Connected Cars Security Hacks: Hype or Real Cause For Alarm?

Dror Liwer Blog

In many ways the connected car was the automotive industry’s answer to the smartphone. This was an attempt to innovate and offer game-changing features which would make our lives more convenient and connected than ever before. And while these cars have done just that, they’ve also exposed us to vulnerabilities we never could have imagined. After all, who would have thought a car could be hacked?

It’s questionable whether even the biggest and most reputable car manufacturers saw that coming. And with Chrysler recently recalling over 1 million vehicles following a security breach, it seems much of the industry is in shock. While disconcerting, there’s no need for mass hysteria. What car owners need now more than ever is some perspective.

The reality is that car hacking is nothing like carjacking. In fact, in almost all the recent white hat attacks the hackers were unable to steal the car. But what’s even more significant is that there are no recorded instances of malicious car hacking by anyone other than researchers and white hat hackers. That begs the question: would someone go to the trouble of hacking a car solely to cause havoc?  

What’s all the fuss really about?

Several car manufacturers have had security vulnerabilities in their vehicles exposed recently. However, perhaps most notorious of all was an attack on a Jeep Cherokee. This experimental hack proved that it would be possible to take control of the car’s dashboard, manipulating everything from the windscreen wipers to the brakes, and that it could even be used to shut the car down remotely while it was being driven.

The attack was carried out by Charlie Miller, a Twitter security engineer, and Chris Valasek, a vehicle security researcher, who have been working closely with Chrysler to improve the company’s security features. In fact, it’s as a result of this team’s work that Chrysler has recalled many vehicles. The company has also issued a patch which could give cars added protection. Unfortunately, this needs to be manually implemented, meaning many cars will remain vulnerable.

This attack was carried out by exploiting a weakness in the car’s Uconnect service. Uconnect relies on a wireless internet connection to control the car’s entertainment system and navigation, and offers other features like phone calls. Interestingly, Chrysler released a statement to the effect that this security breach required extensive technical knowledge and time to both write the code and implement it. There is nothing unique about this attack. In 2011 a group of researchers carried out something similar, remotely disabling the brakes and locks on a sedan.

The other attack worth noting affected BMW and Rolls Royce cars. The security breach exploited the cars’ Connected Drive software, which lets drivers open car doors using a smartphone app. Researchers were able to exploit this software by imitating BMW servers and in that way were able to trick the car into unlocking the doors. This was largely because the data sent between BMW servers and the car was unencrypted and thus easy to intercept and copy. It is believed that more than 2 million cars were left vulnerable by this security breach. It has since been fixed, and now all interaction between BMW, the car and the driver’s smartphone is encrypted using the SSL standard.

What makes the Chrysler and BMW attacks so terrifying is that they highlight where hacking is headed. Unlike the attack on GM’s OnStar dashboard system, which required a device to be hidden under the car’s bumper, the other attacks were carried out remotely. As technology continues to advance, so too will the nature of the attacks.

Confronting the misconceptions

People are afraid. There’s no denying it. A recent survey conducted by Kelley Blue Book found that of the 1,134 people surveyed, 41% said they were likely to take the latest string of hacking incidents into account when purchasing their next car. But for many of those surveyed it goes beyond that with 33% indicating that they saw cyber attacks on cars as a “serious” problem. When you consider that and the fact that 58% of those surveyed don’t believe a permanent solution to car hacking will ever be found, the outlook is rather bleak.

But is that the reality of the situation? So far there’s not a single reported incident of malicious car hacking. All the attacks were carried out by people connected to the cyber security industry. Miller and Valasek admitted that their first car hacking stint in 2013 didn’t get the attention they had hoped. They realized that to make car manufacturers act they would have to pull off a showstopper. Their Chrysler hack, while terrifying, did the trick. And just like the attack on BMW and GM, they proved that cars are more vulnerable to attack than ever before.

An attack like the Chrysler hack took three years of intensive research, tons of skill and some pretty decent funding to carry out, something the average hacker doesn’t have access to. There was nothing quick or on the fly about any of the attacks. Miller and Valasek have since published some of the code they used for their attack. While they claim this code can’t be used for anything other than pranking a driver or hijacking the car dashboard, it could cause serious damage. With this code now freely available, who knows what malicious hackers will do with it.

What does this mean for us going forward?

Our increasingly hyperconnected lives are making us vulnerable to attack. What many don’t realize is that every connectivity feature we use, whether it’s Bluetooth controls, a smartphone or car, can potentially be exploited by hackers. While cars may be riskier in some senses, hackers still haven’t found a way to exploit these vulnerabilities to their benefit. But it’s just a matter of time.

Perhaps all this is a much-needed wake-up call. It has certainly made the automotive industry act, with more and more car manufacturers taking steps to combat security breaches as quickly and efficiently as possible. However, this is not enough. The industry needs to tighten up on security and start implementing preventative measures. The same applies to any devices and gadgets that make use of a network in some way. The IoT industry, for example, is particularly vulnerable, with easily exploitable networks waiting to be compromised. The reality is that those that fail to take cyber security seriously are bound to regret it in the near future.