Encryption – A brand new „Feature“ for Cars
At DeepSec 2011 Constantinos Patsakis and Kleanthis Dellios held a presentation titled “Patching Vehicle Insecurities”. They pointed out that the car is starting to resemble more to a computer with mechanical peripherals (incase you haven’t seen their talk, please do!). This is true for all types, not only the modern cars powered by electricity alone. But there is more. Modern cars are connected to networks (i.e. the Internet or the mobile phone network). This means that your method of transportation is part of the dreaded Internet of Things. Given the design flaws we have seen in talks given at DeepSec, there is no surprise that this is a breeding ground for major trouble. The Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, discovered a lapse in the communication between BMW cars and the servers being responsible for crucial commands such as unlocking the car.
The ADAC team was able to reverse engineer the protocol being used and to manipulate commands. Why? Because the communication did not feature any kind of encryption or authentication. This means that your Connected Car of the future uses the protocol standards of the 1990s Internet. Apparently BMW fixed the security issue by adding HTTPS. The implications are bigger than you might expect. In the case of stolen cars insurance companies might also be interested in what exactly happened to the car and which security vulnerabilities were involved.
Security should be part of the design right from the start. This is especially true for “simple” features like encryption and authentication. If the brakes, the passenger protection, and other aspects are taken seriously, then this must also be true for the communication protocols. There can be no exception.