Cars, trucks, and SUVs are smarter and more connected than ever. You can’t find a new vehicle without built-in Wi-Fi, GPS tracking, and satellite radio — and those are just the features that come standard. These features are incredibly convenient, but as with any networked system, they create new vulnerabilities. In turn, that makes these vehicles potentially susceptible to hacking.
Is vehicle hacking a real threat? What can manufacturers do to protect the people who drive their cars?
The growth of automotive IoT
The Internet of Things (IoT) is quickly shaping every facet of modern life. Once limited to computers, networked devices are now appearing in everything from appliances to smart lightbulbs that you can control with your mobile phone. This technology is also influencing newer vehicles. Two decades ago, if you could find or afford a car with a CD player, you counted yourself fortunate. Today, CD players have been replaced by Bluetooth-enabled stereo systems, satellite radio and integrated GPS systems.
The automotive IoT industry is growing by leaps and bounds. It’s projected to be worth $82.8 billion by 2022, climbing from $20 billion in 2016. If you buy a new car, regardless of the make and model, you’ll have some form of networked technology at your fingertips when you’re behind the wheel. Unfortunately, one thing to remember is that hackers are always looking for ways to exploit these connected systems.
White hat warnings
In 2015, white hat hackers released a warning. Jeep Cherokees had a new and previously unobserved vulnerability that would allow someone with malicious intent to control the vehicle. They could change radio settings, alter the climate control, and even shut the Jeep off entirely while it was on the road. Security experts demonstrated this hack under controlled conditions, but it’s still terrifying to think someone miles away could control your vehicle.
Jeep released a firmware update soon after the demonstration, patching the exploit the white hats had used. With every fix that hits the market, though, hackers seem to find another backdoor to walk through.
In 2017, another security enthusiast found a vulnerability that allowed him to access data from Tesla Superchargers. Tesla was unhappy that he released the information, though they did eventually pay him a bonus for discovering the vulnerability before someone else could.
These are just two examples. In 2019, there were 150 documented automotive hacking incidents, from a massive data breach that leaked information from 3.1 million Toyota owners to an attack that targeted military troop transports. The smarter these vehicles get, the more vulnerable they get. Cybersecurity teams must be more vigilant to keep everyone safe on the road.
Integrated app vulnerabilities
It isn’t just the vehicles themselves that are vulnerable to hacks. GPS services like Protrack and iTrack come with a default password that users are supposed to change to improve application security. Unfortunately, most users neglect this step, leaving them vulnerable to an attack. Accessing these accounts could allow hackers to shut the vehicles off entirely if they’re stopped or driving at speeds less than 12 mph.
This vulnerability isn’t limited to automotive IoT devices. The 2016 DDoS attack that took down a large portion of the internet got most of its power from a botnet made up of unsecured IoT devices. These were all accessible because the owners didn’t change the default password that came with the devices.
Shops and networked fleets are all potentially vulnerable, especially if IT professionals don’t take time to do something as simple as change a default password.
One of the most popular growing trends is the push toward creating fully autonomous vehicles capable of driving themselves to and from your destination. These cars and trucks are already starting to appear on highways around the globe, though they aren’t yet fully autonomous. Even now, they rely on constant networking and communication with central servers and other smart cars on the highway to navigate the roadways safely.
As we’ve mentioned, there is always the risk of a security breach with any networked system. While it might not be as much of a safety risk for today’s commonplace low-level automation, once we reach level four or five automation where vehicles are essentially driving themselves, it could be dangerous or even deadly. Cybersecurity will be a priority as more self-driving cars hit the highways.
Hacking and thefts
Hackers are targeting more than just the vehicles themselves. The push toward keyless entry and push-button starts has also created a new door for hackers to walk through. It’s easier than ever for hackers to steal the necessary frequencies to unlock and start your smart vehicles and drive away with them. Some of these hacks are simple. One method uses an amplifier to strengthen the signal coming from the key fob in your house so it’s enough to reach the car in your driveway.
Others are more complicated, capturing the frequency the fob uses to communicate with, so the hacker can make off with the vehicle at their leisure.
While not as dangerous as having someone take over your vehicle while you’re driving it, this is another backdoor hackers can use to access your car and potentially put you and your investment at risk.
The future of vehicle hacking
Vehicle hacking might not be as big of a problem as traditional car theft, but as cars get smarter, the risk will continue to grow. It’s up to automotive manufacturers to take the necessary steps to protect their drivers and passengers from potential hacks.
No system will ever be entirely hack-proof — as soon as you create a hack-proof system, you’ll create better hackers. The point is to make it so that hacking into one of these vehicles isn’t worth the effort — and to ensure that any identified vulnerabilities get patched and repaired as soon as possible. Hiring skilled hackers and security experts can help these brands get ahead of any potential vulnerabilities, protecting their drivers, and keeping everyone else on the road safe.
Last Updated on February 3, 2021.