LOUISVILLE, Ky. — During a presentation on automotive hacking at DerbyCon last month, security consultant Craig Smith said that a malware-infected vehicle coming in for service could potentially infect a dealership’s testing equipment. In turn, that malware could spread to every vehicle the dealership services, WIRED reports.
Smith, who founded the open source car hacking group Open Garages, unveiled a tool at the conference to find security vulnerabilities in the equipment dealerships use to update car software and run vehicle diagnostics. Using the tool, Smith said he has identified multiple security flaws, including dealership equipment that doesn’t check for the length of a VIN — which would allow an infected vehicle to submit a much longer number, potentially breaking the diagnostic tool’s software and allowing a malware payload to be delivered.
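The missing VIN length check described above, shown from the defender's side as an added example (not code from Smith's tool or from any diagnostic vendor): a C routine that accepts a VIN from a vehicle only if it is exactly 17 characters from the VIN alphabet, and rejects it before any copy into a fixed buffer. It goes beyond the length check by also verifying the position-9 check digit used on North American VINs; the names `vin_accept` and `vin_value` are hypothetical and the sample VIN is constructed.

```c
#include <stdio.h>
#include <string.h>

#define VIN_LEN 17

/* Map one VIN character to its check-digit value, or -1 if it is not allowed.
   The letters I, O and Q never appear in a VIN. (Hypothetical helper.) */
static int vin_value(unsigned char c)
{
    static const char letters[] = "ABCDEFGHJKLMNPRSTUVWXYZ";
    static const int values[] = {1,2,3,4,5,6,7,8,1,2,3,4,5,7,9,2,3,4,5,6,7,8,9};
    if (c >= '0' && c <= '9') return c - '0';
    const char *p = c ? strchr(letters, c) : NULL;
    return p ? values[p - letters] : -1;
}

/* Validate raw bytes received from the vehicle (not NUL-terminated) and copy
   them into out only if they form a plausible VIN. Returns 0 on success,
   -1 bad length, -2 bad character, -3 check digit mismatch (the check digit
   is assumed mandatory here, as on North American vehicles). */
int vin_accept(const unsigned char *src, size_t src_len, char out[VIN_LEN + 1])
{
    static const int weight[VIN_LEN] = {8,7,6,5,4,3,2,10,0,9,8,7,6,5,4,3,2};
    int sum = 0;

    out[0] = '\0';
    if (src == NULL || src_len != VIN_LEN)
        return -1;              /* reject before touching the fixed buffer */
    for (size_t i = 0; i < VIN_LEN; i++) {
        int v = vin_value(src[i]);
        if (v < 0)
            return -2;
        sum += v * weight[i];
    }
    int check = sum % 11;
    char expect = (check == 10) ? 'X' : (char)('0' + check);
    if ((char)src[8] != expect)
        return -3;
    memcpy(out, src, VIN_LEN);
    out[VIN_LEN] = '\0';
    return 0;
}

int main(void)
{
    char vin[VIN_LEN + 1];
    const unsigned char sample[] = "1M8GDM9AXKP042788";  /* constructed sample */
    printf("%d\n", vin_accept(sample, sizeof sample - 1, vin));
    return 0;
}
```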
Cyberhacks on connected vehicles are a growing concern for the auto industry. In July, Senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) introduced the Security and Privacy in Your Car Act, or SPY Car, which would also establish a rating system — or “cyber dashboard” — that informs consumers about how well the vehicle protects their security and privacy beyond minimum standards, among other things.
Also in July, Fiat Chrysler conducted a voluntary recall of 1.4 million vehicles, citing hacking concerns. The OEM implemented network-level security measures in response to another WIRED article showing two hackers taking control of a Jeep Cherokee using a cell signal and the vehicle’s entertainment system.