One of the greatest risks to the owners of smart cars is that of cyber criminals: hackers working hard to discover vulnerabilities in the latest cars so that they can hijack, ransom, steal, and perhaps even use as weapons.
Reading press reports would lead you to think that the only cars that hackers can pull off an impressive piece of over-the-air hijacking on are the latest smart cars — internet-connected automobiles — that you’d have to break the bank to afford.
But the truth is that virtually any modern car can be subverted by cyber criminals as long as there is a microprocessor that can be accessed or interfered with remotely. Find this hard to believe? Read on!
1. Bluetooth and Internet Vulnerabilities
Modern smart cars come with Bluetooth built in, at the very least to give you the convenience of hands-free (and therefore safer) calls while you’re driving. More commonly, this feature is used to pipe music from a phone through your car’s audio system. Similarly, mobile internet is being introduced into new cars, turning them into giant smartphones with wheels.
Both of these communication methods offer an avenue for hackers to deliver attacks. The recent story of the Jeep killed remotely on the highway with a Wired journalist in the driving seat was only possible thanks to vulnerabilities in Chrysler’s Uconnect feature, which controls entertainment, navigation, phone calls, and wireless hotspots in hundreds of thousands of vehicles.
Worse still, the cellular connection employed by Uconnect lets anyone who knows the automobile’s IP address to gain access from anywhere in the USA. As Charlie Miller, one of the researchers responsible, observes, “From an attacker’s perspective, it’s a super nice vulnerability.”
The answer here, of course, is to disable Bluetooth (use a cable instead) and avoid cars with mobile internet — which should be fine since a quick check of the history books reveals that cars have managed fine for the past 100 or so years without being connected to a central computer.
Other connected cars have their own vulnerabilities to worry about. For instance, the Mitsubishi Outlander’s alarm can be disabled or even drain the car’s battery.
2. Radio Intercepts Remote Lock Signal
German car giant Volkswagen is not having a good time of it lately. Not only have they been found to have technologically suppressed emissions data, it seems that their cars are susceptible to a number of bugs.
But this time, it’s not new cars that are at risk from cyber attacks. Instead, we’re talking about older cars, from as far back as 1995, that are vulnerable to an attack that can be delivered using simple radio waves.
It’s estimated by security researchers — some of whom were involved in an earlier revelation that VW’s ignition was vulnerable — that the keyless entry systems of almost 100 million cars is susceptible to an attack that remotely unlocks the car.
This is done using an Arduino board and some additional components (up to $40 in value; alternatively, a suitably equipped laptop can be used) to intercept the signal as it is sent by the car’s owner, unlocking the vehicle. The signal is then cloned and used to unlock the target vehicle.
The fix? Lock and unlock your 1995-2016 VW manually, not remotely! Sadly, keyless theft isn’t limited to VW. Thieves targeting vulnerabilities in electronic locks accounts for a massive 42% of car theft in London alone.
3. Zubie and the OBD-II Vulnerability
We’ve looked at OBD-II a couple of times over the years. This is a system that makes it possible to communicate with your car’s computer — the integrated, under-the-bonnet device that controls the electronics, power steering, etc.
You may have seen the technicians at your local repair shop connecting a computer of some sort to a hidden port in the front of your vehicle. This is what they’re using.
Anyone can access this port using a cable or Bluetooth connector, and with suitable software installed on your computer (Windows software is available) or mobile device (it’s simple using Android), you can view some interesting fault diagnostic information as well as tune your car.
Unfortunately, however OBD-II has its weaknesses. The Zubie is the most popular way to connect to your car’s OBD-II port, and this included a vulnerability (now closed) that enabled attackers to spoof the remote Zubie server (where car data was uploaded) and send malicious software to the Zubie, which might then have been used to disable the car or worse.
The key to safety here is to avoid plugging things into your OBD-II slot unless you’re confident that the device, and any related software, is trustworthy.
What Is the Risk to You?
As of this writing, the hacks featured here are almost all in the development stage. For hackers and automobile firmware developers, it’s like the Old West at the moment as boundaries are established and methods of intrusion are tried and tested.
For now, you’re probably safe. Thanks to security researchers, the kinds of holes that lead to these kinds of hacks can be plugged as each generation of smart car is released. It’s unlikely that the majority of the vulnerabilities listed here will be used against you.
However, by the time the self-driving car becomes commonplace, they may already be compromised and their potential for cutting emissions suddenly becomes an unattractive option if driving becomes a lottery.
But the fact that comparatively old vehicles are at risk of such a simple radio-based hack — one that will immediately relieve you of your much-loved car — will come as a major concern to anyone using a remote lock.
But what do you think? Do you feel as though you’re at risk? Will you stop using your remote unlocking key fob on your VW? Tell us what you think in the comments.