3/28/2007
07:50 AM

Hacking the Car Navigation System

Italian researchers reveal attack methods on RDS-TMC navigation systems

If you find you're relying a little too much on your car's navigation system, beware: Italian researchers have discovered a way to hack into some of these systems and potentially "own" the messages your car gives you and where it tells you to go.

At risk are satellite-based navigation systems that use Radio Data System-Traffic Message Channel (RDS-TMC) to receive traffic broadcasts and emergency messages, a technology that is widely deployed in vehicles throughout Europe and, increasingly, North America, says Andrea Barisani, chief security engineer of Inverse Path. Barisani and Inverse Path's hardware hacker Daniele Bianco built tools that let an attacker inject fake messages into the navigation system or launch a denial-of-service attack.

RDS-TMC provides broadcasts on traffic conditions, accidents, and detours for the driver. (RDS is also used to display the name of the radio station you're listening to on satellite radio.) The technology doesn't authenticate where the traffic comes from, so an intruder could easily send a bogus message of a road closure, rerouting drivers to another road, Barisani says. Or an attacker could pummel the system with messages and cause a denial-of-service (DoS) attack, which could crash not only a car's navigation system but also its climate control system and stereo, he says.

Barisani says the criminal or terrorist element would most likely be attracted to this type of attack. "If you're a hit man, you can use that kind of system to detour or ambush someone on any street you want," he says. "We can also send sensitive messages about security events, [weather conditions], or related to terrorist incidents."

He says he got the idea of trying to perform this type of hack from his new vehicle, which uses one of these navigation systems. "There is no authentication," he says. "So I started to wonder if you could inject false traffic information into them."

"We were amazed you could put in such powerful messages and they were not authenticated in any way," he says.

To execute the exploits, the researchers built a packet-sniffer that decodes messages sent to RDS, and they plan to release a full suite of the hacking tools at next month's CanSecWest conference, where they will present their new research. They also cobbled together a transmitter to send the bogus messages, which they built using an RDS encoder you can buy off the shelf at an electronics store.
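What a decoder for these broadcasts has to parse is shown below as an added example; it is not the researchers' tool and not part of the original article. The bit layout is the public RDS-TMC single-group coding (ISO 14819-1), which the article does not give, and the sample group and its values are constructed.

```python
# Added example: decode one RDS group 8A (TMC single-group user message).
# Field layout is the public RDS-TMC coding (ISO 14819-1), not taken from
# the article. SAMPLE_GROUP is constructed, not captured traffic.
from dataclasses import dataclass

# Application bits of an 8A group, in transmission order. Together they
# fill all 37 bits; no field carries a sender signature or MAC.
FIELD_BITS = {"T": 1, "F": 1, "duration": 3, "diversion": 1,
              "direction": 1, "extent": 3, "event": 11, "location": 16}

@dataclass
class TmcMessage:
    pi: int          # programme identification sent in block A
    duration: int    # duration/persistence class
    diversion: bool  # "diversion advised" flag
    direction: int   # direction of the affected stretch along the road
    extent: int      # number of further location steps affected
    event: int       # index into the receiver's event list
    location: int    # index into the receiver's location table

def decode_tmc_group(blocks):
    """Decode four 16-bit blocks (checkwords already stripped).

    Returns a TmcMessage for a single-group user message, or None for
    any other group. Raises ValueError on malformed input.
    """
    if len(blocks) != 4 or any(not 0 <= b <= 0xFFFF for b in blocks):
        raise ValueError("expected four 16-bit RDS blocks")
    a, b, c, d = blocks
    if b >> 12 != 8 or (b >> 11) & 1:
        return None                  # not group type 8, version A
    if (b >> 4) & 1 or not (b >> 3) & 1:
        return None                  # tuning information or multi-group
    return TmcMessage(pi=a, duration=b & 0x7, diversion=bool(c >> 15),
                      direction=(c >> 14) & 1, extent=(c >> 11) & 0x7,
                      event=c & 0x7FF, location=d)

# Constructed sample: PI 0x5201, duration 1, diversion advised,
# extent 2, event code 401, location code 3028.
SAMPLE_GROUP = (0x5201, 0x8009, 0x9191, 0x0BD4)

if __name__ == "__main__":
    print(decode_tmc_group(SAMPLE_GROUP))
```

The per-block checkword that RDS adds on air is an error-detection code, so a well-formed group decodes the same way whoever transmitted it, which is the gap Barisani describes.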

So far, they've tested the hack on navigation systems in European TomTom and Honda, Barisani says, but it will affect any navigation system based on RDS-TMC.

Clear Channel Radio's RDS-TMC-based Total Traffic Network traffic data service is likely vulnerable, he says, although he has not tested it. MINI USA and BMW, for instance, offer Total Traffic Network services in their vehicles.

Meanwhile, the good news is user data or privacy is not at risk with these types of attacks, since the attacker could only send, not grab, data.

"We're basically trying to fuzz the navigator, send it some incorrect information, and see how it would react," he says.

The researchers tested the hardware within one to five kilometers of the vehicles. An attacker could also target a specific vehicle by using a directional antenna, Barisani says, or by tweaking the power output.

Meanwhile, there are some emerging technologies for car navigation systems that could provide some protection for drivers. One thing coming out: The Transport Protocol Experts Group (TPEG) is developing a successor to RDS that can be transported over XML or digital binary format (RDS uses analog transport). It doesn't add any authentication, Barisani says, but it would be more difficult for an attacker to inject traffic into this digital format.

There's also the Global System for Telematics (GST), a European effort that would add protocols for navigation systems that let cars communicate with one another, for instance, Barisani says. GST -- which is at least five years away from availability -- will include encryption, so it would be less susceptible to attacks, he says.

For now, there's not much you can do to determine whether your navigation system is under attack. Not until you find yourself in some deserted road far from your destination, that is. "We wanted to expose this problem. We think it's a [potentially] pretty severe one," he says. "No one has bothered looking into this, and there's no other research about it."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
