An Internet-Wide View of Connected Cars: Discovery of Exposed Automotive Devices

Abstract

As the number of connected cars increases, cyber-attacks targeting them become significant risks. Especially, On-Board Equipment (OBE) that is directly accessible from the Internet can be an immediate target. However, it is not known what kind of and how many connected automotive devices can be remotely accessed from the Internet and, if compromised, become an entry point for further attacks on in-vehicle networks. In this study, we investigate the prevalence of such exposed vehicular devices. We propose a discovery method that utilizes an Internet-wide scan engine and a regular web search engine to find Internet-facing OBE. Using the proposed method, we discovered 2,532 devices of 12 different OBE products across 27 countries. We also investigated the potential cyber-attack risks against the discovered devices. 11 out of the 12 products have security concerns for remote compromises, such as running Telnet or outdated server programs. Moreover, we found that nine products have the capability to connect to the in-vehicle network. We could confirm from the information displayed in their user interface that at least two of them indeed connected to the in-vehicle network. Additionally, we noticed three products expose privacy-sensitive information such as GPS location. We believe this result provides a lower bound of the security risk of Internet-facing vehicular devices.