Cybercriminals are inventing new ways to compromise different systems all the time. As devices connected to the internet and internet platforms, such as personal computers, servers, mobile devices, and websites, for example, are a common target for hackers and, still remain the main targets for them, there is a growing risk for modern cars that are using various technologies to provide additional functionalities.
New cars provide us with more safety when it comes to accidents and regular car burglaries. They are designed to help us in every situation possible and are doing a pretty good job. All this requires more technology which cars were already full of. Actually, a modern car can have around 100 microcomputers and of course, some of them are connected to the outside world with some way of communicating.
The fact that Wi-Fi, Bluetooth, GPS, RFID and other means of communicating are used by the radios, maps, and whatnot, but they are also used to lock, unlock and start the car. This is something car thieves find very interesting obviously.
Modern supercars are also introducing technologies that allow the car to drive by itself. A big threat for these cars are hackers who are capable of taking control of these systems. It will give them the access to throttle, brakes, and steering, basically allowing them to drive the car.
The fact that cybercriminals are also targeting cars is not a very new thing. There have been criminal gangs that have figured out how to steal specific vehicles and people driving that exact car model has felt it in their skins. Cyber attacks against cars is a growing hot topic and should be taken seriously, by the manufacturers and consumers.
How is a car hacked in practice
There are different ways to hack a car, depending on what kind of technologies the car is using. Different manufacturers implement different technologies in different ways. This means that cars from various manufacturers are probably not affected by the same vulnerability.
However, if the car manufacturers are ordering the car key systems from the same vendor and there is a vulnerability in the car key system, it means that it is possible that all the cars have the same vulnerability. Vulnerabilities in car key systems are probably the most common way of hacking into a car.
Indirect physical access
Some attacks require a physical connection to the car’s systems. This can be done by a mechanic as new cars are very often plugged into a computer through the OBD (On-Board Diagnostic system) to determine what the problem in the car is.
If the hackers can breach the mechanic’s computer, there is a chance that they are able to compromise the car when the mechanic plugs it in your cars OBD. On-Board Diagnostic system is the port of your car to the outside world.
CDs, USB sticks, media players or mobile devices that are infected can launch the attack as well.
For electronic or hybrid cars that use electricity as one power source could be attacked by compromised charging stations. Stopping to charge the car could lead to hackers taking control of the car.
Wireless access
Wireless access attacks can be divided into two categories, long-range and short-range.
The long-range attacks include:
- GPS
- Satellite radio
- Digital radio
- Cellular connections
These can be exploited in different ways as they are different technologies. The important thing to know is that the hackers can attack via these technologies from 1km away (0.6214 mi).
The short-range attacks include:
- Bluetooth
- RFID
- Wi-Fi
- Tire pressure monitoring systems
These technologies offer different attacking methods but require the attacker to be at the range of the access point. The distance can vary depending on the technology and strength of the signal.
The attacker might need to get as close as 1 meter (3.28 feet) but depending on the attack, it’s enough to be at the same parking lot. The use of extenders and signal strengtheners allow the range to vary.
Threats of using the remote car key
At the moment the most common threat to modern car owners, when it comes to cybercrime, is the theft of their car. This is most commonly performed by capturing, jamming and repeating the signals sent between the car and the car key when locking and unlocking the car from distance. Very simply put, the car and the car key are going through a quick conversation to verify that the key is allowed to perform the requested actions.
The attacker has a couple of options. They can jam the signal sent so that the car doesn’t lock at all. This will allow them the access to the insides of the car. They can simply steal your belongings that are left in the car or access the BUS drives (used by mechanics) to either start the car.
The attacker can also capture the signal and perform calculations based on the method used by your car to be able to produce a new signal that can unlock the car.
Keep in mind that these are attacks requiring planning and a lot of work, but after that are rather simple to perform. The examples above are extremely simplified in order to make this material understandable to everyone. If you are seeking some more information on these kinds of attacks, feel free to search the internet for more advanced content.
So far there hasn’t been too much attention to the attacks that compromise the whole car, without the attacker physically stealing the car. But I believe that in the future, these kinds of attacks are becoming more and more common as it gives the attackers the possibility to control the cars. That’s a very good reason to invest in your cars cybersecurity and cybersecurity in general.
How to mitigate the cyber threats
To avoid cyberpunks gaining access to your vehicle, there is only so much a consumer can do. Using common sense takes you far, but decisions made when buying and maintaining your car also have an effect on the security side of things.
- Avoid using remote keys to lock and unlock the car, use the actual key instead, if possible
- If your car key doesn’t have a physical key at all, like Tesla’s keys. As a short-term mitigation, it is advised to keep the key in a Faraday box or bag. These keys are sending signals all the time as they don’t have a button to activate the signal. As this is not a convenient way of dealing with this problem, it is considered as a short-term mitigation before you can apply a stronger and more convenient way of dealing with this problem.
- Some cars, like Tesla’s can disable the passive entry method (referred above). Instead of using the key, enable the PIN to drive. This is available in Tesla cars, if you are driving a different car, ask the manufacturer for alternative methods of dealing with this problem.
- If you are handy enough, you can be able to modify the key so that the signals are sent only when pressed the button
Some other mitigations methods are:
- Using a wheel lock
- Reduce the attack surface. Buy a car which doesn’t have all the latest technology solutions implemented or disable them when not in use. This leaves less attack surface for the attackers.
- If you desperately need or want the car to have media features, get a car with Apple CarPlay or Android Auto Systems, these two are considered more secure than the ones that are developed by some other vendors.
- Get an OBD-lock to lock down the access to the port.
- Do not plug or let anyone to plug anything you are not sure of to the OBD or USB ports of your car
By following these instructions, you should be relatively safe, but as everything will be hacked at some point, it is important to implement new security measures when the old ways are deprecated. Do not fall into a belief that after following these rules you are completely secure from any hacks as this threat is always present.
There are companies focusing on the security of cars and they are providing the car manufacturers with penetration testing, code review, threat analysis and many other forms of services. These companies are working to help the companies to create more secure vehicles for the markets. This is important from the customer perspective as the mitigations customers can do to secure their car are very limited and might even require a lot of effort.
Conclusion
Keeping your car secure can seem like an impossible task and a lot of work. This is partly correct but being aware of the possible threats is a good start. This way you get an understanding of what can pose a threat to your car but also other systems.
Car cybersecurity isn’t too far from cybersecurity in general. Common sense will get you far and implementing the newest patches and following the newest rules on what and how to do things will get you far.
All this can be summarized as getting used to routines. This also applies to more than just the security of your car in the cyber world. Create and follow a routine based on the newest available information on how to use your car, for example, do not use the remote key to lock and unlock your car and disable the communications of the car when you are not using them. This won’t cost you more than a maximum of one minute and is totally worth it. By creating a routine of this, it will make the process a lot easier in the future and keep you more secure as well.