Behind the Man-in-the-Middle Attacks For Connected Cars: Real-Life Interception of Network Traffic Between Connected Car and Back-End Platforms

As the automotive sector continues to integrate connected technologies in their vehicles to offer customers higher performance and advanced experiences, the risk of cyber-attacks against cars increases, making automotive cybersecurity vital. Our cybersecurity research shows that the modern European electric car connects with more than 100 different external OEM Back-end and Third-party Back-end platforms for receiving updates for operating systems, firmware, and applications in Infotainment, Gateways, ADAS, T-Box, Engines, and other modules.

Man-in-the-Middle (MITM) attacks are one of the most dangerous threats for connected vehicles because it allows to intercept communication between the car and back-end platforms, record and modify the network traffic, extract credentials, and install malicious updates.

Image 1: Connection of the car to external OEM back-end and third-party back-end platforms, representing emerging cyber-risks to connected cars

What is a MITM attack? How does it work on a connected vehicle?

MITM attacks occur when a hacker secretly relays and alters the communication between two connected targets. Modern connected vehicles are equipped with plenty of wireless interfaces such as Wi-Fi, Bluetooth, cellular communications, Near Field Communications (NFC), and proprietary radio interfaces, making it very feasible for hackers to organize MITM attacks. For example, one way a hacker can intercept cellular communication and data in connected vehicles is by establishing rogue base stations that the vehicle’s modem will connect to and therefore facilitating the MITM attack.

Image 2: Scheme of a Man-in-the-Middle attack

Hackers may also run into challenges when conducting MITM attacks on connected vehicles, as interception of cellular 2G/3G/4G communications is a difficult and time-consuming task. This is due to the hacker having to create rogue 2G base stations which is a fake cell tower and establish software implementation for GSM and GPRS traffic interception. Additionally, modern connected vehicles are made to prioritize connection to 4G networks, as opposed to 2G or 3G, therefore, the car’s modem will ignore the rogue 2G base station if there are 3G or 4G networks around. Thus, the hacker must downgrade the vehicle’s 3G or 4G signal to 2G in order to establish a connection and begin the MITM attack.

Image 3: Man-in-the-Middle attack for connected cars

There are several ways a hacker can downgrade the signal and force the car’s modem to use rogue 2G base stations:

• jamming the 3G/4G signals of nearest base stations
• creation of Faraday garage for the car’s cellular modem

Another big challenge for MITM attacks is ciphered traffic between cars and connected platforms.

Hackers need not just intercept the network traffic, but also bypass the PKI, certificate pinning, resolve the issues with ciphering of application level.

What are the consequences of a MITM attack for a connected vehicle?

Once the hackers have established connectivity to the vehicle, they will begin the process of intercepting the vehicle’s data and communications. Some of the vehicle data that can be intercepted include OTA software updates and network traffic using the MITM GPRS protocol. Hackers can also intercept SMS messages using GSM protocols and can also access data transmitted between the vehicle and the OEM’s platforms. These attacks have various levels of danger, for example, hackers can also gain control of the steering wheel, adjust the speed of the vehicle, and manipulate the brakes, which creates an unsafe environment both for the passenger and the other drivers on the road.

How can you prevent MITM attacks?

The danger that cyber-attacks, and MITM attacks in particular pose to the automotive industry can’t be underestimated. As technology in connected vehicles advances and becomes more sophisticated, so do the methods used by cyber criminals to attack or threaten victims worldwide. To tackle this, OEMs can rely on Penetration Testing (or pen-testing) which is performed by authorized professionals in order to exploit vulnerabilities in connected devices to determine whether malicious activity is possible. It allows organizations to gain deep insights on their system or vehicle’s possible vulnerabilities, comply with security standards, and verify staff awareness.

Image 4: The purpose of pen-testing

Pen-testing is typically performed using manual or automated technologies to gain access to potential points of exposure, where a hacker might be able to intercept the customer or OEM’s data. In this process, pen-testers will mimic the maneuvers of cybercriminals and demonstrate the potential risk that they can pose to OEMs, customers, and the vehicle itself. Pen-testing is done in controlled settings and does not pose any real dangers to the outside world and aims to provide valuable recommendations to OEMs to ensure their vehicles are secured.

Conclusion

The automotive cybersecurity landscape is shifting rapidly, with each layer of new connected features and customer experiences adding a potential risk for OEMs and customers. Recognizing the need for penetration testing to expose the vulnerabilities of their vehicles will allow the automotive industry to take a preventative approach against cyber-attacks.

NavInfo Europe’s Cybersecurity team can perform penetration testing on vehicles, in a safe and controlled environment. The information collected will be provided to the OEM as insights that they can utilize when ensuring the security of the vehicle. This allows the automotive industry to safely head towards the autonomous, connected future, and build strong trust-based relationships with customers who no longer worry about potentially fatal attacks. Learn more about our penetration testing service, or contact us to collaborate with our Cybersecurity team.