Like technology itself, cybersecurity is ever-evolving and encompassing more areas of our lives, including transportation. Popular science fiction movies have led us to expect flying taxis and private space travel as the future of transportation. If that is going to become an eventual reality, the first steps towards that future are “smart cars” and automated vehicles.
Electric vehicles are expected to account for 58% of global passenger vehicle sales by 2040. The software and electrical components markets are also likely to face increased pressure and new challenges as they develop secure designs and equipment for these futuristic vehicles.
Of course, this progress has also attracted the attention of malicious actors. Electric vehicles are computerized systems just like any other, and they offer a wealth of user information and other data that make them lucrative targets for malicious hackers. Let us look at the types of cyber crimes that target modern cars and how drivers can protect their vehicles from these attacks.
Types of vehicle hacking
There are many well-known ways that attackers hack computer systems to access personal data. And as manufacturers add more Internet of Things (IoT) devices to their vehicles, the vehicles become more susceptible to similar vulnerabilities. This is because security mechanisms aren't yet equipped to match the relevant threats. Manufacturers and drivers should both be aware of the potential threats facing smart cars and automated vehicles.
Mobile app hacks
Automakers and app developers are turning mobile phone applications into vehicle remote controls, giving attackers new ways of accessing user information. In the last couple of years alone, Android has had to fix 75,000 mobile apps that exhibited vulnerabilities to cyber hacks. As these apps are commonly used in vehicles, this adds yet another way of exposing personal data.
Security researchers are starting to pay more attention to mobile hacks related to vehicles. Kaspersky found vulnerabilities in several apps that have been downloaded over a million times. Their research showed that these popular apps used by drivers lack even the most basic forms of security defenses. Criminals could trick users into providing them access to personal information. They could even use these low-security apps to lock, unlock and locate a car – and in some cases even turn on the ignition remotely!
In another startling example, a researcher found he could hack a Nissan Leaf electric car through the associated mobile app and the car’s vehicle identification number (VIN). The first few digits of a VIN are the same, referring to the brand, make of car, etc. The few unique digits at the end could therefore be brute-forced without too much effort, allowing a malicious hacker to control the car’s functionality remotely.
Malware in disguise
Other security loopholes in computerized car systems include unprotected Bluetooth devices and MP3 players. Attackers can use these as entryways, disguising a potential virus or malware as a music track and compromising the system when the user hits 'play.' This malware could also crawl its way through smartphone applications that use Bluetooth to connect with the car.
Besides the risk of hijacking, there are also rising concerns about the data and information collected about the drivers themselves. Habits, music tastes, and location data can be intercepted to build a pattern of a driver’s routine. It goes without saying that this scale of privacy violation could have wide-spanning consequences.
Server hacks can give attackers access to all the information from the app and the server system it's connected to. This would include all connected mobile applications, sales data and even the controls to secondary vehicles linked to it. This could lead to a fleet-wide domino effect affecting manufacturers, fleet management companies, and drivers.
A 2019 Toyota server breach, for example, exposed 3.1 million items of customer information. This attack came after the cybersecurity breach of Australian Toyota dealers, leading to multiple IT systems going down in the corporation.
Another recently discovered vulnerability involves an on-board diagnostic port found in most cars and particularly common in electric cars. The port acts as a central control, providing access to the car's entire management system. A remote attacker could intercept all data exchanged between the vehicle and the company's servers and gain control over the car's engine, posing a significant threat to the driver.
Measures to prevent automotive hacking
Those with cyber-savvy know that there are several necessary steps to take to keep a computer system safe. Unfortunately, despite the prevalence of electric vehicles, there is no governing body or standard protocol defining cybersecurity for cars. This puts the burden on drivers to look out for their own security when using their vehicles. There are a number of ways to turn smart cyber practices into secure habits, and your approach should be no different with your car.
Use secure APIs
Automotive vehicles use Application Programming Interfaces (API) to access third-party applications and software. It is critical to ensure these entry points are layered with security and authentication features. One way to do that is to use software like OAuth Device Flow which address cloud-based security vulnerabilities for car systems. It allows users to sign into their car's system through a secondary device, ensuring that the right user is in control of the system. It also integrates threat detection features and multi-factor authentication for greater security.
Additionally, before installing or logging in on a third-party app, it is crucial to ensure that the app has enough security measures to protect your data. Use virtual private networks (VPN) to create a more secure connection. VPNs offer multi-layered security and several protection protocols to provide anonymity to online users.
Turn off smart devices when not in use
Your car's connectivity ports including Bluetooth, mobile systems and music players provide services by picking up outside signals. Malicious hackers can easily intercept these signals to access your system. Make sure when you're not using these devices and that all of them are turned off if not altogether disabled. Eliminating these entry points will make your vehicle less susceptible to remote hacks.
Update your car's firmware
Just like with any computer system, updating your car's software is essential. Car manufacturers regularly introduce updates to vehicle software systems to fix issues and patch vulnerabilities, so remember to sign up for your manufacturer's update reminders and software patches. Over-the-air (OTA) updates are a modern way of delivering updates without connecting a device to your vehicle. It offers greater convenience and leaves users with no excuse for not updating their car's firmware.
Be vigilant when buying your vehicle
When buying your vehicle, ask as many questions as you need to feel comfortable with your purchase. Ask your manufacturer or dealer about the car features, how gateways are secured, which systems are/could be operated remotely, etc. It's always better to be clear on the terms before buying a vehicle to avoid dangerous and costly security breaches.
Staying safe on and off the road
Vehicular accidents are not the only threat when operating electric or autonomous vehicles. While the modern car has numerous benefits and conveniences to offer, it also means vehicle security has become more complicated. There is a plethora of vulnerabilities that are outside the driver’s control, and it's up to the manufacturers to lead the way in mitigating potential risks.
Vehicle cybersecurity should be the utmost priority for every manufacturer, dealer and driver. It is a multi-layered effort requiring collaboration and ongoing vigilance. Solutions should be flexible, secure and convenient across all ecosystems to maximize the security of the future of transportation.
About the Author: Gary Stevens is an IT specialist who is a part-time Ethereum dev working on open source projects for both QTUM and Loopring. He’s also a part-time blogger at Privacy Australia, where he discusses online safety and privacy.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.