The rise of automotive hacking & the vulnerabilities of modern vehicles

What is automotive hacking?

Automotive hacking or cyber carjacking is when malicious actors gain unauthorised access or control of a vehicle's electronic systems and networks. Hackers have been known to exploit vulnerabilities in software, communication systems like Bluetooth or Wi-Fi and navigation systems. Automotive hacking can endanger drivers, passengers, and even pedestrians.

Why are modern cars more susceptible to hacking?

A modern car today has over 100 interconnected electronic control units (ECUs), countless lines of code and various communication protocols and networks. This makes them an open invitation for hackers to take full control of it. According to a computer science researcher from New York University, any car manufactured after 2005 can be hacked and remotely controlled.

The most infamous example is when two professional hackers, Kevin Mahaffey and Marc Rogers, showcased how they could take control of a Tesla Model S at the 2015 DEF CON hacking conference. That same year, cyber researchers Charlie Miller and Chris Valasek hacked a Jeep Cherokee and took remote control of it from a house 16 kilometres away using a laptop.

The incidence of automotive hacks increased by about 225% in the last five years, and remote attacks accounted for about 85% of all breaches, according to the latest Upstream Global Automotive Cybersecurity Report.

Types of automotive hacking

Here are the most reported types of automotive hacking.

Key fobs

Most cars have some keyless entry or a smart key system convenient for everyday drivers and malicious actors. Hackers are known to often use a method known as a relay attack, which intercepts signals from key fobs and transmits them to a car to unlock and drive away with it if doesn’t require key ignition. Some hackers also use car hacking devices to unlock vehicles. These are readily available online and on the dark web.

Mobile apps and remote control

Mobile apps are integral to our everyday lives and can now unlock car doors and start car engines. However, poorly secured mobile apps are the perfect entry point for hackers. By exploiting vulnerabilities in these apps or their associated cloud services, hackers can remotely control a vehicle's functions, such as unlocking doors or disabling safety features.

Wi-Fi and Bluetooth vulnerabilities

Most modern cars have wireless connectivity through Wi-Fi and Bluetooth for services such as hands-free calling, music streaming, and over-the-air updates. However, these wireless technologies also serve as entry points for hackers, enabling them to control your vehicle remotely. If these wireless connections are not adequately secured, hackers can exploit a tiny flaw in a car's Bluetooth implementation to establish a connection and potentially control certain functions or even inject malicious code into the vehicle's system.

Hotspot attacks

Vehicles with Wi-Fi hotspot capabilities can be vulnerable to attacks if the hotspot's security is compromised. If a hacker gains access to the Wi-Fi hotspot, they might use it as an entry point to target other connected devices within the vehicle like your phone, tablet, and laptop. They can also exploit vulnerabilities in the vehicle's internal systems, which control its operation. A compromised hotspot can provide hackers with a gateway to manipulate various functions like navigation and potentially critical vehicle systems.

GPS spoofing

Hackers can jam your car’s built-in Global Positioning System (GPS) by broadcasting fabricated GPS data and feeding the receiver false time or coordinates. This technique poses threats in various contexts, from disrupting navigation systems and causing inaccurate mapping to remotely manipulating the movement of your car or even aiding criminal activities.

Server hacking

The central servers of automotive companies are also a goldmine for hackers as they contain rich data about mobile apps, sales data, and customers’ information, including their personal and financial details. Cyber criminals can exploit vulnerabilities in software, weak passwords, or other security gaps to gain control of servers. Once breached, they can steal sensitive information as part of a ransomware attack, install malicious software, or disrupt services. Server hacking jeopardises data integrity and user privacy, and can lead to downtime, financial losses, and reputational damage for car manufacturers.

USB port exploitation

Hackers use your car's USB ports as a gateway to its electronic systems which control ignition, sound, navigation, etc. For example, a malicious actor could insert a specially crafted USB device that contains malicious code into a car's USB sockets to gain control over various vehicle functions. In some cases, hackers might target ECUs with USB ports, potentially compromising safety features or taking control of the vehicle.

How to prevent automotive hacking

Here are some steps to secure your vehicles against hacking.

Regularly update your car’s software: Check and update your vehicle's software regularly. Outdated or unpatched software is more susceptible to hacking.

Secure your internet connection with a VPN: Use a virtual private network (VPN) to shield your internet traffic, especially when your phone is on public Wi-Fi and connected to your car’s electronic system.

Limit your GPS usage: Avoid GPS spoofing attacks by using GPS only when necessary. Turn off your GPS when not in use.

Install a firewall: Install an onboard firewall to deter initial cyber attacks. An efficient firewall restricts communication to unauthorised parties for V2V and V2X interactions.

Use password protection: Make all your accounts password-protected to manage access to your car’s information and to prevent unauthorised logins.

Only use the manufacturer’s approved software: Only use software endorsed by your car manufacturer when customising your wheels. Third-party programs can expose your vehicle to risks.

A final word

Car manufacturers are aware of the potential vulnerabilities of their vehicles with electronic systems and constantly implement new security measures to mitigate the risks. However, it’s up to car owners to remain vigilant and up to date with the latest cyber carjacking threats. For more information on how to prevent automotive hacking, contact us at enquiries@xiphcyber.com.