Connected cars are not the security problem we have been told they are. There are more important issues to focus on.
In the past two decades, we have heard stories about how researchers have “discovered” security flaws in cars. Marketers, journalists, and script writers stoke fears of a car being hijacked to kidnap or kill the occupants of the car. The problem is, outside of security research, it’s never been done. There’s a good reason for that. It’s difficult to do with little upside for the attacker.
The concern for “virtual” carjacking began back in 2013 when Charlie Miller and Chris Valasek, demonstrated how they were able to spoof fuel levels and vehicle speeds, trigger the pre-collision system, take limited control of the electronic power steering system, honk the horn, tug at the driver with the seat belts, and even deactivate the brakes. However. to do that they had to dismantle the dash of the car and plug a laptop directly into an electronic control unit (ECU), “remotely” controlling the car from the backseat.
Much was made of a 2019 hack by Tencent researchers in China of a Tesla in self-drive mode, but what has been ignored by the press since then was that the “hack” merely involved placing orange dots on the road to fool the car’s sensors into thinking there was another lane. The experiment had nothing to do with actually hijacking the car electronically. It merely demonstrated that the Tesla AI was flawed (which was not news then or now).
Last year, another group of researchers found that they could get a group of electric scooters to sound their horns simultaneously via a Bluetooth connection. However, other than making the scooters annoying, it was not dangerous to drivers or pedestrians.
In every reported experiment, researchers needed physical access to upload code or had to be within range of Bluetooth sensors to access the systems. They couldn’t just hack a random car. That hasn’t changed and, to date, there are no reports of successful attacks in the wild. The reason may be the lack of motivation to hack individual cars or entire fleets.
Motive is lacking
Criminologists refer to three things that must be present to establish a crime: Means, opportunity, and motive. Cybercriminals have the means if they have the skills and tools, which are easily acquired. Weak security in a system provides the opportunity. Motive is something harder to come by and depends on the crime.
Cases involving ransomware, phishing, online fraud, and password cracking are mainly motivated by financial gain. In fewer cases, the motivation can be pranks, activism, cyber theft, and espionage. Cyberstalking, cyberbullying, trolling, and revenge pornography are likely to be motivated by hatred, and desire to inflict pain and harm to either known or unknown individuals, groups or communities. But in all cases, having a successful outcome is more important than how the crime is committed. That is what limits the potential for virtual carjacking.
If you want to sabotage a car to intimidate, injure, or kill someone, there are easier and cheaper ways to do it that don’t involve hacking a car or multiple cars. Same with fraud, theft, and stalking.
VicOne, a division of Trend Micro focusing on automotive security, reported in 2022 that security flaws in automotive systems “might lead to data corruption, systems or programs crashes, denial of service (DoS), and code execution.” However, it had no data on cars being taken over by hackers by anything other than researchers. After several weeks of research, Cyber Protection Magazine could find none, either, even though we have published stories that might inflame false concerns. In spite of all the publicity virtual carjacking is not the problem.
The real problem
“I think that’s a whole pile of BS FUD,” said Ian Thornton-Trump, CISO for Cyjax. “What is certainly not FUD is the connected car being stolen by replay attacks, loaded into a faraday sea container, or some other isolated environment, and stripped down for parts to be sold into the black market. There is more value in the parts than the working car. So the attacks that lead to stealing of connected, next generation, 5G cars will go on until the car manufacturers invest in far better security and introduce authentication, authorization, and encryption into the control systems.”
Auto theft and burglary are the most immediate concerns for car owners. There are devices available online for less than $50 (US) that can clone key fobs and other keyless devices like garage doors and digital door locks. https://arstechnica.com/information-technology/2015/08/meet-rolljam-the-30-device-that-jimmies-car-and-garage-doors/
Thornton-Trump pointed out that the biggest security threat in connected cars is the “autopilot” threat. “I mean who does not like an Instagram video of a dog driving a Tesla? But the problem here is people doing stupid things for likes and shares plus every Tesla that crashes and/or explodes is a “machine learning” experience. If the data from each catastrophic event is input into a neural net and the ML is trained to figure out the least-worst option then all the other Teslas benefit from the Tesla that gave its life in the name of profit … er, progress.”
All of that pales in comparison to what havoc is done to the automotive supply chain with a common ransomware attack. We’ll get into that in the next article.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.