THE $750 BILLION VEHICLE DATA GOLD RUSH – PIRATES AHOY!
Vehicle data may be worth $750b by 2030. Problem: vehicle security, privacy, and user awareness of risks are inadequate. Andrea Amico will share some exploits including his “CarsBlues” which exposes people’s personal data, affects 22 makes, and is still a 0-Day for tens of millions of vehicles.
6. • Is killing the engine of a car while riding on the highway the
only threat model?Who is best served by this narrative?
• Are we sure a few hours of tinkering aren’t sufficient?Why
use sophisticated approaches when simple does it?
7. Who commits the most crimes?
Adversary states or common criminals?
PIRATETIP #1: FOCUS
ON COMMON
CRIMINALS (THIEVES,
FRAUDSTERS,
STALKERS, ETC.)
What is an easy and established way to
make (illegal) profits using cars?
Rethink The Threat Model
Today the narrative on vehicle cybersecurity is about foreign
actors and terrorists trying to kill us or cripple the infrastructure
BUT…
8. PIRATETIP #2: FOCUS
ON NEW FEATURES
THAT HAVE BEEN
ADDED FOR
CONVENIENCE ORTO
OFFER NEW SERVICES
Gone in 49 seconds
9. German Automotive Club (ADAC)Test of 237
vehicles: only ONE resisted keyfob attacks
• Alfa Romeo (2/2)
• Audi (17/17)
• BMW (30/30)
• Chevrolet (1/1)
• Citroen (5/5)
• DS Auto (1/1)
• Fiat (2/2)
• Ford (10/10)
• Honda (2/2)
• Hyundai (15/15)
• Infiniti (1/2)
• Peugeot (5/5)
• Renault (15/15)
• Seat (5/5)
• Skoda (9/9)
• SsangYong (2/2)
• Suzuki (6/6)
• Subaru (5/5)
• Tesla (2/2)
• Toyota (8/8)
• Volvo (12/13)
• VW (15/15)
• Jaguar (1/2)
• Jeep (1/1)
• KIA (14/14)
• Land Rover (1/4)
• Lexus (2/2)
• Mazda (6/7)
• Mercedes (9/9)
• Mini (4/4)
• Mitsubishi (3/3)
• Nissan (8/8)
• Opel (10/10)
PIRATETIP #3: INCLUDE
PHYSICAL ACCESSTO
YOURTHREAT MODEL
What is even scarier?
IT’S NOT A BUG, IT’S A FEATURE
10. Most scary: strangers get in other
people’s cars ALL THE TIME!
Source Driver (# users) Incidence % # opportunities
Rental 1m/day 99% 350m/year
Used sales 40m/year, 5Xvisits 50% 100m/year
Wholesaling 25m/year, 8X visits 50% 100m/year
Repos + total loss 3m/year, 10X visits 86% 25m/year
Fleets (ex. rental) 2m/year, 6X users 66% 8m/year
Service 269m 2X/year 50% 135m/year
Valet 269m 2X/year 50% 135m/year
TOTAL >700m/year
Estimates: USA only!
11. Is car hacking like this?
(need huge, complex tools to drill
through a 6-inch plate of steel?)
13. Hi, my name is Sofia, I am 8 years old, and I am here
to teach you how to hack a car.
14. Working with the Auto-ISAC
• “Sealed” responsible
disclosure Feb-Jun ‘18
• Process guided by
Auto-ISAC
• 22 makes from many
OEMs involved (tests
conducted in NA +
EU)
• Agreed “weakness”
affects tens of
millions of vehicles in
circulation
15. YMMV: reactions to disclosure
That’s
cool!
That
sucked!
• <48h to
respond
• Met at R&D
center
• Had flown
people in from
across the globe
• Hack on video
• Very defensive
• Mocked hack
was nothing
new (so why
this “obvious”
vulnerability is
still around?)
• Unhappy about
not joining their
bug bounty
• Minimize risk in
front of
authorities
16. • Happens all the
time,
everywhere
• Worse with more
recently
manufactured
vehicles (people
sync more, more
data captured for
each vehicle
• Worse if vehicle
shared (rental,
carshare, pools,
etc.)
Plenty of Data to be Found
System absent
Percentage of sample
Not found or not
reported
System present,
personal info
present
396 vehicles
1
10 10
39
4
99
51
86
Rental US Auction UK auction
600+ vehicles 96 vehicles
18. Thoughts for future research…
CarsBlues gets
around three “pins”
Have working
hypothesis on
how to get
around 4th
layer of
defense and
hack ALL cars
CarsBluesII • Please use #CarsBlues
hashtag onTwitter if you
give CarsBlues (or
CarsBluesII) a go
• DM @Privacy4Cars if
you are interested in
collaborating
20. Thoughts for future research #2
While some have reported the fraudulent rentals as
“hacking” Car2go communications director Michael
Silverman made clear by email that no such hack
occurred. “None of our member’s personal or
confidential information has been compromised, and no
other SHARE NOW North American cities have been
affected,” Silverman commented.
Local investigative reporter Brad Edwards indicates that
the stolen cars were used to commit crimes, it would
seem he intends that to mean above and beyond grand
theft auto and alleged credit card fraud, I suppose.
The Car2go Mercedes were unlocked with the app, then.
Some speculate that this was done with stolen credit
card data. For their part, Car2go does not seem to
indicate that any app vulnerabilities existed, and claim
no customers should be worried about their data.
21. Our objective is to raise the public’s, industry’s, regulators’, and
advocates’ awareness on the issue of personal data collection, to
drive transparency, and to put safety nets in place for consumers
https://www.privacy4cars.com
PLEASE USETHIS INFORMATION RESPONSIBLY
Follow us:
@Privacy4Cars
Subscribe:
Privacy4Cars
Data should always be deleted before any vehicle handoff!