Published on April 30th, 2014 | by admin
Smart Cars Need Smart Owners
SYDNEY, AUSTRALIA, April 30, 2014 – Security software provider Bitdefender has shown how easy it is for someone to remotely unlock, track or locate a smart car using a stolen password for the Tesla Model S, an account on teslamotors.com and an iOS application.
Phishing attempts, malware attacks and data leaks have been shown to compromise Tesla accounts, as simple passwords and an app with no account lockout policy or secret question system make it easy for breaches to occur.
Anyone who comes across the password for a teslamotors.com account and the iOS application can open or close the car’s roof, flash the lights, honk the horn or unlock the doors.
The Internet of Things has been developed mainly with minimisation and battery performance in mind; however, this translates into great security challenges.
Bogdan Botezatu, Senior E-threat Analyst, Bitdefender, says a phone app with information stored in the cloud will eventually draw the attention of people with ill intentions to the smart device and its owners.
“While it may be true that the online account does not allow a potential attacker to control the car’s critical systems, it could allow somebody to physically locate the car and unlock it,” said Mr Botezatu.
“Automotive manufacturers, though innovative in engineering, can often oversee the security aspects just because there was no need to digitally safeguard cars in the past.”
Up until the introduction of GPS tracking, there was little to no correlation between the user’s account and their corresponding GPS location. If an account is breached, the car’s owner can be tracked across the city by the hacker and intercepted when they park their car. The online door unlock feature can also be used to pop the car doors open without triggering any alarm.
“There have been numerous reports about burglars using highly advanced lock picks to unlock car doors at night, but access to an application to remotely unlock cars would take the game to a whole different level,” said Mr Botezatu.
Below is a list of considerations for smart car owners who wish to protect themselves from such breaches:
– Users who choose to communicate with their car via a mobile app that requires a password should never use that password for other accounts. The Tesla Motors accounts had low-complexity requirements, which meant they were protected by simple passwords.
– Users should always ignore unsolicited e-mails to avoid phishing or malicious spam attempts that might collect authentication data for the smart devices.
– It is recommended that users apply a complex password, second-factor authentication or secret questions to their accounts.
– Since smart cars will be remotely accessed via a mobile app, a laptop, a tablet or a desktop, users need to ensure these devices are secure at all times. An attack against the device used to access the smart car can result in an attack against the remote-controlled smart car.