Car theft has entered the cyber age with more than one in three vehicles currently stolen in London being taken through sophisticated hacking methods, the Home Office has revealed.
According to Home Secretary Theresa May, criminals are turning towards digital methods to get hold of other people’s cars. Without having to steal the owner’s keys, break windows or damage locks, the hackers can create and programme their own keys to get into the cars. Frequently, they intercept the data needed to carry out the crime when the unsuspecting driver uses his or her securely coded key.
Speaking during an event organised by the Reform think-tank in Westminster, May said hackers can even use special malware to seize control over the vehicles through satellites, issuing remote commands to unlock doors, disabling alarms or starting engines.
May said the Home Office is working with the Metropolitan Police to find a cure for the emerging challenges.
"Because we have this understanding, we can now work with industry to improve electronic resilience, include this kind of resilience in the vehicle's overall security ratings, and work out the extent to which the same threat applies to other physical assets such as building security systems," she said.
Although the figures revealed by the Home Office may come as a surprise to the general public, the expert community has been anticipating and warning of the risks related to the spread of digital technologies in modern cars for quite some time.
“For instance proof of concept attacks against vehicle key security algorithms were conducted by academics nearly a decade ago and the necessary hardware has only become cheaper since then,” said Mike Ellims of the Institution of Engineering and Technology.
“Attacks where a duplicate set of electronics for a target vehicle is acquired, for example from a vehicle scrap facility and used to replace the electronics on the vehicle has also been known for a similar period of time. Attacks where the vehicle or duplicate key is reprogrammed in-situ is only a variant of this.”
Cases where cars have been stolen using this method were already described. Paradoxically, expensive luxurious cars packed with smart technology may appear more vulnerable then less high-tech main stream vehicles.
Since 2012, multiple owners of luxurious BMW vehicles reported their cars missing without their smart keys being touched. The smart keys use near field communication technology to exchange data between the key and the car and allow the driver to enter the car or even start the engine without having to insert the key. The technology was originally only available with high end models but has increasingly been spreading into the mainstream market.
Unfortunately for owners of cars equipped with smart keys, a device exists which allows anyone to access the on-board computer and programme a blank key. Although this device was originally sold to garages and recovery agents, it soon found another market among criminals.
“As vehicles become more connected attacks over wireless services could become more common if manufactures don’t respond,” Ellims said.
The IET’s Martyn Thomas agrees: “Whenever you introduce new technological features, you are opening up new vulnerabilities. It is therefore critical for the manufacturers to be using cutting edge engineering and computer simulation to assess the vulnerabilities before criminals could exploit them.”
Thomas described another scenario when luxurious vehicles could fall into the wrong hands using some rather exclusive features.
“There are ways to open a car remotely. They are usually available only for high-end models,” Thomas said. “These systems allow the user, in case he loses his key, to contact his garage or a dealership with some secure code and they can, following his request, remotely unlock the car.”
It is therefore feasible, Thomas believes, for a resourceful hacker to breach this secure communication link and gain unauthorised access to the vehicle.
Even more common, Thomas said, is copying of unencrypted car keys. In this scenario a hacker, equipped with a simple radio receiver, could be hiding in a busy car park, waiting for unsuspecting drivers to lock their cars with a remote key. After simply recording the radio transmission between the key and the car on a special device, the criminal can replay the signal after the owner has left and get into the car.
“The signal between the car and the key is transmitted through near field communication technology and should only be possible to intercept over very short distances,” said Thomas. “However, it frequently isn’t that simple. Then it depends on whether the car manufacturer is using keys with encryption. In the optimal scenario the key should be generating a different code for every transmission, but it’s not known how many of the manufacturers do that.”
With modern cars becoming ever more computerised and with driverless vehicles on the horizon, cyber security must become one of the focal points of car manufacturers’ research, probably as significant as crash testing.
Recent demonstrations in the USA have shown that hackers could theoretically temper with critical systems of the cars including brakes or engines, possibly causing fatal accidents.