Your Carmaker is Hacking You!

Although some people think that hacking modern cars rather belong to Hollywood scenarios, we advise you to take preliminary measures and prevent bellicose surprises.  

MERCEDES has recently sparked a privacy row by admitting it spies on drivers with tracking devices covertly installed in its cars. The secret sensors, fitted to all new and used cars sold by the firm’s dealers, pinpoint the vehicle’s exact location. The carmaker admits sharing car owners’ information and vehicle location details with third-parties dispossessors and recovery firms who repossess the cars.

What a paradise for surveillance agencies as the Central Intelligence Agency (CIA) wasalready “looking at infecting the vehicle control system used by modern cars and trucks. The purpose of such control is not specified”. Though Mercedes says they do not sell tracking information but the location sensors fitted by the carmakers can be used by surveillance agencies to breach the customers’ privacy. 

Nonetheless, Mercedes and other carmakers having similar practices can decide to make additional business by selling the location and other data to the third parties, notably to the marketing companies.

Insurance companies would also pay decent amounts of money to learn about the car owner’s driving habits such as average driving speed, parking locations, and the like.

Hacked by your car dealer

Modern cars are stuffed with computers, which are regulated by the Controller Area Network (CAN) protocol. It is built on the principle of a master control unit, with multiple slave devices. These slave units are, for example, car lights, audio system, steering wheel, or breaks. No wonder that it is common to refer to modern cars to as computers on wheels.

Having access to your car’s computer system means that the carmakers can control your car on the premise and remotely. But you can also be hacked by your dealers. It seems that we should be more worried about dodgy dealers than one-off hackers with criminal intent.

Compare to a complex remote hacking, the CAN bus protocol is far more vulnerable when physical access is granted to your car. That typically happens when we take our vehicles for regular services or repairs.

By Accessing the On-Board Diagnostic (ODB) port of the car’s computer system, a mechanic is able to modify parameters such as the odometer count or the service schedule of certain parts. These are, however, Mickey Mouse games compare to the possibility of inserting a malicious algorithm that opens a back door for remote hacking and controlling of your car.  

Hacked by an expert

Tracking your car by the car manufacturer or dealer can serendipitously allow skilled hackers easy access to the targeted victim’s car. In this case, not just will privacy be breached but security will also be jeopardised. This hazardous hacking practice has already been reported by researchers and security practitioners.

Which parts of a car can be remotely controlled? Well-known researchers Miller and Valasek confirmed that the following part of modern cars can be remotely controlled:

  • Radio
  • Digital display
  • Air conditioning
  • Windshield wipers
  • Wiper fluid
  • Transmission
  • Brakes

The researchers particularly stressed that the last two are especially frightening as “from anywhere in the world, a maliciously minded person could hop on the Internet and disable a car’s transmission, rendering it un-driveable. Or its brakes, rendering it… Scrap metal”.

Protecting your security

Some car manufacturers told recently the NBC news that protecting vehicle access and security continue to be top priorities. But can we solely rely on this promise? We would not bat on it – not yet.

For building a seasonable security environment, we suggest that you regularly check if your car’s computer system is up-to-date. If not, update it immediately, but definitely before you commence driving.

The FBI has released a warning to drivers about the threat of over-the-internet attacks on cars and trucks. The agency suggests staying aware of any possible recalls that require manual security patches to your car’s code, as well as avoiding any unauthorised changes to a vehicle’s software. Also, be careful about plugging insecure gadgets into the car’s network.

Cybersecurity researchers Miller and Valasek suggest further security steps:

  • Store your keyless remote in the Faraday bag as this bag prevents thieves to break into your car by amplifying the signal from your keyless remote controller.
  • The steering lock can be also used to prevent car theft.
  • Turn off your car’s Bluetooth and Wi-Fi when not in use as an open wireless connection could allow criminals to walk up to an unpatched car, connect to its entertainment system, and take control of one or more parts of the vehicle.
  • Hide your car’s Wi-Fi password as leaving it visible could expose you to attack if your car is ever broken into.
  • Scan USB drives before plugging them into your car since an infected USB drive could contain malicious code designed to compromise your car.

If you think that someone has hacked (or tried to hack) your car, you should immediately contact legal authorities and your car dealer. They should be able to give you further advice.

In regard to protecting the CAN protocol of your vehicle, the Airbus Defence and Space researchers Arnaud Lebrun and Jonathan-Christofer Demay suggest that verification and transparency could be a solution. This entails an audit log that could assist in assessing the risks to any unauthorised changes to our vehicle.

Governments join the game

In 2016, the US Department of Transportation introduced cybersecurity best practices for modern vehicles. The Department urges carmakers and the service providers to follow the National Institute of Standards and Technology’s (NIST) cybersecurity framework.

The European Union Agency for Cybersecurity (ENISA) also published Cybersecurity and Resilience of Smart Cars in 2017, which provides a list of recommendations, which includes a focus on communication protection, access control, cryptography and user data protection.

A while ago, the UK Department for Transport has also issued cybersecurity principles for smart car manufacturers and retailers. The principles, aimed at preventing hacking and data theft include, among others, accountability and training.

Other governments are also contemplating similar regulations.

And it’s all up to you

Instead of a conclusion, we would like to remind you that, although some people think that hacking modern cars rather belong to the Hollywood scenarios, we advise you to take preliminary measures and prevent unwanted surprises.

Leave a Reply

Your email address will not be published. Required fields are marked *