosystems, they only really scratch the surface of the privacy and security problems that face modern connected cars. If anything, they serve as further proof that a lot more needs to be done.


https://www.techradar.com/vehicle-tech/hybrid-electric-vehicles/your-in-car-entertainment-system-and-ev-charger-likely-have-big-security-flaws-hackers-find

