Do you need to worry about a car hack?
Do you drive a car — or a computer?
A car is actually many computers — some cars have more than 100 of them.
And if you’re connected, you can be hacked.
What’s Your Worry?
Your biggest enemy right now probably won’t be an attacker who “makes it rain,” like the bad guys in the 2017 movie “The Fate of the Furious,” sending parked cars flying out of a parking garage.
“Attacks against cars currently only happen in labs in tests,” said car security expert Kai Thomsen. “I mean, cars don’t get hacked on the road.”
Attackers can indeed take control of some cars, but these kinds of hacks are not realistic for the typical driver, Thomsen told Archer News at the 2018 CS3STHLM cybersecurity conference in Stockholm, Sweden.
“Steering people off left and right, like in Die Hard 4.0, I don’t see that happening,” he said.
Attackers “make it rain” cars in “The Fate of the Furious.” Image credit: “The Fate of the Furious” Universal Pictures
It’s not for lack of ability.
Researchers have already hacked a Jeep in motion, cutting the transmission and brakes.
They’ve even composed musical attacks.
“We built an exploit that worked by re-encoding songs put on a CD that will play fine on a laptop but if you put it in the car it will take over the car,” said University of California at San Diego Professor Stefan Savage at the 2016 USENIX Enigma conference.
UCSD researchers say they hacked a Corvette & made it hit the brakes. Image credit: Ian Foster
Still, Savage said chances that your car will be hacked in a catastrophic way are slim.
“Things like targeted car hacking aren’t likely to be a threat for normal citizens until there is a way to monetize them,” Savage told Archer News. “And I see zero evidence of that.”
Are you home free?
A gang of car thieves used computers to steal 150 Jeep Wranglers in the San Diego County area, the Department of Justice announced last year.
They picked out their target cars, obtained illegal copies of the keys, and cut the alarm cables under the hood, the DOJ said.
They opened the cars with the illegal keys, then used a computer to reprogram the illegal keys and drive off.
Total time? About one minute.
Thieves steal a Jeep by reprogramming an illegal copy of the key, according to the USDOJ. Image: USDOJ
Now, thieves have it even easier thanks to your keyless entry, which allows you to open the car door without key in hand.
Many people leave their key ring inside by the front door at night.
“If you go up with a radio, a two-way radio, to your front door and pick up the signal of the key and your buddy has another radio right next to the car, the car thinks the key’s right there,” said Thomsen.
“You can open the door, turn on the car,” he added. “Hit the ignition button and drive away.”
The thieves can disable trackers and keep driving until they turn the car off.
This hack is fueling an epidemic in Britain, police said, with one region, West Midlands, seeing car theft rates nearly double.
Thieves hack a car with keyless entry in West Midlands, UK. Image credit: West Midlands Police
Many Cars Vulnerable
A German driver’s organization, Allgemeiner Deutscher Automobil-Club or ADAC, tested more than 100 cars and motorcycles and found they could use the keyless entry hack to get into all but the 2018 Land Rover.
Sme Fords, Hondas, Toyotas, Subarus, Volvos and more are vulnerable, ADAC reported.
A number of car companies are working to make their cars more secure and some have already updated their systems.
For example, after researchers for KU Leuven University in Belgium found a way to clone Tesla Model S keys in this attack announced in September, Tesla released new keys, according to WIRED, and advised owners to set up a PIN code for driving.
“Theft will continue to be the biggest ‘cyber’ concern for the next five years,” Savage said in an e-mail. “Mainly because, in a Darwinian fashion, our anti-theft measures are now effective enough that they require thieves to use cyber means.”
“Moreover, theft has a clear business model and an established mechanism for monetization (chop shops),” he added.
Researchers at KU Leuven show how they hacked & cloned Tesla key in about a second. Image: COSIC
What do we need to think about?
Looking forward, Thomsen said you’ll be able to use an app to let your kids or friends drive your car without giving them the key.
But that will also give bad guys a way in.
“That’s how hackers usually think,” Thomsen said. “What if i can pretend I’m your smart phone app? So, just use that channel to try to take control of the car.”
Also coming? Ransom notes.
Savage sees attackers freezing your car for fun or ransom money.
Thomsen sees them holding up entire fleets of cars, making fleet managers pay up to get back on the road.
Car security expert Kai Thomsen predicts attackers will use apps to try to steal your car & personal info. Image: Skitterphoto
How Do You Protect Yourself?
Be careful what you connect to your car, Thomsen advised, whether it’s an app, a device for insurance or an after-market part.
Attackers could use them to take control or steal your private info — where you go, how fast you drive, who you call and more.
Rental cars or car shares are already a risk.
“Does any car have a forget about me button? No,” said Thomsen. “Do you remember to delete that once you leave the car at the curb and go about your way? No, you don’t.”
Think of your car like your phone — but with higher stakes.
Updating your car is even more important.
And experts recommend you try to keep your car in a garage, disable keyless entry and use physical locks — like steering wheel locks — for more protection.
An example of a steering wheel lock. Image credit: pastie
There is debate about how you can protect your keys even further.
Some say wrap them in tinfoil or put them in a metal box or special pouch.
Others say that doesn’t always work.
Police say the physical lock is the best option.
Less convenient, but more likely to keep your car in place — and under your own control.
Main image: Jeep on side of highway. Image credit: RJA1988