Today’s cars have more in common with powerful computers than with their mechanical machine ancestors. And as more and more cars become internet-connected, cybersecurity has become a pressing issue for the automotive industry.
Most of the industry’s security efforts are rightfully dedicated to protecting the car’s numerous components. But as smartphones have become integrated into our lives, an entirely new type of vulnerability has been introduced, one that car manufacturers are much less accustomed to coping with. The apps that allow drivers to control their cars from their phones are a new entry point for attackers.
These apps let drivers execute various functions: starting and stopping the engine, locking or unlocking the doors, disarming the security system, and so on. They can also track the vehicle’s location using GPS.
Most of these apps don’t connect directly to the car. Typically, a cloud service takes requests from the app and forwards them to the vehicle via cellular link. The car trusts any request it receives from its cloud service, so it’s crucial that requests are initiated from the right person.
But smartphones and apps of all kinds can have vulnerabilities and unpatched security holes. If attackers were to compromise the car’s smartphone app, they could pass commands to the cloud service that looked as if they had been issued by a legitimate user, and the car would obediently follow them. They could unlock the vehicle, start it up and drive it away, all without ever needing to break in. On some models, they could even preset the A/C and music for their trip.
This is a major change for car companies, because the security of the vehicle depends on the security of components that are totally separate from the car itself. The security of the smartphone determines the security of the car.
Say, for example, you’re putting off your smartphone’s latest update. Or, say you’ve accidentally installed a malicious application or entered your login info to a scam website. It’s not just your personal information that’s at risk: it’s now your car as well. But that is not the worst-case scenario.
There’s a bigger concern here. If a hacker managed to compromise the app’s security, this attack could be replicated to all users of the application, granting control to tens of thousands of cars through the cloud service.
Online marketplaces already exist for email-scamming tools and fake-website kits, so it’s not a leap to imagine a hacker operating a service that unlocks an app user’s specific car on demand. Or worse, a hacker could remotely start the engines of thousands of cars, many of which would be in unventilated garages, resulting in serious injuries and potentially death.
This issue is far from speculation; we’re beginning to see these types of attacks already. One hundred drivers in Austin, Texas found their cars disabled or their horns honking out of control after an intruder ran amok in a web-based vehicle-immobilization system. And just recently, a British car owner woke up to a missing vehicle after two hackers used an iPad to unlock it and drive it away without the owner’s key fob. While each of these attacks relied on its own vulnerability to gain access, the risks will continue to grow as more and more functionality is added to smartphones.
Protecting cars from cyber attacks will remain the responsibility of car manufacturers, but we should keep in mind that vehicle thefts and attacks may soon no longer require physical access to the vehicle or its components.
Manufacturers should take note of the risks involved and protect their apps from reverse engineering and tampering. Strong user authentication and protection of application keys are important. After all, keeping users’ credentials safe from theft should be a grave concern to auto manufacturers, just as it is to us, the users.
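As an added illustration of two of the points above (the cloud service that forwards app requests to the car, and the call for strong user authentication and protected application keys), the following Python sketch is not from the article or from any manufacturer's code; the account names, the VIN and all key material are constructed. It contrasts a gateway that accepts any command carrying a key shared by every copy of the app, which is exactly the kind of key an attacker who tampers with the app can extract, with one that issues a per-user session key at login, requires each command to be signed with it, and checks vehicle ownership, freshness and replay before forwarding anything to the vehicle.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data: which account owns which vehicle (hypothetical VIN).
VEHICLES = {"VIN-EXAMPLE-001": "alice"}

# --- Weak design -------------------------------------------------------------
# One key baked into every copy of the app authorizes every command. Extract it
# once from the app binary and the cloud service accepts commands for any car,
# because nothing in the check refers to a user account or to who owns the VIN.
APP_WIDE_KEY = b"constructed-shared-app-key"


def weak_authorize(command, presented_key):
    """Return True when the request carries the shared app key; the command
    itself (vin, action) is never tied to an account."""
    return hmac.compare_digest(presented_key, APP_WIDE_KEY)


# --- Hardened design ---------------------------------------------------------
def canonical(account, vin, action, nonce, ts):
    """Fixed encoding of every field the signature must cover."""
    return json.dumps([account, vin, action, nonce, ts], separators=(",", ":")).encode()


def build_command(session_key, account, vin, action, ts, nonce=None):
    """What the app sends: the command fields plus an HMAC under the user's session key."""
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(session_key, canonical(account, vin, action, nonce, ts), hashlib.sha256).hexdigest()
    return {"account": account, "vin": vin, "action": action, "nonce": nonce, "ts": ts, "sig": sig}


class CommandGateway:
    """Cloud-side check that runs before a command is forwarded to the car."""

    MAX_SKEW = 60  # seconds during which a signed command stays acceptable

    def __init__(self, now=time.time):
        self.session_keys = {}  # account -> key issued at login; never shipped inside the app
        self.seen = set()       # (account, nonce) pairs already forwarded
        self.now = now          # injectable clock so the check is testable

    def login(self, account):
        # Assumes the user's credentials (ideally with a second factor) were
        # verified before this point; that step is outside this sketch.
        key = secrets.token_bytes(32)
        self.session_keys[account] = key
        return key

    def authorize(self, cmd):
        """Return (accepted, reason). Order: session, signature, ownership, freshness, replay."""
        key = self.session_keys.get(cmd["account"])
        if key is None:
            return False, "unknown session"
        expected = hmac.new(
            key,
            canonical(cmd["account"], cmd["vin"], cmd["action"], cmd["nonce"], cmd["ts"]),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(expected, cmd["sig"]):
            return False, "bad signature"      # tampered fields or wrong user's key
        if VEHICLES.get(cmd["vin"]) != cmd["account"]:
            return False, "not the owner"      # a valid login for bob must not move alice's car
        if abs(self.now() - cmd["ts"]) > self.MAX_SKEW:
            return False, "stale"              # old captured commands expire
        if (cmd["account"], cmd["nonce"]) in self.seen:
            return False, "replay"             # the same command is forwarded once only
        self.seen.add((cmd["account"], cmd["nonce"]))
        return True, "forwarded to vehicle"


if __name__ == "__main__":
    gw = CommandGateway()
    alice_key = gw.login("alice")
    cmd = build_command(alice_key, "alice", "VIN-EXAMPLE-001", "unlock", gw.now())
    print(gw.authorize(cmd))   # accepted
    print(gw.authorize(cmd))   # identical message again: rejected as a replay
    bob_key = gw.login("bob")
    print(gw.authorize(build_command(bob_key, "bob", "VIN-EXAMPLE-001", "unlock", gw.now())))
```

The design point is that the secret which authorizes a command lives in a per-user session on the server, not in the app binary, so tampering with or decompiling the app yields nothing that works for other users' cars; the ownership check is what keeps a compromised account from scaling into the "tens of thousands of cars" scenario the article describes.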