Source: Getty Images

From Car-Jacking To Car-Hacking: How Vehicles Became Targets For Cybercriminals

As vehicles are increasingly connected to the internet, carmakers must learn to deal with a wave of new security threats.

The morning after Laura Capehorn parked her Saab 9-3 estate, all she could find of it was a car-shaped hole in the snow.

The interior designer had left the vehicle outside her mother-in-law's house in Shepherd's Bush, London, one evening in January 2014. By the morning it was gone, presumed stolen.

Police immediately asked to see the car's key, and weren't surprised to find out it was an electronic fob. They had seen an increase in tech-savvy criminals using a key-cloning system to gain entry to high-value vehicles. Once in, the thieves drive away within seconds.

"It's shocking how easy it is to steal a car in this way," Capehorn says. "Especially given that nearly all new cars use these sorts of keys."

Laura Capehorn's Saab was stolen and then driven into a wall and dumped
Laura Capehorn's Saab was stolen and then driven into a wall and dumped
Source: Laura Capehorn

Automotive cybercrime is a burgeoning business. Some 6,000 cars and vans were stolen using this keyless entry hack last year in London alone - that's 42% of all vehicle thefts, according to the city's Metropolitan Police.

As cars become increasingly hi-tech, with Internet connectivity and automated parking, braking and obstacle detection, they become more vulnerable to cyber-attack - whether by people looking to steal the vehicle, harm an individual, or carry out activism.

 A recent Jeep Cherokee cyber-attack saw hackers remotely take control of a car's steering and brakes while it was on a motorway. That put cybersecurity at the top of carmakers' agendas. It was a controlled experiment carried out by two "white hat" hackers, and not a malicious attack. However, the potential risks were clear to see, and Jeep manufacturer Fiat Chrysler recalled 1.4 million vehicles to fix the security flaw.

As more and more automobiles come online - with Japanese electronics giant Hitachi predicting that 90% of all vehicles will be connected to the Internet by 2020 - it's critical to consider some of the vulnerabilities already at play.

"Anything connected to the Internet can be hacked - including cars. What hackers can do depends on how much the Internet connection interacts with different aspects of the vehicle," says Stuart Hyde, a former chief constable of Cumbria Police, a regional force in England.

Cloning Electronic Keys

Criminals can clone electronic keys like this
Criminals can clone electronic keys like this
Source: Getty Images

For less than 20 pounds ($31), would-be criminals can buy a device online that allows them to drive off with a prize worth tens of thousands of dollars. 

Many models are at risk, including BMW, Mercedes, Audi, Land Rover and Saab. In theory their modern keys make the cars very secure; the car can't be started unless it receives a unique signal from the fob. However, the unregulated sale of key-programming equipment means that criminals can easily create copies.

Typically a thief will plug a device into the car's diagnostic port in the passenger footwell - following instructions on one of many YouTube tutorials. The information gleaned from the car can then be used to reprogram a blank fob and start the car. To get into the car, thieves can either smash a window or use a second device to block the signal from the fob at the point when the owner is locking their car, so it's unwittingly left open. 

To fix this gaping vulnerability, car manufacturers are adding additional layers of security to the key to make it more difficult to copy the signal, while also tightening control over how the handling of key credentials and information between the factory and the customer. Police have a less hi-tech recommendation: installing a mechanical steering wheel lock.

Hacking the infotainment system

The Jeep hack involved targeting the Internet-connected entertainment and navigation system via a mobile phone network.

The problem lies in "truly stupid wide-open doors" in the car's on-board 'telematics' computer (used for navigation and diagnostics), according to Jens Hinrichsen, general manager of Interface Products at NXP, which makes microchips for connected vehicles. Internet-connected add-ons now make cars much more vulnerable to cyber-attack from afar, he says.

Our increasingly connected 'infotainment' systems are leaving our cars more vulnerable to attack
Our increasingly connected 'infotainment' systems are leaving our cars more vulnerable to attack
Source: Getty Images

Experts say cars need better security architecture to keep entertainment systems, telematics and critical functions separated by firewalls and with encrypted communication between them.

"Typically cars' networks are like a house where you can walk freely from one room to another. Carmakers need to build in security so that there's a lock on each room and special locks for special rooms. There might even be a safe in the bedroom with the most precious stuff inside," Hinrichsen adds.

GPS spoofing

As we move towards driverless vehicles, having reliable GPS systems will be increasingly important. GPS signals - which power smartphone mapping apps and other location-based services - usually come from satellites orbiting the Earth.

That signal can be spoofed to deliver fake or altered maps to the car's navigation system to send the vehicle off course.

"Hacktivists could have lots of fun causing traffic jams, while terrorist groups might want to direct a person's car to the point of ambush or kidnapping," says Tim Watson, Director of the Cyber Security Center at the University of Warwick.

This is not just the realm of theory: security researchers from the University of Texas managed to change the course of an $80 million super-yacht, shifting it onto a potentially dangerous path. The captain never knew.

Google is one of several companies putting huge resources into driverless car research and development
Google is one of several companies putting huge resources into driverless car research and development
Source: Google

While human drivers can defer back to paper maps or local know-how, this type of attack might be effective against autonomous cars, which rely heavily on satnav systems. The risk can be reduced, however, by combining GPS with other positioning techniques, such as dead-reckoning, and cross-referencing Wi-Fi networks.

Risks versus threats

Not all security risks will be exploited by attackers - particularly when there is no financial incentive for criminals or shock value for terrorists and hacktivists, says Watson.

Car manufacturers should be focusing on plausible threats, he adds: "Cybersecurity is a human-centered activity and we have to mix good safety with insightful protections based on attacker and victim behaviors."

For the time being there are plenty of cars with hackable electronic fobs to steal, and there are easier ways to hurt someone than hacking into the infotainment system of their cars to take control of the brakes.

Watson says: "It comes down to experience. We've learned to create a well-governed space in our cities. Yes we have muggings and crime but we feel reasonably well-protected. We will need to do the same for our cyber-environment."

In the meantime, advocates such as Watson say we shouldn't forget the great benefits connected vehicles can offer. 

Connected cars offer many benefits, such as autonomous valet parking
Connected cars offer many benefits, such as autonomous valet parking
Source: Getty Images

"If your car breaks down, you'd much rather have a system that's completely connected so your carmaker knows you've broken down, and knows where you're supposed to be going, has a list of authorized garages and can even talk to you from control room," says Watson.

Advocates say autonomous cars will allow large swathes of the population to feel less isolated, including those with epilepsy, the elderly and the infirm.

"It's not a horrible Frankensteinian new age - it's wonderful and will bring us greater prosperity," says Watson.

How Vulnerable Are Today's Cars, Trucks to Hacking?
Before it's here, it's on the Bloomberg Terminal. LEARN MORE