Modern cars are computers on wheels, meaning hostile hackers can violate your car’s software and do what they want to it a lot easier than you might think.
Moshe Shlisel knows exactly how someone can hack your car. Fortunately, he’s one of the good guys. His company specializes in cybersecurity. His team looks for vulnerabilities in cars to pinpoint the risks and then help to guard against them.
In his experience, nearly all modern cars on the road today are extremely vulnerable to being hacked. And, it is happening in the real world, though it gets minimal attention and society is largely naive about how many car hacks and other industrial hacks have occurred, Shlisel said.
In 2019, for example, the U.S. Army’s Stryker armored vehicles were hacked, compromising some of their systems, according to reports in The Drive and Army Times.
In June of last year, Forbes reported that nearly every car manufacturer has been hacked and there has been a general increase in attacks over the years. Forbes cited Upstream’s latest Global Security report writing, “There was a 99% increase in cybersecurity incidents (150) in 2019 with a year-over-year 94% increase since 2016. Insurers are just awakening to the seriousness of the threat, and some are wondering if auto cybersecurity is a national defense issue.”
“The more sophisticated the system is, the more connected your vehicle is, the more exposed you are,” said Shlisel, CEO and cofounder of GuardKnox Cyber Technologies Ltd. in Israel with subsidiaries in Detroit and Germany. “We have taken whatever model (car) you think of and we hack them through various places. I can control your steering, I can shut down and (start) your engine, control your brakes, your doors, your wipers, open and close your trunk.”
Those are only a fraction of the vehicle safety risks. Cybersecurity experts say professional hackers can gain control of a vehicle’s systems or access a driver’s personal data in most modern cars pretty easily, even if they’re sitting on the other side of the world. All they need to do is find the unique Internet Protocol (IP) address for your car.
It presents automakers with a never-ending task of keeping up with advancing technology to stay a step ahead of the bad guys. And there are steps being taken.
“It’s a cat-and-mouse game, you have to be on the ball all the time to stay ahead, otherwise if you don’t move forward, you get hacked,” said Michael Dick, CEO of C2A Security, which is based in Israel and works with automakers on cybersecurity solutions.
In the past 15 years, car makers have increasingly added software to vehicles.
Today, there are 100 million lines of coding in a vehicle, more than in a jet, a laptop or a mobile phone, Dick said.
Some of that software is written by automakers and some by suppliers, which further complicates the process of securing it against malevolent forces, he said.
“If you ask a manufacturer what kind of software is in a vehicle, they wouldn’t be able to tell you. In part, that’s due to a complicated supply chain in automotive,” Dick said.
C2A Security has found there are constant attacks on car systems such as infotainment and connectivity, perhaps even safety critical systems that are not published since they are typically performed on a single car and remains between the hacker and the car manufacturer.
Dick expects that at some point there could be ransomware attacks on cars. That’s where a driver will try to start the vehicle and will get a message that says, “ ‘To start your vehicle, you’ll need to pay 500 bitcoins.’ There’s no way around it. You’ll have to get it towed and get all new software to start it,” he said.
It has already become popular to steal credit card or personal information, which is available in the vehicle’s infotainment system, Dick said.
“Those are two low-end examples,” Dick said. “I know for sure it’s happened ... in cybersecurity laboratories, they have been able to hack cars and then they publish it and tell the car manufacturer they’re doing it to show how good they are. That’s happened several times over the year.”
Late last year, ethical hackers put software in a drone and flew it over a Tesla and opened the doors to the car, Forbes reported.
“Theoretically you could steal a car,” Dick said.
“When these hacks are published, it means they told Tesla and Tesla fixed it,” Dick said. “But they were able to do it.”
It’s been shown, too, he said, that a hacker could theoretically take control of a vehicle or many vehicles at once, posing a threat to lives and infrastructure.
“Imagine you have this attack where you take the most busy highway at 9 a.m. and malicious software has been put into thousands of vehicles and everybody loses their brakes or turns left,” Dick said. “You would have thousands potentially killed and it would compromise the highway system.”
Hackers alert Detroit’s 3
One of the most well-known vehicle hackings came in 2015 when ethical hackers Charlie Miller and Chris Valasek ran a semi-controlled experiment and managed to remotely take over the controls of a Jeep Cherokee, activating windshield wipers, blasting the radio and turning off the engine in the middle of a highway, ultimately landing it in a ditch, according to a report from Wired.
The two got the attention of General Motors. In 2017, GM’s self-driving subsidiary in San Francisco, Cruise, hired Miller and Valasek.
A year later, GM launched Bug Bounty. GM brought 10 hand-picked “white-hat” hackers — tech lingo for an ethical hacker or security expert — to Detroit. GM paid them a bounty or cash payment for each “bug” they uncovered in any of GM vehicles’ computer systems.
GM ended its private Bug Bounty program in 2019, but does have an active bug bounty program through its HackerOne Vulnerability Disclosure Program. HackerOne is a forum for ethical cybersecurity researchers to report to companies various security weak points.
Fiat Chrysler, now called Stellantis, has had a similar program in place since 2016. According to Bugcrowd, a report provided to the Free Press by a Stellantis spokeswoman, the automaker has awarded 542 benevolent hackers for finding vulnerabilities over the years. It pays them $150 to $7,500 for each vulnerability discovered. In the last three months, the average payout per vulnerability was $422.98, Bugcrowd said.
Earlier this year, ethical hackers alerted Ford Motor Co. that its internal system filled with sensitive proprietary information was not secure against hostile forces. Ford said it believed it thwarted a security breach.
‘Must remain vigilant’
In 2016, GM started its Vulnerability Disclosure Program on HackerOne.
Since that time, researchers have reported to GM more than 2,000 vulnerable areas, which GM has fixed and, “over 500 hackers have been thanked for their support, so we value that relationship,” said Al Adams, GM’s chief product officer.
Adams heads a product cybersecurity team of about 90 engineers and internal hackers globally. GM has also hired eight to 10 third-party cybersecurity companies to find weak spots in GM’s cars.
GM practices a “defense in depth” strategy, Adams said.
“It’s a security strategy in which we design security controls that overlap each other,” Adams said. “So a vulnerability that exists, that exposes a security control, it has a backup to protect against that. It’s layers that overlap each other and protect each other.”
GM’s Vehicle Intelligence Platform (VIP), launched in 2019 on the Cadillac CT5, CT4 sedans and Corvette Stingray, is an example of GM’s evolving cybersecurity, he said.
The software in VIP is authenticated. That means if a hacker tried to put other software on the car’s system to say, take over steering or lock the ignition, VIP would block the foreign software because the system would know it is not authentic or authorized. Also, VIP has enhanced over-the-air update capability to further protect the car’s software. Adams said by 2023, VIP will be on the majority of GM’s models.
“If you consider the security controls we have in place now and the enhancements in VIP, we’re in a good position against the known attack today,” Adams said. “But we must remain vigilant and ensure that in the future we monitor the evolution of the attack and have an evolution of our controls in parallel.”
Drive a ‘60s car
Dick said, “If you want to be safe, you have to drive in a 1960s car.”
That’s a bit extreme, but Adams and Shlisel offer some other tips to car owners to protect against a cyber hack beyond what automakers are doing with cybersecurity.
—Consumers should demand that regulators make carmakers pass the same kind of scrutiny for cybersecurity as they must for safety ratings, Shlisel said.
—Do not connect devices through Bluetooth to your car, unless the device providers can assure you the device is protected, Shlisel said.
—Keep your mobile phone updated with the latest security controls available, Adams said.
—Create and use strong passwords for your OnStar account or the WiFi in the vehicle, Adams said.
—Do not insert untrusted devices in the USB port. If you find a USB drive on the ground, don’t plug that in to find out what’s on it, Adams said.
“There’s a lot of talk about cybersecurity these days because there’s a realization that the current situation is not good, it’s a dangerous situation,” Dick said. “There are lidar, radar and cameras and the more systems the car has, the more vulnerable the car is and it’s progressing in leaps and bounds.”