You’ve never been more connected to the world than you are right now. Every day, we use smartphones, smartwatches, smart TVs, smart homes—and our newly-smart, connected cars are no exception. The technology underpinning things like smartphone integration and over-the-air software updates is hardened against bad actors, but a recent hack of nearly 30,000 cars in which the attacker claims he can turn off a moving vehicle's engine shows the automotive world could still become a digital deviant's playground.
This latest event, first reported on by Motherboard, affected 27,000 cars located in South Africa, Morocco, India, and the Philippines, all of which had been set up to run one of two fleet-management GPS tracking programs: iTrack or ProTrack GPS. Ideally, these programs allow owners of large fleets—think company cars, rental/car-sharing facilities, or even used vehicles with a lien—to keep track of their vehicles. However, they also function as easy backdoors for hackers, one of whom used a simple password trick to uncover personal data on thousands of drivers and the ability to turn off a car's engine while it's driving.
Motherboard couldn't directly confirm that the hacker was actually able to brick a moving car, though the iPhone and Android apps do offer a "Stop Engine" function for compatible cars that can be activated up to 12 mph. The site also spoke to several users of the apps, who corroborated the personal details purloined by the hacker. Scary? Yes. But it isn’t an uncommon event.
Last week, we reported on a different hack that allegedly saw the BMW and Daimler-backed car-sharing service Car2Go breached; upwards of 200 cars went missing from its Chicago fleet. The company then suspended service in the area. Though details are still vague—Car2Go claims the cars were actually rented under fraudulent terms—the event helps illustrate a more worrying picture of application access and the lack of security on the increasingly connected car.
Though car-sharing companies have been recent targets, these same types of access software and access applications are becoming increasingly common for the public market. Nearly every major manufacturer has implemented some sort of cellular-based software that helps the user monitor the car’s functions and remotely access its systems. Today, in a number of vehicles, you can remotely change the car’s climate controls, access vehicle information, schedule maintenance, honk the car’s horn, and yes, start or stop the engine. To single out Tesla—the first automaker to really embrace the idea of OTA updates and smartphone controls—it's even begun allowing customers to remotely drive their cars (slowly) via the app.
And yet, the overall security of these applications doesn't seem to be a high priority for most manufacturers. There have been a number of low-profile hacks that have occurred over the last few years, flying under the radar even though their scope affects hundreds of thousands of cars on the road. Singling out Tesla once again, a Chinese firm called Tencent found that the Wi-Fi system on the Tesla Model S could be used to gain access to the car’s driveline; specifically, Tencent could remotely activate the car’s brakes while moving. Tesla later fixed the hole in the security, but questions remain.
Fiat-Chrysler’s Jeep brand had one of the more widely-known breaches. Like Tesla’s Wi-Fi security hole, the Jeep’s Wi-Fi had a vulnerability in its infotainment system that allowed hackers to actually change the car’s engine management settings on the fly and while in motion. Jeep’s breach was later fixed, but only after the hackers went public with the knowledge and a class-action lawsuit nearly made it to the U.S. Supreme Court.
It's not just the cars themselves, either. In 2016, Volkswagen found that nearly 100 million of its cars were vulnerable to attack via their key fobs. According to our reporting, “The bug, discovered by a team from the University of Birmingham and researchers from German engineering firm Kasper & Oswald, enables tech-savvy thieves to clone a car's key fob by capturing just two radio signals.”
What’s slightly more frightening, however, is the rise—or at least theoretical rise—of autonomous cars. With everything from steering to acceleration to braking handled by the computer, the possibility of a hacker acquiring total control of a vehicle becomes that much more realistic. According to Charlie Miller, a former engineer at Uber and member of the National Security Agency’s Tailored Access Operations team, and one of the brains who hacked Jeep’s operating system, it’s a fact that should terrify manufacturers.
Speaking with Wired, Miller warned the industry at large that defending autonomous vehicle systems from intrusion is exceedingly difficult and that, without the proper safeguards, an intrusion could lead to terrible consequences. "Autonomous vehicles are at the apex of all the terrible things that can go wrong. Cars are already insecure, and you’re adding a bunch of sensors and computers that are controlling them..." Miller told the publication. "If a bad guy gets control of that, it’s going to be even worse."
And with companies pushing autonomy in less-than-advised ways to the public, it's a potential recipe for disaster. Some have seen these reports, events, and warnings and received the message; Toyota, Ford, and Mitsubishi are all working on building better firewalls for your car, as well as challenging white-hat hackers to see if they can break encryption, find data weak points, or locate and strengthen the security for backdoor access in their respective automobiles’ operating systems. Patches to a vehicle’s software are also quite common, though that doesn’t address the initial weak points of a system’s architecture.
Though we can’t halt the progression of connectivity, we can and should be doing much more from a security standpoint. Manufacturers need to get serious not just about a system’s in-vehicle architecture but also about the phone-based applications that are becoming increasingly common and capable. Pretty soon, nothing less than people's lives will be at risk.