Is Your Car About to Get Hacked?

In the past, cars have been a low priority for cyber criminals. The payback wasn’t worth their effort because vehicles didn’t contain much salable data.

Not so with new models. They’re part of the Internet of Things with connections to the cloud, the infrastructure and a growing number of gas stations, pizza joints and other third-party sources.

This creates a treasure trove of data about you and everything you do, which is exactly the type of intel that keeps the hackers hacking.

How Concerned Should We Be?

The latest BlackBerry Cylance “Threat Report” lists vehicles as one of the primary new targets for hackers. It’s the first time that cars have been included in the annual study, which Cylance started before it was acquired by Blackberry last year.

Source: Getty Images

The issue has been a growing concern since 2015, when so-called “white hat” researchers were able to remotely take control of a Jeep Cherokee. This prompted a lot of hand-wringing, talk and action—including the formation of the Automotive Information Sharing and Analysis Center—to bolster vehicle security and thwart bad-doers.

But the authors say not nearly enough is being done. Most OEMs still test less than half of a vehicle’s hardware and software for vulnerabilities, according to BlackBerry.

Citing data from Israeli startup Upstream Security, the study says malicious vehicle hacks surpassed those performed by white hatters for the first time in 2018.

The Weakest Link

What makes cybersecurity so challenging in a vehicle are the number of companies involved and potential entry points that can be breached at various stages. These include:

• A carmaker’s touchpoints
• The entire supply chain
• IoT connections
• Dealerships
• Aftermarket providers
• Smartphones and other portable devices

As with attacks on other industries, hackers can use a variety of methods to access vehicle systems and personal data. This includes phishing for passwords and confidential information, installing malware and exploiting shared cloud-based databases.

Personal Information Inside Your Car

The main attraction to drive a hacker to attack a vehicle is to get a user’s personal information, notes Eric Milam, vice president of BlackBerry Cylance’s research operations. In many cases, drivers inadvertently provide such access themselves by plugging a new device into a UBS port or linking the car to a smartphone after downloading an infected app.

Rentals and used cars have their own risks if smartphone data isn’t wiped for every new owner or driver. In addition to a user’s contact list, a vehicle may have stored geolocation data, garage door access codes and various login credentials.

Hackers also could wreak havoc by remotely controlling steering and throttle functions through autonomous vehicle systems. A more likely scenario, Milam says, would be to disable the vehicle and hold it hostage until a ransom is paid.

How To Protect Your Car From Hackers?

There’s no question that attacks on cars will increase as they become more connected. Combating the threats will take a concerted and ongoing effort.   

BlackBerry, which offers its own security toolkit, advocates:

• Implementing cybersecurity measures at the initial design and development stages by carmakers and their suppliers
• Using data encryption on any vehicle system that stores vehicle or driver information
• Developing a system of updating vehicle software and firmware securely and remotely
• Making security patches publicly available on a website (although doing so creates other potential risks)
• Using AI and machine learning tools

It won’t be easy. Hackers only need to break in once to hit pay dirt. Carmakers, Milam points out, have to constantly defend against such attacks at every potential point of entry.

“It’s a monumental task,” he underscores.