Wireless

In this part, we talk about possible remote attacks on a car, according to the different areas of possible attacks. For each communication channels, we describe attacks and how to prevent them with some recommendations. The main recommendation is to always follow the latest updates of these remote communication channels.

Domain	Object	Recommendations
Connectivity-Wireless-1	Update	Always follow the latest updates of remote communication channels.

We will see the following parts:

Wifi
Bluetooth
Cellular
Radio
NFC

Domain	Improvement
Connectivity-Wireless-1	Add communication channels (RFID, ZigBee?).

For existing automotive-specific means, we take examples of existing system attacks from the IOActive document (A Survey of Remote Automotive Attack Surfaces) and from the ETH document (Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars).

Wifi

Attacks

We can differentiate existing attacks on wifi in two categories: Those on WEP and those on WPA.

WEP attacks:
FMS: (Fluhrer, Mantin and Shamir attack) is a "Stream cipher attack on the widely used RC4 stream cipher. The attack allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream."
KoreK: "Allows the attacker to reduce the key space".
PTW: (Pyshkin Tews Weinmann attack).
Chopchop: Found by KoreK, "Weakness of the CRC32 checksum and the lack of replay protection."
Fragmentation
WPA attacks:
Beck and Tews: Exploit weakness in TKIP. "Allow the attacker to decrypt ARP packets and to inject traffic into a network, even allowing him to perform a DoS or an ARP poisoning".
KRACK: (K)ey (R)einstallation (A)tta(ck) (jira AGL SPEC-1017).

Recommendations

Do not use WEP, PSK and TKIP.
Use WPA2 with CCMP.
Should protect data sniffing.

Domain	Tech name or object	Recommendations
Connectivity-Wireless-Wifi-1	WEP, PSK, TKIP	Disabled
Connectivity-Wireless-Wifi-2	WPA2 and AES-CCMP	Used
Connectivity-Wireless-Wifi-3	WPA2	Should protect data sniffing.
Connectivity-Wireless-Wifi-4	PSK	Changing regularly the password.
Connectivity-Wireless-Wifi-5	Device	Upgraded easily in software or firmware to have the last security update.

See Wifi attacks WEP WPA and Breaking wep and wpa (Beck and Tews) for more information.

Bluetooth

Attacks

Bluesnarfing attacks involve an attacker covertly gaining access to your Bluetooth-enabled device for the purpose of retrieving information, including addresses, calendar information or even the device's International Mobile Equipment Identity. With the IMEI, an attacker could route your incoming calls to his cell phone.
Bluebugging is a form of Bluetooth attack often caused by a lack of awareness. Similar to bluesnarfing, bluebugging accesses and uses all phone features but is limited by the transmitting power of class 2 Bluetooth radios, normally capping its range at 10-15 meters.
Bluejacking is the sending of unsolicited messages.
BLE: Bluetooth Low Energy attacks.
DoS: Drain a device's battery or temporarily paralyze the phone.

Recommendations

Not allowing Bluetooth pairing attempts without the driver's first manually placing the vehicle in pairing mode.
Monitoring.
Use BLE with caution.
For v2.1 and later devices using Secure Simple Pairing (SSP), avoid using the "Just Works" association model. The device must verify that an authenticated link key was generated during pairing.

Domain	Tech name	Recommendations
Connectivity-Wireless-Bluetooth-1	BLE	Use with caution.
Connectivity-Wireless-Bluetooth-2	Bluetooth	Monitoring
Connectivity-Wireless-Bluetooth-3	SSP	Avoid using the "Just Works" association model.
Connectivity-Wireless-Bluetooth-4	Visibility	Configured by default as undiscoverable. Except when needed.
Connectivity-Wireless-Bluetooth-5	Anti-scanning	Used, inter alia, to slow down brute force attacks.

See Low energy and the automotive transformation, Gattacking Bluetooth Smart Devices, Comprehensive Experimental Analyses of Automotive Attack Surfaces and With Low Energy comes Low Security for more information.

Cellular

Attacks

IMSI-Catcher: Is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. Essentially a "fake" mobile tower acting between the target mobile phone and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack.
Lack of mutual authentication (GPRS/EDGE) and encryption with GEA0.
Fall back from UMTS/HSPA to GPRS/EDGE (Jamming against UMTS/HSPA).
4G DoS attack.

Recommendations

Check antenna legitimacy.

Domain	Tech name	Recommendations
Connectivity-Wireless-Cellular-1	GPRS/EDGE	Avoid
Connectivity-Wireless-Cellular-2	UMTS/HSPA	Protected against Jamming.

See A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications for more information.

Radio

Attacks

Interception of data with low cost material (SDR with hijacked DVB-T/DAB for example).

Recommendations

Use the Radio Data System (RDS) only to send signals for audio output and meta concerning radio.

Domain	Tech name	Recommendations
Connectivity-Wireless-Radio-1	RDS	Only audio output and meta concerning radio.

NFC

Attacks

MITM: Relay and replay attack.

Recommendations

Should implements protection against relay and replay attacks (Tokens, etc...).
Disable unneeded and unapproved services and profiles.
NFC should be use encrypted link (secure channel). A standard key agreement protocol like Diffie-Hellmann based on RSA or Elliptic Curves could be applied to establish a shared secret between two devices.
Automotive NFC device should be certified by NFC forum entity: The NFC Forum Certification Mark shows that products meet global interoperability standards.
NFC Modified Miller coding is preferred over NFC Manchester coding.

Domain	Tech name	Recommendations
Connectivity-Wireless-NFC-1	NFC	Protected against relay and replay attacks.
Connectivity-Wireless-NFC-2	Device	Disable unneeded and unapproved services and profiles.