
    Author Archive - Rainer Link (Senior Threat Researcher)

Car hacking is a reality the general public will have to deal with. Few things are as intrusive and dangerous as strangers taking over your car while you are driving it. Last week, Valasek and Miller's digital car-jacking demonstration, which used the 3G connectivity of a Jeep Cherokee's infotainment system, illustrated how life-threatening this can get. The discovery of the bug has since led to the recall of 1.4 million vehicles. A similar hack, this time off-road and delivered via digital audio broadcasting (DAB) radio signals, was demonstrated a few days later.

Last week's revelations are not the first time car security has been in the spotlight. Earlier in 2015, German security specialist Dieter Spaar discovered vulnerabilities in BMW ConnectedDrive. We have been monitoring and researching this area as well (see Automotive Security: Connected Cars Taking the Fast Lane).

    High Visibility Can Mean High Risk

Currently, we are investigating the SmartGate system, first introduced by Škoda Auto in its Fabia III cars. It allows car owners to connect a smartphone to the car to read and display data such as current speed, average fuel consumption, the number of days until the next oil change or service, and the like. Škoda Auto, better known as Škoda, is a Czech car manufacturer and a subsidiary of the Volkswagen Group.

    Figure 1. Škoda SmartGate sample telemetry screen

During our research with the default Wi-Fi configuration, we discovered that an attacker can read more than twenty parameters like those above and even lock the owner out of the SmartGate system. All the attacker needs to do is stay within range of the SmartGate's in-car Wi-Fi (which is, by default, fairly long), identify the car's Wi-Fi network, and then break its weakly secured password. Staying within range is not difficult: the attacker can be up to fifty feet away from the vehicle and still connect, and a high-gain antenna extends that range further. From there, the attacker can read all of the car's data.

    In our real-world test, we were able to break into the Wi-Fi even as we were driving behind the target car. Both cars were moving at approximately 30 to 40 kph. Meanwhile, reading the car data worked up to 120 kph, as for safety reasons we did not want to try higher speeds.

We also found that Wi-Fi Direct makes it incredibly easy for attackers to determine the PIN. SmartGate firmware shipped with recently built cars (or cars whose owner or dealer has updated the SmartGate firmware) supports Wi-Fi Direct.

You may say that this is more a privacy concern than a severe security issue: we cannot stop the engine, blow up the gas tank or anything like that. However, unlike the attacks discussed in the news, which require the car's IP address (quite hard to obtain), the Škoda SmartGate issue has far fewer barriers to success: you only need the VIN (Vehicle Identification Number), which is often clearly printed on the dashboard behind the windshield. To be clear, our attack is not just reading the VIN from the windshield. With the default Wi-Fi configuration we can connect to a car's SmartGate even while driving behind it, but for this attack to work at least one smartphone must be connected to the victim's SmartGate system.

Sufficiently motivated attackers can stalk targets using the harvested information. An attacker can wait for you to turn on the ignition; once the Wi-Fi comes up, the attacker can learn your SmartGate password, change your Wi-Fi settings, and lock you out of the system. The attacker can then wait for you at a predictable location, knowing you will need to return to your dealer to have the settings reset.

    Škoda Car Owners and Maker Need to Act Now

Furthermore, more recent versions of SmartGate support Wi-Fi Direct, sometimes called Wi-Fi P2P, which gives the attacker an additional advantage: the system does not need the owner's smartphone to be connected, and, as mentioned earlier, the Wi-Fi Direct PIN is easy to crack.

Right now, Trend Micro recommends that all owners of Škoda cars that support SmartGate (in Germany the Fabia, Octavia, Rapid, Yeti, and Superb; the list may vary in other countries) do the following, with step 1 being the minimum:

1. Change the Wi-Fi transmission (Wi-Fi TX) power to 5% (this post originally said 10%)
2. Change the Wi-Fi password and change the Wi-Fi Direct PIN (if Wi-Fi Direct is supported)
3. Change the Wi-Fi network name

Note: With a lower TX power the attack still works, but the attacker needs to be much nearer to the car than with the default Wi-Fi TX power of 50%. Changing only this setting reduces the likelihood of a successful attack from a distance. The advantage of doing just step 1 is that only the SmartGate settings need to change; steps 2 and 3 also require changes to the Wi-Fi settings of the smartphone(s) and tablet(s) that connect to the car. For improved security we recommend also changing the default Wi-Fi password and the default Wi-Fi Direct PIN (if Wi-Fi Direct is supported).
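To put numbers on "much nearer", here is a small link-budget model added to this post (it is not Trend Micro's or Škoda's code). It assumes the TX-power percentages map to linear transmit power, that received power falls with distance as d^-n (n = 2 in free space, larger around buildings), and it takes the post's 50-foot figure as the baseline at the default 50% setting; the 15 dBi antenna gain used in the demo is an assumed value for a cheap directional antenna.

```python
import math

DEFAULT_TX_FRACTION = 0.50      # default SmartGate setting named in the post
RECOMMENDED_TX_FRACTION = 0.05  # setting the post recommends
BASELINE_RANGE_FEET = 50.0      # range the post reports at the default setting


def power_ratio_db(new_fraction: float, old_fraction: float) -> float:
    """Change in transmit power in dB (assumes the percentage is linear power)."""
    return 10.0 * math.log10(new_fraction / old_fraction)


def relative_range(new_tx_fraction: float,
                   old_tx_fraction: float = DEFAULT_TX_FRACTION,
                   attacker_antenna_gain_db: float = 0.0,
                   path_loss_exponent: float = 2.0) -> float:
    """new_range / old_range for the same receiver sensitivity.

    Received power falls as d^-n (n = 2 in free space, roughly 3 to 4 around
    buildings), so a link-budget change of X dB scales range by 10^(X / (10 n)).
    A passive high-gain antenna on the attacker's side adds its gain in both
    directions, which is why it can cancel out the TX-power reduction."""
    budget_db = power_ratio_db(new_tx_fraction, old_tx_fraction) + attacker_antenna_gain_db
    return 10.0 ** (budget_db / (10.0 * path_loss_exponent))


def attacker_reach_feet(new_tx_fraction: float, **kwargs) -> float:
    """Scale the post's 50-foot figure by the computed range ratio."""
    return BASELINE_RANGE_FEET * relative_range(new_tx_fraction, **kwargs)


if __name__ == "__main__":
    print(f"5%, free space:          {attacker_reach_feet(RECOMMENDED_TX_FRACTION):.1f} ft")
    print(f"5%, built-up (n=3.5):    {attacker_reach_feet(RECOMMENDED_TX_FRACTION, path_loss_exponent=3.5):.1f} ft")
    print(f"5% + assumed 15 dBi:     {attacker_reach_feet(RECOMMENDED_TX_FRACTION, attacker_antenna_gain_db=15):.1f} ft")
```

Going from 50% to 5% is a 10 dB cut, which in free space shrinks the range to about a third (roughly 16 ft instead of 50 ft); around buildings the reduction is smaller. The caveat the model makes visible is that a directional antenna on the attacker's laptop recovers that 10 dB and more, so step 1 raises the bar but does not remove the need for steps 2 and 3.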

SmartGate is currently being rolled out to other Škoda models, so it is high time for Škoda to act as well. These are good places to start:

1. Re-consider setting the Wi-Fi TX power to 5% (this post originally said 10%) as the default via a firmware update.
    2. Add a strong recommendation in the car’s manual for owners to change the password and PIN.
    3. Design an “on/off” switch for SmartGate.

SmartGate's Wi-Fi is on whenever the ignition is on, but sometimes you simply do not need SmartGate. Admittedly, there is a workaround: you can unplug the cable of the SmartGate device, which is located below the driver's seat. That is not convenient, especially for owners who want to use SmartGate some of the time. There should be either a physical on/off switch or an option in the car settings menu of the on-board multimedia unit.

Governments and other regulatory bodies have taken great strides in ensuring road safety over the years, and the impact of physical components on physical safety is scrutinized. With the integration of smart devices into everyday life, security conversations should include the impact of digital components as well. The Internet of Things may be a much-abused buzzword, but it is happening now and has clear and dangerous consequences if security is not built in.

    Vendor Statement

We asked Skoda Auto a.s. for an official statement but have yet to receive one. According to an article in a Slovak magazine quoting the PR manager of Skoda Auto a.s., future versions of the manual will include the recommendation to change the default Wi-Fi password, and the app(s) will apparently refuse to work while the default password is in use. We are still trying to verify this statement, as the Google Translate version of the article reads a bit rough.

We had first been in contact with Volkswagen AG (the parent company of Skoda a.s.) in mid-April and later with Skoda a.s., as the following vendor disclosure timeline shows:

    • Mid-April: Reached out to Volkswagen multiple times
    • May 29: Sent follow-up email to Volkswagen
    • May 29: Received response from Volkswagen
    • June 2nd: Received response from Skoda
    • June 18th: Meeting with Skoda

    All tests have been performed with a Škoda Fabia III car, SmartGate HW version 0004, SmartGate SW version 0884, and SW version 0928. As of this writing, SW version 0928 appears to be the latest version.

    More details and information about this security concern will be discussed at length in an upcoming entry.

    Updated on July 29, 2015, 6:36 A.M. PDT (UTC-7) to update the list of cars that support SmartGate.

    Updated on August 11, 2015, 1:36 A.M. PDT (UTC-7) to clarify the research details, the Wi-Fi setting recommendation, and to add a section regarding vendor interaction.

    Legal disclaimer: The information provided in this statement is only of a general nature and only meant to serve as information. It is not intended to give any practical or legal advice and must not be interpreted as such. Without any specific practical or legal advice obtained from a third party, the contents of this document must not be relied on or interpreted as instructions for any action to be taken. Trend Micro reserves the right to change this information at any time and without any previous warning. Trend Micro does not assume any warranty or liability, in whichever form, for this document or its use, neither expressly nor tacitly.

    Posted in Internet of Things |

    Hearing about vulnerabilities in your car’s operating system might seem strange. But it’s now something we all need to get used to.

On January 30, several security loopholes in BMW's ConnectedDrive system were revealed that could allow thieves to unlock doors and track car data using a mobile device; the weakness lies in the transmission path over the mobile phone network. It was uncovered during a privacy assessment conducted by the German auto club ADAC and is believed to affect 2.2 million BMW vehicles worldwide.

    According to a statement from ADAC, the vulnerable vehicles were prone to abuse of features like Remote Services (opening doors remotely), tracking the vehicle’s current location and car speed via real-time traffic information (RTTI), enabling and changing phone numbers on the emergency call function, and reading emails via the BMW Online feature in the BMW ConnectedDrive Store.

BMW acted quickly on this finding and has sent out an update to address it. According to its press release, the update is carried out automatically as soon as the vehicle connects to the BMW Group server and can also be triggered manually. The statement said that BMW is increasing the security of data transmission in its vehicles, with the patch encrypting data from the car via HTTPS. Details about the actual security flaws and the patching process have not been published.

    (Theoretically) Hacking a Connected Vehicle?

We should not jump to conclusions about the actual exploitability of these vulnerabilities without knowing their full details. The BMW ConnectedDrive security flaws raise a few questions:

    • How often is a connection to the BMW server made automatically?
    • Wasn't HTTPS already in use since 2010? Why wasn't it enabled for the data sent and received via ConnectedDrive over GSM? What information could an attacker with their own GSM base station have obtained?
    • Does HTTPS mean SSLv3, or TLS 1.0/1.1/1.2? Does this mean the identity of the BMW Group server was not verified before? Could a malicious "firmware" update have entered a BMW car that way?
    • And if the update is silent, how would the car owner know that the vulnerability was fixed? Does the owner have no control over what updates BMW performs on this system?

    Getting answers to these questions would definitely shed more light on the severity of the vulnerabilities.
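Two of those questions (which protocol versions, and whether the server is verified) are decided by how the client is configured, not by the word "HTTPS". The following Python example, added here and not BMW's code or anything known about ConnectedDrive, shows the weak configuration beside the hardened one and a small checker that reports what each would let a rogue GSM base station do. The vendor CA bundle path is a hypothetical parameter.

```python
import ssl
from typing import List, Optional


def permissive_client_context() -> ssl.SSLContext:
    """'HTTPS' that an attacker in the middle can still intercept: no certificate
    verification, no hostname check, and any protocol version the library allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(vendor_ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """What a vehicle's update/telematics client should use when talking to the
    vendor's server. vendor_ca_bundle is a hypothetical path to the vendor's CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    if vendor_ca_bundle:
        # Trust only the vendor's own CA (pinning) instead of the whole public PKI.
        ctx.load_verify_locations(cafile=vendor_ca_bundle)
    else:
        ctx.load_default_certs()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 and TLS 1.0/1.1
    return ctx


def weaknesses(ctx: ssl.SSLContext) -> List[str]:
    """Answer the questions above for a given client context."""
    found = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        found.append("server certificate is not verified")
    if not ctx.check_hostname:
        found.append("server name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        found.append("SSLv3 / TLS 1.0 / TLS 1.1 handshakes are accepted")
    return found


if __name__ == "__main__":
    print("permissive:", weaknesses(permissive_client_context()))
    print("hardened:  ", weaknesses(hardened_client_context()))
```

Note that even the hardened context only protects the transport. The question about a malicious firmware update is answered by signing the update itself and verifying the signature in the car before installing it, so that a compromised or impersonated server cannot push code.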

Now, moving from GSM to Wi-Fi, I will use Skoda as an example for a theoretical hacking scenario, without an actual analysis. Skoda, a Czech carmaker owned by the Volkswagen Group, recently introduced SmartGate, a system that allows certain apps to download car data over Wi-Fi.

The Skoda SmartGate system contains what is in effect a Wi-Fi router to which devices connect to access car data. The default password is the vehicle identification number (VIN) of the car, which in some countries can easily be read through the front window. However, Wi-Fi is only on when the ignition is on, and SmartGate is optional equipment, i.e. you have to pay extra for it when buying the car.

According to the owner's manual (pages 100-101), the Wi-Fi network name is "SmartGate_<last-six-digits-of-VIN>". SmartGate appears to run a web server that provides information about the car and allows some configuration of the SmartGate system, for example changing the default Wi-Fi password. The password seems to allow only letters (A-Z) and digits (0-9), with a minimum length of 8 characters and a maximum of 17. This follows the format of a VIN, which cannot be longer than 17 characters (given that a WPA/WPA2 passphrase can be up to 63 characters, this is a rather short password). SmartGate also seems to allow connections without any password if security is set to "open", but we strongly advise against this.
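The password policy and SSID scheme described here, together with the recommendation earlier on this page to replace the default password, can be made concrete. The Python below is an example added for this page, not Škoda's code: it derives the SSID from a VIN as the manual describes, shows how much of a VIN-valued default the SSID alone gives away, enforces the A-Z/0-9, 8 to 17 character policy, and generates the strongest password the policy allows. It assumes VINs follow ISO 3779 (17 characters, no I, O or Q) and that the first three characters (the WMI, TMB for Škoda) are known to an attacker; the sample VIN is constructed.

```python
import math
import secrets
import string
from typing import Optional

# Policy as described in the post: passwords are A-Z and 0-9 only, 8 to 17
# characters; the default password is the VIN; the SSID is "SmartGate_" plus
# the last six VIN characters.
PASSWORD_ALPHABET = string.ascii_uppercase + string.digits
PASSWORD_MIN_LEN, PASSWORD_MAX_LEN = 8, 17
WPA2_PASSPHRASE_MAX_LEN = 63
SSID_PREFIX = "SmartGate_"
# Assumption: the default follows ISO 3779 VINs, 17 characters without I, O, Q.
VIN_ALPHABET = "".join(c for c in PASSWORD_ALPHABET if c not in "IOQ")
VIN_LEN = 17


def is_wellformed_vin(vin: str) -> bool:
    return len(vin) == VIN_LEN and all(c in VIN_ALPHABET for c in vin)


def smartgate_ssid(vin: str) -> str:
    """Owner's-manual scheme: the SSID is SmartGate_<last six VIN characters>."""
    vin = vin.strip().upper()
    if not is_wellformed_vin(vin):
        raise ValueError("not a well-formed 17-character VIN")
    return SSID_PREFIX + vin[-6:]


def vin_suffix_from_ssid(ssid: str) -> Optional[str]:
    """Attacker's view: a broadcast SSID hands over six of the 17 VIN characters."""
    if ssid.startswith(SSID_PREFIX) and len(ssid) == len(SSID_PREFIX) + 6:
        return ssid[len(SSID_PREFIX):]
    return None


def is_valid_smartgate_password(pw: str) -> bool:
    """Accept only what the SmartGate web UI would accept (per the post)."""
    return (PASSWORD_MIN_LEN <= len(pw) <= PASSWORD_MAX_LEN
            and all(c in PASSWORD_ALPHABET for c in pw))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of equiprobable strings of that length."""
    return length * math.log2(alphabet_size)


def vin_default_remaining_bits(known_prefix_len: int = 3, leaked_suffix_len: int = 6) -> float:
    """Upper bound on the guessing work for a VIN-valued default password once
    the SSID has leaked the last six characters and the attacker knows the
    maker's fixed prefix (the 3-character WMI). Model, year and plant digits
    narrow the real search further, so this bound is generous to the defender."""
    unknown = VIN_LEN - known_prefix_len - leaked_suffix_len
    return entropy_bits(len(VIN_ALPHABET), unknown)


def generate_password(length: int = PASSWORD_MAX_LEN) -> str:
    """Strongest password the policy allows: 17 random A-Z0-9 characters."""
    if not PASSWORD_MIN_LEN <= length <= PASSWORD_MAX_LEN:
        raise ValueError("length outside the SmartGate password policy")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    vin = "TMBAA11AA1A123456"  # constructed VIN; TMB is the Škoda WMI
    print(smartgate_ssid(vin))
    print(f"{entropy_bits(len(PASSWORD_ALPHABET), PASSWORD_MAX_LEN):.1f} bits: random 17-char policy maximum")
    print(f"{entropy_bits(95, WPA2_PASSPHRASE_MAX_LEN):.1f} bits: 63-char printable-ASCII WPA2 passphrase")
    print(f"{vin_default_remaining_bits():.1f} bits: VIN default after the SSID leak (upper bound)")
    print(generate_password())
```

A random 17-character password under this policy is worth about 88 bits against an offline WPA2 handshake crack, which is adequate; the problem is the default. Once the SSID has given away the last six characters and the WMI is known, at most eight VIN characters are unknown (about 40 bits, and far less in practice because the model and year fields are predictable for a car you can see), which is why the post treats the VIN-as-password default as broken.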

To locate the car you're interested in, you can wait until the driver turns on the ignition and see whether the Wi-Fi network comes up. Or you simply ask erWin, the Electronic Repair and Workshop Information service from Skoda Auto, which shows the complete configuration and list of equipment of a car when given its VIN.

You need to be registered for that, and querying the system for an hour costs 5 EUR. Of course, you also need to be in range of that particular car. So is stalking a Skoda car for fun and (probably no) profit something to worry about? It is theoretically possible.


While we're on this topic, let me mention two other things that came to mind when reading the story about BMW ConnectedDrive:

First, like most other industries, the automotive world is moving away from dedicated, specialized, closed networks and bus systems (like the CAN bus) to Ethernet/IP-based networks within the car. In the past the car was completely isolated, an island with no connection to the outside world. Nowadays the car is connected to the outside world via GSM and IP. You can see this on slide 8 of the official BMW presentation titled Ubiquitous Networking In- and Outside The Vehicle With Ethernet & IP.

Secondly, in the past the radio was just a "dumb" radio. Modern infotainment systems are computers as well (and are, of course, more or less integrated into the car network). Did you know that the Mazda Connect infotainment system allows SSH logins, even as the "root" user? The password, jci, appears to be the lower-case initials of Johnson Controls Inc., the OEM for Mazda's Connect infotainment system.

    The modern car is not just a mechanical machine, it is also a computer that is online as much as a smartphone or PC is. Therefore, it is something that users will have to protect moving forward, and car manufacturers should move to secure their products before any real-world attacks become apparent.

    Update as of February 6, 2015, 07:12 AM PST

This blog entry was written before the full details were released to the public. Full details on the BMW ConnectedDrive vulnerabilities are now available at the following link:

Update as of February 7, 2015, 21:42 PST

    Note that modifications have been made to this entry. We added a paragraph detailing the owner’s manual for clarification.

    Posted in Internet of Things | Comments Off on Automotive Security: Connected Cars Taking the Fast Lane

    This is the third (and last) in a series of posts looking at the threats surrounding smart grids and smart meters. In the first post, we introduced smart meters, smart grids, and showed why these can pose risks. In the second post, we looked at the risks of attacks on smart meters.

    In this post, we’ll look at the risks when smart grids are attacked. Smart grids pertain to an electric grid with digital information/communication capabilities for recording information on both consumers and suppliers. What differentiates an attack on a smart grid from an attack on a smart meter? Simply put, scale: an attack on a smart grid affects many more users than an attack on an individual meter. The potential for damage is proportionately much more significant.

That also means the attack surface is different: not only the smart meters themselves but also the servers at the utility that control them can be attacked. Those servers, however, can be defended with the same tools used to defend against targeted attacks.

Perhaps the most obvious smart grid attack scenario would be extortion. An attacker would take control of the smart grid in order to disrupt the service. The attacker might even "update" the firmware on the devices, making the attack much harder to fully remediate. Either way, the goal would be to cause a service disruption in order to extract money from the local utility company or government. Alternatively, the chaos itself may be the goal, either for political reasons or to distract local law enforcement from other crimes going on at the same time.

A slightly more subtle attack against the smart grid would be a denial of service attack. How would the smart grid cope with corrupt data? The data can be completely corrupt (incorrect format and content), or it can have the correct format but incorrect or corrupt content. Either way, just as buffer overflows affect other software, vulnerabilities in the utility's servers may also pose a risk to the grid as a whole.

    Figure 1. Denial of service attack targeting an entire grid
    (A screenshot from our video highlighting attack scenarios)

An attack with less dire consequences would be meter tampering. It is very possible for smart meters to be tampered with; in fact, it has already happened in Malta. As all reading is electronic, it is trivially easy to modify the readings of the meters. Modify the reading too much and the discrepancy becomes obvious, but a small modification might not raise eyebrows.

We raise these scenarios not because we want to frighten people, but to raise awareness of them. It is possible to defend against these attacks, by designing the systems with security in mind, by ensuring that the appropriate custom defense solutions are in place, and so on. However, these can only be put in place if people recognize that the threat exists.

    You can read the previous blog posts on smart meters here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

    Posted in Internet of Things, Vulnerabilities | Comments Off on Smart Grid Attack Scenarios

    In our previous post, we looked at how smart meters were being introduced across multiple countries and regions, and why these devices pose security risks to their users.

At its heart, a smart meter is simply... a computer, like our PCs, smartphones, tablets, and embedded devices. Similarly, smart meters communicate via well-understood technologies: cellular connectivity, power-line networking, or the user's own Internet connection.

    With that in mind, we have to consider the possible threats – what could happen if a smart meter is compromised? Similarly, what are the problems that could result if the connectivity of a smart meter is disrupted? Let us see.

    Perhaps the most obvious risk is simple: meter tampering. If a smart meter can be hacked, inaccurate information can be sent back to the utility, allowing an attacker to adjust the reading and resulting in an inflated bill. Let’s say, for example, that you have an argument with your neighbor. In revenge, if he can access your smart meter, you might see a rather large electric bill.

    Figure 1. Hacking a neighbor’s smart meter
    (A screenshot from our video highlighting attack scenarios)

    Of course, the bill can also change in the opposite direction. Let’s say you’re engaged in certain activities that require high levels of electricity… altcoin mining, for example. The biggest running cost for such an operation would be the electric bill. The smart meter could be hacked to have a lower reading – or, perhaps, in a location with time-varying electric rates, to make it look like the electricity was used at off-peak times?
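On the utility side, the corrupt-data and meter-tampering scenarios above (from this post and from the smart grid post on this page) come down to two checks on every report: is it well-formed, and can its content be true? The Python below is an example added for this page, not any utility's or vendor's code. It parses a constructed cumulative-kWh report format, rejects malformed lines, flags register rollbacks, replays and physically implausible rates, and then compares daily totals across neighbouring meters with a robust median/MAD score. The 20 kW service limit, the report format and all readings are assumptions made for the demo.

```python
import math
import statistics
from typing import Dict, List, Optional, Tuple

MAX_KW = 20.0  # assumed plausible sustained draw for a household service

# Constructed reports from one meter: "meter_id,hour,cumulative_kwh". Not real data.
SAMPLE_LINES = [
    "M1,100,1500.0",
    "M1,101,1500.6",
    "M1,102,1501.1",
    "M1,103,1499.0",        # register went backwards: a rollback tamper
    "M1,104,1530.0",        # 31 kWh in one hour: physically implausible
    "M1,104,1530.4",        # same timestamp again: replay or clock tamper
    "M1,105,nan",           # well-formed fields, useless content
    "M1,106,1531.0,extra",  # wrong number of fields
]

Report = Tuple[str, int, float]


def parse_report(line: str) -> Optional[Report]:
    """Format stage: reject anything that is not 'id,int_hour,finite_kwh'."""
    parts = line.strip().split(",")
    if len(parts) != 3:
        return None
    meter, hour_s, kwh_s = parts
    if not meter.isalnum():
        return None
    try:
        hour, kwh = int(hour_s), float(kwh_s)
    except ValueError:
        return None
    if hour < 0 or not math.isfinite(kwh) or kwh < 0:
        return None
    return meter, hour, kwh


def check_sequence(reports: List[Report], max_kw: float = MAX_KW) -> List[Tuple[int, str]]:
    """Content stage: well-formed reports whose values cannot be right."""
    findings = []
    prev: Optional[Tuple[int, float]] = None
    for _, hour, kwh in reports:
        if prev is not None:
            prev_hour, prev_kwh = prev
            if hour <= prev_hour:
                findings.append((hour, "timestamp not increasing (replay or clock tamper)"))
                continue  # keep the earlier reading as the reference point
            if kwh < prev_kwh:
                findings.append((hour, "cumulative register went backwards"))
            elif (kwh - prev_kwh) / (hour - prev_hour) > max_kw:
                findings.append((hour, "consumption rate exceeds service limit"))
        prev = (hour, kwh)
    return findings


def audit(lines: List[str]) -> Tuple[int, List[Tuple[int, str]]]:
    """Returns (number of malformed lines, content findings)."""
    parsed = [parse_report(line) for line in lines]
    malformed = sum(1 for p in parsed if p is None)
    return malformed, check_sequence([p for p in parsed if p is not None])


def peer_outliers(daily_kwh: Dict[str, float], threshold: float = 3.5) -> Dict[str, float]:
    """Compare each meter's daily total with its neighbours using a robust
    z-score (median and MAD) and flag meters beyond the threshold."""
    values = list(daily_kwh.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9
    flagged = {}
    for meter, v in daily_kwh.items():
        score = 0.6745 * (v - med) / mad
        if abs(score) > threshold:
            flagged[meter] = round(score, 2)
    return flagged


# Constructed daily totals for nine neighbouring meters. M8 has been inflated
# by a hostile neighbour; M9 quietly under-reports by about 8% and is not caught.
SAMPLE_DAILY_KWH = {"M1": 10.2, "M2": 9.8, "M3": 11.0, "M4": 10.5, "M5": 9.9,
                    "M6": 10.1, "M7": 10.7, "M8": 40.0, "M9": 9.4}

if __name__ == "__main__":
    print(audit(SAMPLE_LINES))
    print(peer_outliers(SAMPLE_DAILY_KWH))
```

The peer comparison catches the crude inflation of M8 immediately, but the 8% under-report on M9 sits well inside the normal spread of the neighbourhood and passes. That is exactly the "small modification might not raise eyebrows" problem: detecting it requires the meter's own long-term baseline or a physical audit, not a single snapshot.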

What are some other threats at the local, "retail" level when it comes to smart meters? Crime gangs (with smarts) may well find uses for smart meters too. Power savings are frequently promoted as a benefit of smart meters. However, power consumption is also a good way of checking whether someone is at home.

    Let’s say that a vulnerability made it easy for somebody other than the homeowner or the utility to see what the power usage was. (It could be as easy as a poorly-designed API, mobile app, or website.) The smart meter would then essentially become a giant “please rob me” sign for properly equipped thieves.
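How little it takes to turn consumption data into that "please rob me" sign is easy to show. The Python below is an example added for this page (not any meter vendor's code) that works on constructed hourly kWh readings: it estimates the always-on base load from the 10th percentile and treats a day in which no hour rises above twice that base load as "nobody home". The readings, the 2x factor and the 0.2 kWh base load are assumptions for the demo.

```python
from typing import Dict, List

HOURS_PER_DAY = 24


def _day(peaks: Dict[int, float], base_kwh: float = 0.20) -> List[float]:
    """Constructed hourly kWh for one day: an always-on base load plus peaks."""
    return [round(peaks.get(h, base_kwh), 2) for h in range(HOURS_PER_DAY)]


# Not real data: a morning and evening routine on days 1 and 3, nobody home on day 2.
OCCUPIED_PATTERN = {7: 0.9, 8: 1.1, 18: 1.3, 19: 1.5, 20: 1.2, 21: 0.8, 22: 0.6}
AWAY_PATTERN = {3: 0.22, 14: 0.23}  # fridge cycling, nothing else
SAMPLE_HOURLY = _day(OCCUPIED_PATTERN) + _day(AWAY_PATTERN) + _day(OCCUPIED_PATTERN)


def base_load(hourly_kwh: List[float]) -> float:
    """10th percentile of all readings approximates the always-on load."""
    ordered = sorted(hourly_kwh)
    return ordered[len(ordered) // 10]


def _split_days(hourly_kwh: List[float]) -> List[List[float]]:
    if len(hourly_kwh) % HOURS_PER_DAY:
        raise ValueError("need whole days of hourly readings")
    return [hourly_kwh[i:i + HOURS_PER_DAY] for i in range(0, len(hourly_kwh), HOURS_PER_DAY)]


def daily_occupancy(hourly_kwh: List[float], peak_factor: float = 2.0) -> List[bool]:
    """True for each day in which some hour rose above peak_factor * base load,
    i.e. someone switched something on. Anything else reads as 'nobody home'."""
    threshold = peak_factor * base_load(hourly_kwh)
    return [max(day) > threshold for day in _split_days(hourly_kwh)]


def daily_totals(hourly_kwh: List[float]) -> List[float]:
    """Coarser reporting (one total per day), often proposed as a privacy measure."""
    return [round(sum(day), 2) for day in _split_days(hourly_kwh)]


if __name__ == "__main__":
    print(daily_occupancy(SAMPLE_HOURLY))
    print(daily_totals(SAMPLE_HOURLY))
```

Note that reporting only a daily total, a common answer to this privacy concern, is not enough on its own: the away day's total is less than half of an occupied day's, so absence still shows. Access control on who can read the data (the poorly designed API or app mentioned above) matters more than the granularity.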

    Alternately, if that smart meter can be controlled remotely, you now have an excellent way to carry out extortion. Such a nice house you have there, it’d be shame if anything bad happened to its power…

    The connectivity of the smart meters can also be a security risk. Some meters use the cellular network to provide the connection to the main servers of their utility. The utility would, of course, be paying for the bills of these meters. A truly determined person could abuse this “free” phone to make calls, send text messages, even connect to the Internet.

    Alternately, the smart meter may use the same Internet connection as the home. This represents a potential risk: if somebody was able to hack the smart meter from the outside, then that attacker would have access to the house’s internal network. This would put your own internal network at risk of attack; it would be as dangerous as letting anyone connect to your home network.

    None of the above attacks are inevitable. You can build defenses against all of them. However, it is inevitable that somewhere, somehow, the defenses will fail. These attacks are possible, and we will have to figure out how to defend against them, especially once smart meters become more prevalent.

    All of the attacks I discussed above are essentially small-scale, however. What happens when you look at the security of not just individual meters, but the smart grid as a whole? That’s what we will discuss in the third post in this three-part series on smart meters and smart grids.

    You can read parts 1 and 3 of this blog series here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.


    While wearable personal technology may be the most “public” face of the Internet of Everything, the most widespread use of it may be in smart meters.

    What is a smart meter, exactly? It’s a meter for utilities (electricity, gas, or water) that records the consumption of the utility in question, and transmits it to the utility provider via some sort of two-way communication method. (Examples of these methods include a wireless mesh network, power line networking, or a connection to the user’s own Internet service.) Unlike simple home monitors, smart meters can collect data for remote reporting to the utility.

    One smart meter in isolation has limited uses. However, if the majority of meters in an area are now “smart”, the utility is able to reap large benefits. With the added information provided by large numbers of smart meters, a utility can adjust their services as needed to improve the efficiency, reliability, costs, and sustainability of their services.

    Deployment and Usage

    Some may think that smart meters are more theoretical than anything else. However, they are already in widespread use in some countries, and it is easy to see how in the next few years they will become even more widespread.

    Let me talk about the part of the world I know – Europe. For example, the former Italian electric monopoly, Enel, has rolled out smart meters to almost all of its 36 million customers. In addition, Enel has deployed a remote management system known as Telegestore, which allows the utility to carry out actions via the smart meter that would otherwise require a physical visit. 330 million meter readings and over a million other operations were carried out remotely, making this easier for both customers and Enel. Enel also owns 92% of the Spanish utility firm Endesa, and is rolling out similar products in that market.

    Italy and Spain are not the only countries in Europe leading the way in smart meter adoption. Other countries identified by the European Union as being “dynamic movers” in smart meters include Estonia, Finland, France, Ireland, Malta, the Netherlands, Norway, Portugal, Sweden, and the United Kingdom. In these countries, regulators and utilities are both making the necessary steps to move forward with smart meter adoption.

    Technical Standards and Risks

There are a diverse number of industry groups and protocols promoting smart meter technology. In part, this reflects the varying ways in which smart meters are deployed and used: different applications need different technology. However, it also means that a wide variety of technical standards is used in smart meters.

Other such niche devices, such as home automation equipment and Internet routers, have proven to have serious security risks. It is one thing for, say, a light switch to have a vulnerability. It is another for utility meters and controls to have them. Smart meters and smart grids have not yet been fully tested and vetted for potential security risks; we have to consider the potential scenarios if these devices are proven to have flaws, as some of them inevitably will.

    The video below highlights some of these potential scenarios. In future blog posts, we will look into some of these scenarios in some detail and discuss the circumstances that can lead into these issues.

    You can read parts 2 and 3 of this blog series here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice