Connected Car Security with Android

Open Automotive Alliance

As you may have recently read, Google started a new alliance together with parts of the automotive industry. The new alliance is called the Open Automotive Alliance and it is based on the idea of bringing Android into the car’s electronics. Just imagine what you could do with a technology like this. There are two lines you could work on:

  • The car as an Android device itself (always connected to your home WiFi)
  • The car as a gadget for your Android devices (not only a smart watch but also a smart car)

The idea is pretty logical because our society is starting to connect all devices, and with them all data, to get an even larger picture of its world. But this comes at a cost and it could be very dangerous if you are not careful enough. I am talking here about security aspects.

Remote Car

What could you do with an Android-enabled car? Imagine you drive a large car (nothing like a Smart or VW up!). You want to park, but it is pretty complicated. Yes, you have sensors which help you, but you can’t get out of the car because the parking slot is too narrow, or whatever the case is. No problem: step out, take your device and remotely drive your car into the parking slot with your device. Shut the engine down, close the doors and walk away. Nice, right?

All your car belongs to us

What could go wrong? You can use your Android device to control the car, and other people have Android devices, too. This means they could also control your car, right? I do not want to discuss here whether someone would do this or not. We all know that crime of all kinds is committed daily, and if someone has the possibility to remotely control a car, he or she will do it!

The problem is that the technologies we use privately, like WiFi and Bluetooth, are not the safest, and nearly everyone has used at least one of them. This technological spread brings a lot of positive and negative effects with it. One of the negatives is that everyone understands how to get around their security. And since your car uses WiFi, an attacker doesn’t care whether it is a car, your access point or any other device. The communication is the same. No one needs new software or new attack vectors; they are all known.

Resources

What about resources? Embedded systems usually do not have the same resources as your desktop PC. A car therefore would not have resources en masse to do all its work either. Maybe this could lead to a weaker WiFi encryption algorithm. Remember, sometimes the car’s engine is shut down but the WiFi could still be online. This consumes battery power, and strong WiFi encryption will use more resources than weaker ones.

It could be even easier. Write a script that connects to the car’s WiFi with false passwords and just keeps the device busy until all power resources are gone. The car owner won’t be able to start the engine with empty batteries. Or just exploit a weak WiFi implementation, like WPA or, even worse, WEP.
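One way the car side could limit the battery-drain scenario above is to power the WiFi radio down, with a growing back-off, whenever failed logins pile up while the car is parked. The sketch below is an added example, not code from the Open Automotive Alliance or the original post; the log format, the event names, the function name `plan_radio_backoff` and the thresholds are all assumptions.

```python
from collections import deque

# Constructed sample, "<epoch seconds> <event> <client MAC>", in a hypothetical
# format; a real access-point daemon logs differently.
SAMPLE_LOG = """\
100 AUTH_FAIL 02:00:00:00:00:01
105 AUTH_FAIL 02:00:00:00:00:02
110 AUTH_FAIL 02:00:00:00:00:03
115 AUTH_FAIL 02:00:00:00:00:04
120 AUTH_FAIL 02:00:00:00:00:05
125 AUTH_FAIL 02:00:00:00:00:06
500 AUTH_FAIL 02:00:00:00:00:07
505 AUTH_FAIL 02:00:00:00:00:08
510 AUTH_FAIL 02:00:00:00:00:09
515 AUTH_FAIL 02:00:00:00:00:0a
520 AUTH_FAIL 02:00:00:00:00:0b
2000 AUTH_OK 02:00:00:00:00:aa
2100 AUTH_FAIL 02:00:00:00:00:aa
"""

def plan_radio_backoff(log_text, window=60, max_failures=5, base_backoff=300):
    """Return [(time, seconds_radio_off)] for a parked car (ignition off)."""
    recent = deque()          # failure timestamps inside the window
    decisions = []
    radio_off_until = 0
    backoff = base_backoff
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue          # skip malformed lines
        ts, event = int(parts[0]), parts[1]
        if ts < radio_off_until:
            continue          # radio is powered down, nothing is processed
        if event == "AUTH_OK":
            recent.clear()
            backoff = base_backoff   # a legitimate login resets the penalty
        elif event == "AUTH_FAIL":
            # Count across all MACs: the address is chosen by the client,
            # so a per-client counter would be trivial to sidestep.
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_failures:
                decisions.append((ts, backoff))
                radio_off_until = ts + backoff
                backoff *= 2         # each repeated flood costs the sender more time
                recent.clear()
    return decisions
```

On the constructed log the radio is switched off for 300 seconds at t=120 and for 600 seconds at t=520, and the single failure after the successful login triggers nothing.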

Conclusion

I am curious about how the Open Automotive Alliance will solve those problems. Maybe we will have two different power sources for the Android part and the car itself? There are even more problems which could be solved by a proper design. I am happy to know that people want to make our life with cars even smarter, but I really hope they also think about security and what could go wrong. I really would like to have one of the first Android-enabled cars and evaluate what could go wrong and how to make those systems really safe.

The Mobile Device Flood

Have you noticed the number of types of mobile devices within the private sector? Ages ago you probably had a mobile phone, and this evolved into a smartphone, which was a really big step. But ask your friends what they have or take a look at what your family uses. Let’s analyze this:

  • Smartphone
  • 7″ Tablet
  • 10″ Tablet
  • Notebook
Employee and mobile devices

The only devices I do not want to count here are the smartwatch and Glass devices. I don’t think they are as common as the others. But let’s get back to the device list. Modern companies either provide you with their hardware or use BYOD. This could mean for you that all your devices are managed for this, except the private notebook. Let us assume you have 100 employees who want to use modern devices to get work done, stay in contact with the company and the customers, and be able to work wherever they are.

Let us assume that half of your employees have everything from the smartphone to the large tablet. This would make 80 devices on which sensitive company data is stored. But what about the other half? There are still 50 employees using a smartphone. It all adds up to 130 devices. Just one has to be stolen and you probably lose large amounts of data.

How can I manage this?

Mobile Device Management Scheme

Managing is the first step of the process. You will have to take further steps to ensure the security of your company’s data. What does managing mean? It gives you control over the device. There are some simple steps you could take to prevent any data loss, but they will not be very good for your employees (with BYOD). If their device gets stolen you could wipe it remotely. This will destroy all data, even the private data. You could also just retire a device remotely, which will only uninstall the connection to your company.

You see managing is more about answering the following questions:

  • What devices have company data on them?
  • Who is the owner of the devices?
  • What is done with the devices? (Exchange etc.)
  • What is the status of the devices?
  • How many are active?
  • Which are retired or wiped?

A good solution might be this: MobileIron

I want control over my data!

You do not really have full control of your data just by using the management tool. You need two more things: a split between private and company data, and a content management tool. But how can a device know which data is private? Blackberry did it already, Samsung does it and others are doing it too: using containers!

MDM: Container Solution

A container will provide your employees with a safe workspace, secured and encrypted. If you retire or wipe the device, only the container disappears. This leaves the private data untouched and is a good way to get back control of your data when employees leave the company. The container has its own private access to the company’s network. Private data will never flow over the secure connection of your container.

What about accessing data on file servers and SharePoint servers? Containers often do not really provide this. You just get your calendar and your mails safe. But no one will be able to work with only this amount of information.

But your container is still not enough. Let us assume an employee is pretty angry because he or she has been fired, or whatever happened. There is nothing to stop the employee from accessing important mails within the container and just sending them over to their private mail address.

Possible Solutions:

Managing mobile content

As long as you have implemented the solutions above, you already have a very good solution to protect your mobile device environment. It will be hard for an attacker to gain valuable information out of a stolen device. But you could still have the problem of people betraying you. How? Well, you send sensitive information across the internet via mail, don’t you? You do not want others to be able to view your files forever because you do not know which contacts your partner could have. Maybe a competitor?

MDM Content Management

In this case you need a content management solution for your mobile devices. You want your employees to work mobile, so they need synchronized files or at least remote access to file servers, workspaces, SharePoint servers and so on. But no data should be able to leave the company unsecured. At least I am talking about a good approach to getting your employees working efficiently, whether they are in the office or on mobile devices like tablets.

Example: WatchDox

Conclusion

It is up to you to decide whether it is OK to use smartphones and tablets or not. In case you want your customers to be efficient, just consider that you cannot simply buy devices and give them to your IT. You need a concept, since you do not want your data to be available to your competitors or other external institutions. I would advise you to test the following:

“We are not a target to hackers.”

I have always heard people say that they see themselves as “not a target to hackers”. Let us assume that this is true and that only important people or the largest companies are targets. I want to prove this wrong and show you that everyone is a target, and that the fact that people do not realize this simply comes from a knowledge gap. The question you have to ask yourself is: “How valuable is your data to others?”

The self-attempt

The easiest way to check if you personally are a target is to think about what you are doing with your devices. Just look at this list and answer it with “yes” or “no”:

  • Do you shop online?
  • Do you use online banking?
  • Do you store pictures of you and/or your family on your devices?
  • Do you store financial data like spreadsheets or others on your devices?
  • Do you save passwords within your browser for auto-login?
  • (Enterprise only) Do you store any data within databases like MySQL, MSSQL, Oracle?

I bet you answered at least one question with yes. If not, then I would like to know why you actually use computing devices at home. But let us examine the questions:

Data at risk

This question is very important because if you do this, it requires authorization for financial transactions. OK, they are based on SSL, but as we know there have been incidents regarding SSL. Just to name some:

This means that your encrypted communication can be recorded and deciphered. Others can see what you buy or sell and what your account balance looks like. You may ask: “But why are they interested? I do not care!” Well, they could check whether they give you a larger credit for your house based on how you buy, sell and pay your bills. Do you really want to give others that much control over you, even without you knowing of them? I do not want this, and since this is only something in private, it could be worse within an enterprise environment.

Some of us may answer every question with “yes”, because it is what most of us actually do with computing devices. And this is the attack surface for the bad guys. They produce sophisticated malware to circumvent any defense, and at least a part of us will lose their data.

The holy grail

But let me go into more detail on one question, the last one. Do you store data within your databases? I bet you do, because it is a very good way to store files in a structured manner. Well, I do not want to discuss now why databases are good; they are, but they are not safe. Just ask yourself questions like the following:

  • Do you know how many databases are running within your IT landscape?
  • Do you know what kind of data is stored on all databases?
  • Do you perform regular updates on your databases?
  • Have you any databases within the DMZ?
  • Do you use one user for accessing all data?

This time your databases are at high risk if you answer with “no”. Just think about the first two questions again because they are the most important ones. Where are your databases? If you do not know this, you do not know whether they are patched or running under an old operating system, like Windows Server 2003. Unpatched and insecure, but it could be a database you and your entire company are using all day without knowing it.
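The five questions above can be answered mechanically by reconciling what a scan of your own network finds with what the inventory claims. The following is an added example, not part of the original post; the inventory fields, host names and the `audit` function are assumptions, and all data is constructed.

```python
# Constructed data: host names, platforms and accounts are illustrative only.
DEFAULT_PORTS = {1433: "MSSQL", 3306: "MySQL", 1521: "Oracle"}
EOL_OS = {"Windows Server 2003"}   # the old platform named in the text

INVENTORY = {  # what the IT department believes it runs
    "db-crm-01": {"data": "customer records", "os": "Windows Server 2012",
                  "zone": "internal", "patched": True,
                  "accounts": ["crm_app", "crm_report"]},
    "db-shop-01": {"data": "", "os": "Windows Server 2003",
                   "zone": "dmz", "patched": False, "accounts": ["root"]},
    "db-old-02": {"data": "archive", "os": "Windows Server 2012",
                  "zone": "internal", "patched": True,
                  "accounts": ["arch_ro", "arch_rw"]},
}
# Listeners reported by an authorised scan of your own network: (host, port)
DISCOVERED = [("db-crm-01", 1433), ("db-shop-01", 3306), ("legacy-07", 1521)]

def audit(inventory, discovered):
    """Reconcile scan results with the inventory and apply the five questions."""
    findings = []
    for host, port in discovered:
        engine = DEFAULT_PORTS.get(port, "unknown")
        rec = inventory.get(host)
        if rec is None:       # question 1: a database nobody knows about
            findings.append((host, f"untracked {engine} listener on port {port}"))
            continue
        if not rec["data"]:   # question 2: what is stored there?
            findings.append((host, "stored data is not classified"))
        if not rec["patched"] or rec["os"] in EOL_OS:   # question 3
            findings.append((host, "unpatched or end-of-life platform"))
        if rec["zone"] == "dmz":                        # question 4
            findings.append((host, "database placed in the DMZ"))
        if len(rec["accounts"]) < 2:                    # question 5
            findings.append((host, "one account used for all access"))
    seen = {host for host, _ in discovered}
    for host in inventory.keys() - seen:   # stale entry, or a scan blind spot
        findings.append((host, "in inventory but not seen by the scan"))
    return sorted(findings)
```

The untracked listener on `legacy-07` is the case the first question is about: none of the other checks can run on a database that is missing from the inventory.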

Remember, to gain access to your data, the attacker has to win ONCE. To be able to protect your data and be compliant you have to win EVERY TIME. And this is hard to get if you do not think about what you want to defend and why it should be stored in a safe manner.

You might say: “No one wants to have any database from us!”. I will ask you: “Do you use any CRM or ERP system?” SAP, for example, uses databases to store data. Mostly important data. The attacker often doesn’t care whether it is accessible via SAP if your database is accessible to everyone on the network. I am sure that the database is not patched because it is a very important, ever-running system which will kill the entire company if it goes down. Well, either it goes down by this or your company will ultimately pay large amounts of money for not protecting your data, in case it is stolen. The EU is currently working on new legislation that deals with this.

It doesn’t cost me that much!

Have you heard about the hacks of millions of customer records, which are usually stored in databases? In Germany, as a company, you have to inform every customer about breaches where their data has been stolen. Names, addresses, account numbers, banking information, passwords, and so on. Let us assume you lose something like the data of 2 million people, which is realistic for a very large company.

Sending a letter to a person currently costs 0,58 Euros. Without even considering more damage than this, just calculate what 2 million letters cost:

1.160.000 Euro is just the cost for the information letters to your customers. Nothing else.

Have you heard about other hacks where login data was stolen? Well, think about your programming time, or about how a login is stored for a website. Exactly: within a database, accessed by your web application, for example. This is terrible and I hope that you will consider protecting yourself, and not only your databases, although those are very important.

Solution

There are many solutions on the market for this. I don’t know all of them but just a few and those are the ones I am working with. All products here are from McAfee. If you have any further advice on maybe better products, send me an E-Mail!