Tackling Car Hacking With Software

Article By : David Barzilai

Car theft via keyless entry is becoming a headache for insurance companies.

Connected cars are a lucrative target for hackers. Such cars have bult-in internet connectivity, Wi-Fi, and Bluetooth interfaces, and they are equipped with sensors and cameras that enable cars to offer increasing levels of autonomy, from self-parking to lane correction to autopilot features. According to Statista’s research, 237 million connected cars were sold and operated by the end of 2021.

Each of those interfaces can be used by hackers to infiltrate the vehicle and run malicious activities, from switching the vehicle lights on and off to remotely turning on the engine and even stopping the vehicle entirely. Worse yet, because the vehicle models use the same hardware architecture and software version, when hackers identify a vulnerability that enables them to hack one vehicle, they can exploit all vehicles of the same car model by repeating the same attack.

For example, when a Jeep Cherokee was hacked in July 2015, Chrysler was required to recall 1,400,000 vehicles that use the same infotainment that was hacked.

Electric vehicles have increased car-hacking possibilities. EVs offer a modern user experience, which is based on richer software (i.e., more lines of code, meaning more vulnerabilities) and a dynamic way to update software.

Over-the-air updates represent a backdoor into the heart of the vehicle—the gateway and the advanced driver-assistance system (ADAS). Both devices have access to the vehicle’s safety systems and offer a direct path to remotely stopping the car while driving.

Years ago, car hacking was done by heavily funded teams. The Jeep Cherokee hack mentioned above was performed by a skilled tram funded by the NSA. In 2017 and 2018, hackers at the Tencent unit called Keen Labs showed how they stopped a Tesla car remotely.

With EVs’ increased adoption, we are seeing car hacking becoming more prevalent. Stealing cars by exploiting keyless entry vulnerabilities is becoming a headache for insurance companies. But more importantly, small teams and individuals are publishing how they have succeeded hacking electric and connected cars.

EV attack surface (Source: Karamba Security)

In April 2021, members of a small German team showed how they used vehicles’ Wi-Fi to infiltrate a car. In January, a 19-year–old teenager shared how he remotely hacked 21 Tesla cars in 15 countries, turning their headlights on and off and switching their engine on. In May, a U.S. hacker blogged how he hacked his Hyundai IONIQ car.

Risks are piling up. Regulators have issued rigid regulations, which require vehicle original equipment manufacturers (OEMs) to adopt strict cybersecurity standards throughout the vehicle life cycle and impose such standards on their suppliers.

OEMs and suppliers must prove that they conduct threat analysis and risk assessment during the product design phase, penetration-test their products before release, and monitor their cars in production to detect attacks.

Despite reducing attack surfaces thanks to such activities, cars remain vulnerable to widespread attacks.

Luckily, cars are more IoT devices than mobile phones. Software inside and applications on mobile phones can be dynamically changed by the end user. But cars are closed systems that run according to manufacturers’ definitions.

As such, the vehicle’s critical systems—those that may be attacked—can be hardened and locked down against changes, which are not delivered by the OEM.

Such an approach entitles consumers to a greater level of protection against hackers. Attackers seek to manipulate the hacked device to remotely control it. Locking the device or providing alerts about unauthorized changes to the device (such as installing foreign code, i.e., malware) has proven to be an effective way to protect IoT devices and vehicle systems.

As an example, HP announced in July that it protects its business printers against cyberattacks with software that offers a lockdown mechanism.

Prior to that, Alpine (a high-end vehicle infotainment supplier) announced a similar mechanism to protect its end customers. Adding such lockdown software enables EV OEMs and suppliers to block hackers’ infiltration in an effective way, and it is completely seamless to the end user.

Consumers can do little to prevent cyber-hacking of their cars. So it is up to automotive OEMs and suppliers to comply with cybersecurity regulations and to adopt state-of-the-art software lockdown mechanisms to harden vehicles’ attack surfaces.


This article was originally published on EE Times.

Subscribe to Newsletter

Leave a comment