Car hacking: public concern is high, but what’s the risk?

Ashley Coates

Most cars on the market today contain between 50 and 100 electronic control units, or computers, and many now come with apps capable of operating windows and locks; some can even summon the car remotely.

As vehicles become more “plugged in”, technology experts are concerned that the cars we are driving today could be susceptible to being hacked either directly through the car’s own systems, or through apps on mobile phones. It’s a particular worry for researchers looking at the progress of self-driving technology, as several models now come with some level of autonomous capability, which could be open to sophisticated hacking in the future.

Several hackers from cybersecurity firms have already shown they are able to wirelessly access cars that are on the market today, taking control over acceleration and braking, even steering in certain circumstances.

New research out this week suggests that this has become a worry for the public as well, with 59 per cent of respondents to a Satrak/YouGov survey saying they regard vehicle hacking as a future problem for connected vehicles.

Of the 2,000 people surveyed by YouGov, 40 per cent said they felt hacking is a “fairly serious” issue for new cars.

Asked about the brands they most trust to keep them safe, BMW and Mercedes came out on top, trusted by 29 per cent of those surveyed. The French carmakers Renault and Citroen fared less well, with only nine per cent of respondents saying they trusted those brands.

According to Dan Walton, MD of Satrak Plant Security, the firm organising the survey, car makers need to ensure that IT security keeps up with the pace of technological change.

“It’s important that people realise how sophisticated criminals are getting in regards to vehicle crime and thefts — whether plant, commercial or private,” he said.

“When we think about a car being broken into, we tend to imagine smashed windows and coat hangers being jammed into doors, but times are changing.

“Vehicle technology and security is like an arms race and it’s important that manufacturers keep ahead of sophisticated criminals who know how to undermine the security of a vehicle through its digital components.”

These risks were highlighted last month when researchers from the Russian cybersecurity firm Kaspersky Lab found they were able to hack nine variations of car-connected Android apps, giving them access to a range of onboard capabilities. Kaspersky say they were able to locate the cars, unlock them and activate the ignition in a few instances. The car apps that were hacked have been downloaded hundreds of thousands, if not millions, of times.

Viktor Chebyshev, a Kaspersky researcher who worked on the project, questioned why app developers were not providing the same level of security to car apps as that applied to online banking apps.

“Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible — one day they can act like normal adware, and the next day they can easily download a new configuration, making it possible to target new apps. The attack surface is really vast here.”

Two years ago, researchers Charlie Miller and Chris Valasek showed they were able to hack into the electronic systems of Miller’s Jeep Cherokee, and take control of certain key aspects of the Jeep’s digital functionality.

Miller and Valasek then took Wired’s Andy Greenberg out for a spin in their hacked Jeep, remotely switching on the air con, activating the brakes, reducing the throttle, operating the radio, even pasting a picture of themselves onto the vehicle's display panel.

The results of their year-long research were supplied back to the automaker, and resulted in Jeep’s parent company, Fiat Chrysler Automotive, issuing a software patch and recalling 1.4 million vehicles. In a statement, FCA said:

“The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.”

“No defect has been found. FCA US is conducting this campaign out of an abundance of caution.”

Last year, Keen Lab, a Chinese security firm, attempted a similar hack on a Tesla Model S, gaining access to the indicators, windscreen wipers, car seats, and the brakes. Tesla responded by quickly issuing a remote fix to their cars, which solved the problem.

“The issue demonstrated is only triggered when the web browser is used,” Tesla said in a statement.

“[The hack] also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.” In addition to employing a significant team of security experts, Tesla runs a scheme known as a "bug bounty programme", inviting security experts such as those at Keen to test their car's security, in return for cash prizes.

Kaspersky Lab say today’s threat from criminal car hackers, rather than well-intentioned "white hat" security researchers, is currently minimal, not least because the majority of cars on our roads are not yet equipped with the level of technology required to be vulnerable to a hack in the first place. But the use of connected cars is already increasing, with the number of cars connected to the internet by default rising from 2 to 151 between 2011 and 2016, according to the Kelley Blue Book.

“In several years the situation will be far more dangerous,” Kaspersky said in a blog post.

“What’s worse, the car industry is organised in such a way that manufacturers would probably be solving these fundamental problems for decades. So if we don’t want to lose the rush completely, it’s high time to act; fortunately, many manufacturers understand that as well.

“A criminal would have to study a lot of technologies and devices to hack a connected car. It’s a big and complicated task. That’s not all: they would also need to invest money into a car and some special equipment.”