As vehicle technology advances and cars become more sophisticated, experts say they also will become more popular targets for cybercriminals.
Cybersecurity firm IntSights reported recently, in an analysis titled “Under The Hood: Cybercriminals Exploit Automotive Industry’s Software Features,” that cybercriminals have been circulating data on the Internet that describe how to hack into car systems.
The information provides hackers with a de facto manual for how to infect vehicles with malware, interfere with their computerized systems or even steal them.
Cars and trucks have been at least partly computerized for decades, but recent leaps in auto technology present hackers with a serious target, experts say.
“We discovered easy-to-find online shops that sell car hacking tools on the clear web. These online shops sell services that disconnect automobile immobilizers, as well as services that sell code grabbers and forums that give bad actors a complete tutorial on how to steal vehicles,” the IntSights report states.
Analysts like IntSights say cars are now capturing hackers’ attention in part because of the integration of certain interruptible systems, such as GPS navigation and Wi-Fi Internet access.
The most common types of attacks target a car’s Controller Area Network protocol — a component that can open access to all of a vehicle’s functions. Hackers also use devices known as “code grabbers” to copy or intercept the signals used to remotely open and start a vehicle.
Autos are most susceptible to hacking into the remote start system when the vehicle is not in motion. However, getting around that limitation — and hitting the car while it’s being driven — is doable.
“The biggest challenge for hackers attempting to exploit remote access points is the required proximity to do so,” the IntSights report notes. “Attacking a moving car can be near impossible if the hacker needs to physically connect to it.
“However, there are ways to bypass this problem: attacking a car via a cellular network, breaking into its WiFi access points or breaking in via the manufacturer’s back-end system, to which many modern cars are connected.”
Etay Maor, IntSights’ chief security officer and one of the report’s editors, said auto hacks can potentially take over vehicle systems and harm drivers. But he says the main objective is to steal items from inside vehicles or take the vehicles.
“A car represents a different type of attack surface for potential criminals, because when you think about computers, they’re not really reachable for the attackers,” Maor said. “But on the other hand, cars are all around us. Stealing one and monetizing it is relatively easier than a stolen bank account.”
With current automotive technology, experts say hackers can also use traditional computer-hacking tactics — like phishing — to infect cars with ransomware, which is basically a virus that hijacks access to the vehicle and holds it for ransom.
That type of cyberattack is rapidly gaining popularity, due to its relative anonymity and chances for success. Multiple governments in the United States this year have paid out more than $1 million in ransom to regain control of their systems.
As a result of the rising risks, automakers have taken many precautions in developing and updating digital systems.
Faye Francy, executive director of the Automotive Information Sharing and Analysis Center, said she isn’t surprised by the IntSights warning. Her organization shares, tracks and analyses intelligence about cyber threats in the auto industry.
Francy said automakers are aware of the potential issues and are taking a systematic approach to secure vehicle technologies. The industry is developing practices, like over-the-air security updates, for vehicle software and firmware.
Automakers also are taking a proactive approach to make owners, dealers and potential buyers aware of the more prevalent auto hacking risks.
“There’s a lot of activity for [a vehicle’s] full life cycle, from the design all the way through to the operation, and we know that these cars are usually out there for 12 to 15 years,” Francy said.
She added that vehicle security is not solely the responsibility of automakers. Owners, she stressed, must be cautious when plugging smartphones and other communication devices into their vehicles. And when selling a vehicle, she said, it’s critical that drivers delete all the device-linked data from the car’s computer so it can’t be exploited by the next owner.
“Cybersecurity is everyone’s responsibility,” Francy said.
Maor cautioned that the days when cybercrimes were a problem only for the personal computer industry are gone.
“I honestly cannot point to an industry today which is not being targeted by some form of cyberattack, whether [it’s] simple phishing or very advanced ones,” he said. “The car industry is definitely no different.”