Critical infrastructure

Vehicle hacking: A history of connected car vulnerabilities and exploits

October 5, 2021 by Graeme Messina

Vehicle hacks have become increasingly popular over the years. The Wired Jeep hack was one of those big splashy stories. Tesla and other models also had less publicized vulnerabilities. Tesla has a program where it rewards hackers for finding vulnerabilities.  

There is a rapid increase in cars connecting to the internet. Automakers are increasingly adding onboard features that require a connection to operate, from wireless phone charging to in-car entertainment systems.

Every time you connect to the internet, hackers can take advantage of new vulnerabilities. The prevalence of car hacking also makes it easier than ever for malicious parties to break into vehicles remotely.  The possibility exists for damage or injuries by doing things like speeding up or slamming on the brakes when they’re not wanted.

What are vehicle hacks, and how do they happen?

What exactly is a vehicle hack? Vehicle hacking is when someone takes control of your car or some of the car’s auxiliary systems remotely over the internet. 

Vehicle vulnerabilities have been exploited for many years, but new vehicle hacks are now possible thanks to the now-common internet capabilities of modern vehicles. They might do this by accessing your car’s computer systems through software like CAN bus, Bluetooth pairing, or via physical access to connectors and ports.

Technology advances have not kept up with the regulation of this type of vulnerability. Therefore, it is important to understand how vehicle hacks work, what is being done about them, and their potential impact on drivers. One of the most infamous car hacks was demonstrated in 2015 when two security researchers were able to kill the throttle to a Jeep

Other vehicle hacks include data breaches, such as the 2018 Calamp privilege assignment incident where user details were accessible via a misconfigured IoT server.

The history of connected car vulnerabilities

With the advancement of technology, our cars have improved as well. From wireless phone charging to in-car entertainment, more onboard features depend on a connection to function. Hackers are exploiting many new vulnerabilities that have resulted in vehicle hacking becoming mainstream.

Cybercriminals aren’t the only ones hacking cars. Several hacker and research groups are also concerned about the danger of connecting your car to the internet, causing it to be vulnerable to external attacks.

In 2016, Hackers found flaws in Tesla’s Model S, giving them the ability to control some of the cars’ systems. Tesla quickly patched those vulnerabilities via an over-the-air update, which is impressive considering that many vehicle manufacturers require that customers visit a dealership to have software updates completed. 

Types of attacks that have happened in the past

There have been many different types of attacks happening over the years, not just the example of the Wired Jeep hack or the Tesla Model S that we have already mentioned, although these are the most well-known ones. Tesla has introduced a Pwn2Own scheme that encourages cybersecurity testers to hack their systems with the hopes of winning a Tesla vehicle.

In most of these cases, the hacks were determined to result from a third-party system that a vehicle manufacturer uses as part of their systems. However, key FOB attacks are on the rise as well.

Key FOB hacks with relay attack units have been in the news over the years, such as units from Evan Connect. They work by catching signals from keyless entry vehicles and then relaying the intended unlock signal back to the vehicle. They are intended for personal use and security testing, but they can also be used for criminal activities, even though the devices themselves are not illegal.

Another key FOB attack procedure has been created by a security researcher that takes advantage of Tesla’s firmware update procedure. By using a series of hardware elements such as a Raspberry Pi and an old ECU module from a scrapped Tesla, attackers can read a victim’s key FOB ID from a safe distance and then clone that signature. A full video of this technique can be found here on YouTube.

The list goes on and on. The point here is that there are just too many vulnerabilities in connected cars (or Jeeps or BMWs) to discuss in this article. That being said, there have been a variety of interesting things happening around connected car vulnerabilities over the years.

Ways to ensure your motor vehicle is safe from hackers

Unfortunately, there are no guaranteed methods for protecting your vehicle from hackers that will work all the time. Instead, you will need to employ a series of safety measures that coalesce into a safety strategy.

  1. Keep your vehicle’s software up to date as much as possible. OTA updates are becoming more commonplace, so this doesn’t need to be a tedious process.
  2. Pay attention to advisories from your vehicle manufacturer, such as update notices and potential recalls. If your manufacturer suggests steps to correct potential security issues, it is always best to follow them.
  3. Be aware of your surroundings when you leave your car unattended. Please note any strange behavior from people nearby, and report anything suspicious as soon as you notice it.
  4. Protect your home Wi-Fi and systems. If your vehicle connects to your home Wi-Fi, it will be exposed to anyone connected to your network. Make sure that your Wi-Fi is secure and not open to anyone who tries to connect. Creating a separate hidden SSID for your vehicle is also not a bad idea if you take extra precautions. 
  5. Allow only certified, qualified and authorized people to work on your car. While unlikely, you don’t want to risk installing additional hardware into your vehicle that could allow hackers to connect to your system remotely. 

What to know about vehicle hacking

Vehicle hacking is a growing problem, and while many of the vulnerabilities have been fixed, there are still more that need to be addressed.  Car manufacturers have started offering over-the-air fixes (OTA), which efficiently ensures that customers can keep their vehicles updated with the latest security fixes.

Protecting yourself against hacks can be difficult. Even if you’re diligent and download all new software from your manufacturer, they may not have patched an issue in their code. As we have seen, not all vehicle hacks result in physical damage to the car or its passengers. Information can be accessed in some cases, which leaves users vulnerable to identity theft and fraud if enough confidential information is stolen.

 

Sources

Defensive Driving, https://www.defensivedriving.org/dmv-handbook/11-ways-your-car-can-be-hacked/

Wired.com, https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Venturebeat, https://venturebeat.com/2019/12/22/what-to-expect-from-car-hackers-in-2020-and-beyond/

Forbes, https://www.forbes.com/sites/stevetengler/2020/06/30/top-25-auto-cybersecurity-hacks-too-many-glass-houses-to-be-throwing-stones/?sh=2b5e9b4f7f65

Fortune.com, https://fortune.com/2016/09/20/tesla-security-bug-hack/

YouTube/Top Electric, https://www.youtube.com/watch?v=qms2ETqbrqw

Posted: October 5, 2021
Articles Author
Graeme Messina
View Profile

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.

Leave a Reply

Your email address will not be published. Required fields are marked *