
Land Rover praised for recall over software security bug

BT Security head Mark Hughes says Land Rover's recall of vehicles to fix a software security flaw is a sensible step to address evolving criminal threats

Land Rover has been praised for its decision to recall more than 65,000 vehicles affected by a software flaw that could be exploited to unlock vehicles.

The recall of Range Rover and Range Rover Sport vehicles sold in the past two years follows reports that car thieves were targeting these vehicles because of the ease of opening their electronic locking systems, reports the BBC.

Car thieves were reportedly using a handheld "black box" to unlock and start cars that had keyless ignition systems, prompting some insurance companies to refuse to cover Range Rovers unless they were kept in secure, off-street car parks.

The software vulnerability meant that anyone who gained physical access to a vulnerable vehicle could plug in a device that allowed them to programme a blank key, which could then be used to start the car.

Land Rover is not the only car maker to be targeted by car thieves exploiting weaknesses in keyless locking and ignition systems. Ford Focus and Fiesta models, Audis, some light commercial vehicles and BMW X5s have also been targeted.

In February 2015, BMW released a security patch for the group’s BMW, Mini and Rolls-Royce models using its ConnectedDrive technology, which allows car owners to access internet, navigation and other services through a SIM card installed in the vehicle.

In 2013, Volkswagen requested a High Court ban on UK scientist Flavio Garcia and two other cryptography experts from a Dutch university from publishing an academic paper on how they cracked the security codes used to start cars, including Porsches, Bentleys, Lamborghinis and Audis.

The court ruled that publication of the Megamos Crypto algorithm that allows the car to verify the identity of the ignition key using radio frequency identification (RFID) could lead to the mass theft of vehicles.

Volkswagen went to court after the scientists had refused to publish a redacted version of their paper on dismantling the Megamos Crypto at the Usenix Security Symposium in Washington DC.

In a statement, Land Rover said no accidents or injuries were reported to have occurred as a result of the software flaw and that Range Rover owners do not need to pay for the software updates.


BT Security president Mark Hughes described the recall as sensible and said it is positive to see car makers taking the proper steps to address evolving criminal threats.

“This is an increasingly common attack now that vehicle crime, like so many other things, is going digital. The challenge is that systems are now getting connected that were not originally designed for that purpose,” he said.

“There is a need to carefully test vehicles, identify possible vulnerabilities and fix them before criminals exploit them. We believe there’s a need to adopt established methods from the IT industry, like ethical hacking, for connected cars.”

In April 2015, BT launched a new security service to test the exposure of connected vehicles to cyber attacks and to help car makers keep vehicles secure as they rely increasingly on Wi-Fi, 3G or 4G mobile data links, Bluetooth and other wireless technologies for new features and services.

The proliferation of these technologies has raised concerns about the ability of hackers to gain access to, and control of, the essential functions and features of those vehicles, and about others using information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent.

The BT Assure Ethical Hacking for Vehicles service includes a range of tests targeted at the attack surfaces of the vehicle. These cover interfaces that are accessible inside the car, such as Bluetooth links, USB ports or the DVD drive, as well as external connections such as links to mobile networks or power plugs.

BT tests and verifies all the systems that interact with the connected vehicle to identify vulnerabilities that would allow unauthorised alteration of configuration settings, or that would introduce malware into the car. These remote systems can include the laptops of maintenance engineers, infotainment providers and other supporting systems.
