I have worked in the auto industry for over 27 years for both OEMs and Tier 1s. Now I'm a Principal Consultant at Kugler Maag Cie helping companies improve their product development.
Former coworkers used to bet the Over/Under of how many times the picture of a hacked Jeep would appear during a given day of an automotive cybersecurity conference. FCA is and has been the poster child of cybersecurity for six years since NHTSA’s forced recall, and all the king’s men would point their disdainful fingers at them from their proverbial glass houses. “None of us want to end up like those poor suckers.” But here’s the nasty truth: nearly every manufacturer has been hacked. “We have seen a general increase in attacks,” says Daniel Lewis, CEO and Co-founder of Awen Collective. “Over the last twelve months around 70% of large industrial enterprises have received at least one cyber attack.” According to Upstream’s latest report, there was a 99% increase in cybersecurity incidents (150) in 2019 with a year-over-year 94% increase since 2016. Many such cybersecurity reports have gotten minimal attention, and society is collectively, wholly-ignorant about how many clandestine auto hacks have truly happened. Insurers are just awakening to the seriousness of the threat, and some are wondering if auto cybersecurity is a national defense issue. Executives of all automotive companies will be faced with financial decisions later this year as the United Nations Economic Commission for Europe (UNECE) makes certification mandatory and a new joint SAE/ISO standard is officially released. How many threat models, audits and assessments must they do? How much protection is sufficient? Given that new threats are constantly emerging, how long to they keep reexamining designs? “We have seen susceptibilities all the way along the supply chain,” states Lewis. “There has been some Intellectual Property theft from Industrial Research and Development groups, hacks into manufacturing operations, customer data theft and even the electrical charging networks are susceptible.”
And, in the midst of deciding the financial tradeoffs, do those engineering and marketing leaders realize how lucky they are that their brands haven’t been deemed the poster children? 80% of automotive customers say they wouldn’t buy from a hacked company, which means the majority of the market would be driving an AMC, Tatra or DeLorean since those brands went defunct before cybersecurity became a reality. “At some point a brand will experience a massive hack,” says an automotive executive who prefers to stay anonymous. “And when they go bankrupt, that will be the true wake-up call.”
So to support the claim that all brands need to gear-up in advance, here is a list of the Top 25 automotive hacks listed chronologically by when they were conducted or announced, and each made this list based upon being significant or interesting:
Hack #1 (2002) VW, Audi, Porsche, Ford: 2002? Really?? If this started that far back, why did the national conversation wait another 15 years? These hackers, though, were actually being hired by aftermarket consumers to reprogram powertrain calibrations for more aggressive performance.
Hack #2 (2005) Chrysler, BMW, GM, Nissan: Thanks to a few Car Whisperers, Bluetooth could be hacked as you passed by, which allowed for listening to conversations or downloading contact information.
Hack #3 (2007) All Brands: Getting a little sick of hanging out in traffic? Inverse Path hacked into a radio-based traffic feed and could seemingly close European roads, thereby diverting traffic away from a given highway.
Hack #5 (2010) General Motors: This is possibly the most interesting hack since GM was afforded five, quiet years to fix a vulnerability where a bad actor could have “…basically [had] complete control of the car except the steering.” GM didn’t experience the same rapid-fire recall as Jeep since researchers at The University of California at San Diego and The University of Washington informed General Motors privately of the vulnerability. And, yes, if you read enough of these articles, you’ll see a theme: “Security experts say hacking a vehicle is easy.”
Hack #7 (2010) All Brands: Be thankful for these [white hat] researchers since they hack for the sake of the public good. This time researchers could disable the brakes among other things. Granted, there would need to be a connected dongle plugged into the service port, but that luckily doesn’t exist in mass quantities for another decade.
Hack #8 (2013) Ford & Toyota: Our boys (Miller & Valasek) engage Andy Greenberg (formerly of Forbes) for the first time, and take a Ford and Toyota for a ride. This one is wired to the vehicle – not wireless – and they show the ability to truly futz with the overall system. This hack is wholly ignored since … well … what hacker gets to sit in the backseat of a car?
Hack #9 (2013) Volkswagen, Porsche and Lamborghini: A group of Dutch and British scientists release an academic paper showing how to hack multiple brands, and the High Court of Britain immediately imposes an injunction to stop further publishing of the paper since wirelessly unlocking the vehicles was too easy.
Hack #10 (2014) Honda: This was a remote, moving target … not much unlike FCA. Yet, no recall. “All of these parts can be bought online for relatively cheap.” The hackers could control most of the vehicle.
Hack #11 (2014) BMW: Kaspersky Labs does a full threat assessment of the BMW ownership experience (e.g. websites, app’s) and finds serious vulnerabilities including opening and starting the car.
Hack #12 (2014) Ford, BMW, Vehicles With Push-Button Start: “Secure My Car” shows how smashing a window and plugging something into the service port allows a thief to disarm the security and start disarm security and start the vehicle.
Hack #13 (2015) Obscured Brand: DARPA and 60 Minutes obscure the make and model, but not the scary effects. Anyone recognize this car? Leslie Stahl and her connected vehicle should be deposed.
Hack #14 (2015) Chrysler: The infamous attack. This was the quickest recall in NHTSA history, and even got the attention of John Oliver. Why? Probably first and foremost since Miller and Valasek — who went on to become legends — were able to remotely disable the throttle of a vehicle.
Hack #15 (2015) Tesla: Down the hall from the Chrysler room, Tencent was revealing at the DEFCON conference that they had successfully hacked into Teslas. Why didn’t this make the news? Tesla had already updated their vehicles to eradicate the vulnerability.
Hack #17 (2015) VW, Honda, Audi, Hyundai, Kia, Porsche & Volvo: Millions upon millions of vehicles are vunerable to theft by a thief recording and reusing the keyfob’s communication. This one would’ve been higher on the chronological list (2013) if the British court didn’t yet again interfere; two years of being kept quiet!
Hack #18 (2016) Nissan: Halfway across the world, a hacker took charge of a Nissan Leaf in the north of England from a poolside in sunny Australia, which included controlling most of the instrument panel and stealing location history from the onboard computer.
Hack #19 (2016) Mitsubishi: The Outlander’s car alarm has an outlandish vulnerability: via hacking the vehicle’s WiFi an attacker can disable the security of the vehicle.
Hack #20 (2016) FCA: A real-world incident that was caught on a security camera by accident. The hacker just walks up, let’s himself electronically into the vehicle, starts the vehicle and drives away. He is now the (proud?) owner of a Jeep.
Hack #21 (2016) FCA: Miller and Valasek go after FCA again, but now show they can accelerate and steer the vehicle. Then they ironically control the cruise control.
Hack #22 (2016 & 2017) Tesla: The Chinese get into the act two years in a row and, once again, Tesla cleans up the mess in a seriously quick time.
Hack #23 (2017) Hyundai: The Blue Link app contained a vulnerability where hackers could enter via insecure Wifi and obtain private user information and start cars remotely.
Hack #24 (2018) All Brands: Just when the OEMs felt they had released a secure vehicle, Calamp releases a misconfigured server in 2018 that provided open access to more than 1.5 million IoT devices provided by Viper SmartStart, thereby allowing unwanted location of vehicles, password resets, door unlocks, alarm disables, engine starts and vehicle thefts.
Hack #25 (2020) Ford, VW: The consumer group “Which?” exposes security flaws that range from remotely exposing private, customer information (e.g. location history, contact info) to disabling the traction control system.
Believing “it’ll never happen to us” is the easiest and least expensive path for any company. History has shown, though, that attacks have happened to everyone. “The likelihood that someone attempts an attack on any vehicle is essentially 100%,” states Bonifaz Maag, Co-founder and CEO of Kugler Maag Cie. “Doing threat modeling, assessment and audits are wise investments to mitigate attempts turning into realized threats to a business or life.”