Don’t Customize your Car’s Home Screen

For the past couple months, I’ve been trying to upload images into the infotainment home screen of whatever car I have each week.

I’ve now tried 5 different manufacturers, formatting the USB 3 different ways, using jpegs/bmps, and each time I keep failing.

I can’t get them to talk, none of the five. Strangest thing. So my reasoning is – if that doesn’t work, there’s a problem, so don’t.

Because here is the possible attack:

The Attack

Download image from the internet to USB > there are flaws in the code that reads jpegs/bmps that could be used to execute arbitrary code on the device > leading to you running bad stuff (malware, virus, etc.)

The Defence

Just don’t. Everything doesn’t need to be customized.

To be clear: I highly doubt this niche attack will happen to you, and if it does, it’s probably because you’re a target and likely have bigger things to worry about.

But it’s not always going to be this way. In the near future, we’ll be adding apps to our cars the same way we now do to our phones. Good habits start now.

Photo I’m trying to load is from the post: Got stuck in some PVC pipe yesterday here

***


Never Connect your Car’s WiFi to a Public Network

Starting this 2015 model year, cars will come equipped with internet and WiFi capabilities.

Here I am sitting outside a friend’s house in suburbia; I could connect to the houses around me.

You’ll soon be connecting your car to your home network to update it. Only ever connect your car to a known, safe network, like your home, and never a public network, like a coffee shop.

* = password

The Attack

You connect the car via a coffee shop > an attacker inside has MITM’d the connection > now all internet traffic runs through his computer first, before going to the internet

The Defence

Connect only to a network you fully control, like your home.

While this is unlikely to happen…

… that’s only for now. While car hacking is still in its infancy, now is the time to form good habits, because it only takes one connection, one time, to tank it all.

(see: ‘Keri on Driving’ column Dispelling Car Hacking Fears, and the lead press piece I wrote for last year’s SecTor Security Conference)

***

Further reading:

– how to secure your car’s internet connection

– my column: WiFi HotSpots are coming to Cars

– what is a MITM attack

– general WiFi security 

 

 

Solving Crimes using Car Clues

For sure search the car for physical clues like blood, hair and DNA, but also pay attention to the little things you can’t hold.

Things like radio presets, seat position, whether the seat pressure sensor was on or off, plus the EDR information of course, which is admissible in courts.

I’m speaking with Chris Pogue, current Senior VP at cyber-threat analysis software company Nuix, and former U.S. Army Warrant Officer attached to the Criminal Investigation Division.

Read it online at Autonet.

Favourite line:

It’s assumed the first instinct is to search the car for blood and hair, for physical DNA, but how about paying attention to the little things that could be clues.

2nd Favourite line: 

Then add in the footage from traffic cameras (everyone forgets those are always watching.)

That’s me in the lede photo, cornering a Subaru Legacy.

***


Delete your Phone from a Car

Unpair your phone from rental, friend’s and relative’s cars, because until you do, your contacts database is driving around.

Would anything bad actually come from leaving it? Probably not. In the same way, if you left a copy of your contacts on a USB key * at your friend’s house, it’d probably be fine too. But why do that?

Some infotainment systems can save more than one phone. This one saves 4.

Alena is clearly the most popular.

Don’t name your phone your name. Here’s why.

 

 (* if you say, ‘I use FB for my contacts list’, please leave my blog)

 

 

Dispelling Fears about Car Hacking

Real brief: the problem is cars operate on the CAN bus network, which was designed in the 1980s, when the internet didn’t exist. Learn about CAN here.

Speaking with Chris Valasek, physical access is still required to hack the car. For now. (I’d try coming in via Bluetooth.)

Read it online at Autonet.

Favourite line:

That’s how car hacking works: the system doesn’t ask where the message came from or who sent it, it just accepts and executes it.

Plus the ending, because it’s true.

To attack, it’d be more efficient to roll that newspaper into a baton, than go after the target’s car.
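
What "doesn't ask where the message came from" means in practice, as an added example that is not from the column or this post: a classical CAN frame carries an ID and data but no sender field, so a plain receiver has nothing to check, while the second receiver shows one mitigation, a truncated MAC plus counter carried in the payload. The frame layout, key, field sizes and all function names here are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed layout for this example: 11-bit ID, length, up to 8 data bytes.
# As on a real CAN bus, nothing in the frame says which node sent it.
FRAME = struct.Struct(">HB8s")
KEY = b"constructed-demo-key"  # hypothetical key shared by the two ECUs
MAC_LEN = 3                    # truncated tag; real designs size this carefully

def pack_frame(can_id, data):
    if not 0 <= can_id <= 0x7FF or len(data) > 8:
        raise ValueError("not a classical CAN frame")
    return FRAME.pack(can_id, len(data), data.ljust(8, b"\x00"))

def unpack_frame(raw):
    can_id, dlc, data = FRAME.unpack(raw)
    return can_id, data[:dlc]

def tag_for(can_id, counter, payload):
    msg = struct.pack(">HB", can_id, counter) + payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

def make_authenticated(can_id, counter, payload):
    # payload (max 4 bytes) + 1-byte counter + 3-byte tag fill the 8 data bytes
    if len(payload) > 8 - 1 - MAC_LEN:
        raise ValueError("payload too long for authenticated frame")
    return pack_frame(can_id, payload + bytes([counter]) + tag_for(can_id, counter, payload))

def naive_receiver(raw):
    """The behaviour the column describes: any well-formed frame is acted on."""
    return unpack_frame(raw)

class CheckingReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""
    def __init__(self):
        self.last_counter = {}  # per-ID; counter wrap-around is not handled here

    def accept(self, raw):
        can_id, data = unpack_frame(raw)
        if len(data) < 1 + MAC_LEN:
            return False
        payload, counter, tag = data[:-1 - MAC_LEN], data[-1 - MAC_LEN], data[-MAC_LEN:]
        if not hmac.compare_digest(tag, tag_for(can_id, counter, payload)):
            return False  # sender does not hold the key
        if counter <= self.last_counter.get(can_id, -1):
            return False  # replay of an earlier frame
        self.last_counter[can_id] = counter
        return True
```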

***
