How Cars Are Hacked

Here's what you can do to protect your vehicle.

Security updates on most people's smartphones are a regular occurrence these days, and it seems as though there's always a recent news report of compromised systems exposing our data. It's scary stuff, especially when we're talking about cars.

Modern vehicles are driven by more than engines and/or electric motors. It takes dozens of microprocessors and more software code than a Boeing 787 Dreamliner to run today's automobiles. And with a growing number of cars receiving software updates wirelessly, connecting to networks via built-in Wi-Fi or 5G modems, our vehicles are easier to access than ever.

But are they easier to hack? And how exactly does one hack a car, anyway? To find out, we spoke with a couple of experts: Ayyappan Rajesh, a University of Massachusetts Dartmouth student and cybersecurity ace who hacked a 2018 Honda Civic at last year's DEF CON hacker conference in Las Vegas, and Justin Montalbano, a cybersecurity engineer at Boom Supersonic and the Car Hacking Village lead at DEF CON.

Car Hackers Look for Attack Vectors

A key concept of cybersecurity is figuring out and addressing a system's weak points, also known as attack vectors. "An attack vector is essentially an entry point for an adversary into any system, through which they can launch an attack and compromise the target system," Rajesh says. Wireless connections, access ports, smartphone-connected apps — all of these are possible attack vectors. They're like doors to the network of your car.

Vehicles today have more virtual doors than ever before, increasing the opportunities for hackers to enter the system and wreak havoc. As Rajesh explains it, "In the past, the attack vectors were limited to the key fobs and physical access to the CAN [controller area network] bus, which is responsible for ensuring seamless communication between various systems and sensors in a vehicle, such as the engine control unit, transmission control unit, ABS, airbag system, power steering, and many others."

These days, though, someone looking to take control of a vehicle doesn't need to plug a control unit into the OBD-II port (the entry point to a vehicle's onboard diagnostic center); they can access the CAN bus from afar — as two security researchers proved in 2015 when they gained control of an at-speed Jeep Cherokee through its Wi-Fi-connected multimedia system. While that system doesn't talk to the CAN bus, "the researchers found a way to remotely flash [an intermediary] module that had internet connectivity and direct access to the CAN," Montalbano said. From there, they rewrote portions of the vehicle's code to manipulate a few vital systems, including the transmission and brakes.

Common Automotive Hacks

That Jeep hack (which was quickly patched by Chrysler, by the way) is pretty terrifying but thankfully also rare. The most common hacks are used not for remote control of a vehicle but rather to steal it, sometimes with a car-hacking device. According to Rajesh, "There is an underground market for devices such as key grabbers — relay devices that focus on exploiting the key fob attack vector — and other devices that use known exploits on the CAN bus to bypass the immobilizer."

A relay attack is when "an adversary captures and replays the signal being transmitted by the key fob," he said. This is the aforementioned hack that he demonstrated at last year's DEF CON; it gave him the ability to unlock and lock a Honda as well as remotely start the vehicle. Teslas have also proven susceptible to car-hacking attacks like this.
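
To make the capture-and-replay idea concrete, here is a simplified receiver model added for illustration; it is not code from the interview or any manufacturer's protocol. The frame layout, the `KEY` and `WINDOW` values, and all class and function names are assumptions. It contrasts a receiver that accepts the same bytes every time with one that requires an authenticated, ever-increasing counter.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared secret, not a real fob key
WINDOW = 16                    # assumed allowance for presses made out of range

class FixedCodeReceiver:
    """Weak design: the fob sends identical bytes on every press."""
    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)

def rolling_frame(counter, command, key=KEY):
    """Fob side: 4-byte counter + 1-byte command + 8-byte truncated HMAC."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    """Hardened design: accept only authentic frames with a fresh counter."""
    def __init__(self, key=KEY):
        self.key, self.last = key, 0

    def accept(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, good):
            return False                  # forged or corrupted frame
        counter, _command = struct.unpack(">IB", body)
        if not (self.last < counter <= self.last + WINDOW):
            return False                  # stale (replayed) or too far ahead
        self.last = counter               # this value and all below are now dead
        return True

def demo():
    unlock = 0x01
    fixed = FixedCodeReceiver(b"\xde\xad\xbe\xef")
    recorded_fixed = b"\xde\xad\xbe\xef"   # constructed "captured" frame
    rolling = RollingCodeReceiver()
    recorded = rolling_frame(1, unlock)    # frame the owner transmitted once
    return {
        "fixed_first": fixed.accept(recorded_fixed),
        "fixed_replay": fixed.accept(recorded_fixed),
        "rolling_first": rolling.accept(recorded),
        "rolling_replay": rolling.accept(recorded),
        "rolling_next": rolling.accept(rolling_frame(2, unlock)),
    }
```

The counter check only defeats re-sending a recorded frame; forwarding a fob's live signal in real time is a different problem, which is why keeping the fob in a signal-blocking bag still matters.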

Staying Safe From Car Hackers

While much of your vehicle's security is going to depend on software updates and other core functionality that car owners aren't meant to control, Rajesh has a few suggestions that anyone can follow to add a little extra security.

The first should be obvious: Choose a secure password for any app or system that interacts with your car. That most certainly includes your phone. If your PIN is 1111, you're asking for trouble.

Second, cover your vehicle identification number. Security researcher Sam Curry recently demonstrated an exploit where he was able to unlock and start cars simply by knowing their VINs. Yours is probably just beneath your windshield on the front left corner of your dashboard. Putting a piece of black tape over it will do.

Third, use a simple, signal-blocking Faraday bag to protect your key fob when it's not in use. This will help prevent anyone from accessing it remotely. You can get one online for less than 20 bucks.

Finally, don't leave anything connected to the OBD-II port. This includes driving monitors available from some insurance companies, which, if hacked, could allow attackers direct access to your car's most crucial systems.

While all of this might sound alarming, Rajesh says vehicle manufacturers take the risk of hacking seriously: "OEMs [original equipment manufacturers] are proactive with their security. They engage with the hacker community and have hackers test their systems before their product is launched in order to prevent possible vulnerabilities." Still, there's no harm in taking a few precautions.

Tim Stevens
Tim Stevens is a veteran editor, analyst, and expert in the tech and automotive industries. He helmed a major website's automotive coverage for nine years and acted as its content chief. Prior to that, Tim served as the editorial lead at a tech-oriented site and even led a previous life as an enterprise software architect.