Automated vehicles banned due to security concerns
Modern vehicles are equipped with a multitude of sensors to provide functionality such as lane keeping and more highly automated functions, often referred to as pilot assist or autopilot. The sensor array includes radar, lidar and ultrasonic sensors, but also cameras, which have increasingly become the subject of security concerns.

More specifically, the concern raised by the German police authorities is that many cars, in their example Tesla cars with Sentinel/Sentry mode enabled, have a number of cameras installed which send their recordings to a Tesla-owned server abroad, i.e., in the Netherlands [1]. Sentry mode is Tesla’s alarm system, which records its surroundings as soon as it detects potential threats. They stress that it is clear neither to the users nor to them how this data is further processed and used*.

After the internal email about the intended ban of Tesla vehicles on certain police properties leaked, the police acknowledged the email, but backed down and communicated that the audit is not finished yet [2,3].

Another example of a vehicle ban due to security concerns is the ban of Tesla vehicles in the Chinese district of Beidaihe for at least two months starting from 1st July, due to a summer conclave of China’s senior leaders hosted there. There is no official statement as to why, but the Beidaihe Traffic Police Brigade said it is because of national affairs. This is not the first time Chinese police and military have banned Tesla cars from certain areas; for instance, Tesla cars were rerouted from certain areas in Chengdu earlier this month (not formally announced) [4].

From a security perspective, it is interesting not only how this data is transmitted and stored, but also how access to the vast amount of data generated by each vehicle is managed. A further interesting question is how to ensure trust between vehicle OEMs and countries or government bodies; Tesla, for instance, already ensures that the data generated by its vehicles in China stays in China. A good read on surveillance, technology and the potential impact of Chinese cars on Western roads is Justin Ling’s article on WIRED [6].

*Tesla states that the recordings in Sentry mode are only stored locally, on onboard memory or a pen drive (Model Y) [5].

Short News

  • Rolling Pwn Attack. Researchers found yet another vulnerability in keyless entry systems, which affects all Honda vehicles (from 2012 to 2022) and potentially others as well [7].
  • TB Kawashima hit by cyber attack. Another automotive supplier for Toyota fell victim to a ransomware attack [8].
  • Nichirin-Flex USA hit by ransomware [9].

This is the last AutoSec newsletter before the summer break. Happy holidays and see you back on 19th August!

[1] https://www.bz-berlin.de/berlin/tesla-verbot-bei-der-berliner-polizei
[2] https://www.bz-berlin.de/berlin/polizei-macht-rueckzieher-noch-kein-tesla-verbot
[3] https://twitter.com/polizeiberlin/status/1539939152174764035
[4] https://www.reuters.com/business/autos-transportation/chinas-beidaihe-district-bar-tesla-cars-driving-july-local-police-2022-06-20/
[5] https://www.tesla.com/ownersmanual/modely/en_us/GUID-3C7A4D8B-2904-4093-9841-35596A110DE7.html
[6] https://www.wired.com/story/china-cars-surveillance-national-security/
[7] https://rollingpwn.github.io/rolling-pwn/
[8] https://www.bleepingcomputer.com/news/security/automotive-fabric-supplier-tb-kawashima-announces-cyberattack/
[9] https://www.bleepingcomputer.com/news/security/automotive-hose-maker-nichirin-hit-by-ransomware-attack/

Written by Thomas Rosenstatter
