Cyber car crime: thieves turn to high tech
Image credit: Society of Motor Manufacturers and Traders Limited, Birmingham University, image source
Reports show that increasing numbers of thieves are using sophisticated means to break into and steal cars. But how big a problem is high-tech car crime? And what, if anything, can be done about it?
In August 2016, experts from Birmingham University and German security company Kasper & Oswald found a way to hack every Volkswagen (VW) made since 1995 using cheap radio hardware. They also found ways to break into a range of other cars, and there have been serious questions raised about the vulnerability of still more vehicles.
Modern cars are developed by software engineers as well as mechanical engineers, which may make them more resistant to crowbars and coathangers, but opens them up to attack from tech-savvy criminals armed with the latest gadgets.
Car security systems use electronic coded messages transmitted between the key fob and car to keep the vehicle locked. Radio frequency identification verifies the ignition key, and if a thief uses anything other than the actual key, the car should not start.
Birmingham University researchers showed that for some cars, however, this was not the case. VW cars manufactured between 1995 and 2016, including the company’s Audi, Seat and Skoda brands, rely on four global master keys. “If you can reverse-engineer the protocols, you can get into the cars,” says computer security expert Flavio Garcia, who worked on the study.
Garcia and company found that someone with a radio standing within 100m could intercept key fob signals. Once that person recovered the cryptographic algorithms, they would be able to clone a VW Group remote control and get into virtually every VW Group car sold since 1995. That’s around 100 million vehicles.
The researchers also came up with a second hack, one they say could affect Alfa Romeos, Citroens, Fiats, Fords, Mitsubishis, Nissans, Opel/Vauxhalls, Renaults and Peugeots. “With these cars, the cryptographic cypher is weak and has design flaws,” Garcia says. “If a thief runs a correlational attack, gathering information eight times from the key, they can get in.”
Birmingham University hasn’t released the reverse-engineering involved in its study, and Garcia explains that implementing the second hack would take more knowledge and skill than the average car thief possesses, and a lot of maths and statistics. However, he adds that if someone built a device that could do the maths, then the crook would just have to press a button.
A report published by security experts Traqueur in October 2015 showed that 74 per cent of cars stolen in France are electronically hacked. Last year, around 6,000 cars were stolen in London alone using keyless techniques. One London gang was jailed for hacking into and stealing £680,000-worth of luxury vehicles.
Many of these cars were stolen by criminals who employed simple jamming devices to block the signal between key and vehicle, as the driver attempted to lock it. When the owner walks away believing their car is secure, thieves enter the car and attach a diagnostic device to the vehicle’s computer. This device issues a new key code to one of their own blank fobs, which they use to start the engine and drive the car away.
BMW X5s, the Ford Focus and Fiestas are vulnerable to this trick. In 2015, Land Rover recalled 65,000 Range Rovers and Range Rover Sports to fix a software bug that left them particularly susceptible to keyless car crime. That same year, researchers from ADAC automobile club in Munich found that BMW Minis and Rolls-Royce cars were also vulnerable. These three makes of vehicle feature ConnectedDrive, a technology enabling owners to access internet, navigation and other services via a SIM card installed directly into vehicles.
The ADAC researchers created a fake mobile phone base station to intercept network traffic from the car, and then used the information to send commands to the vehicle, telling it to lower windows or open doors. They discovered that 19 other makes of car were vulnerable to a different attack, using two radios to amplify the range of wireless key fobs, which opened car doors and started the engine.
While none of this is great news for car owners, things could get a lot worse if a hacker tried to take control of a car’s steering, brakes or headlights while the car was actually moving.
Many modern cars come equipped with computerised driver assistance systems that include auto-parking, lane warning, intelligent cruise control and emergency braking. In 2014, half the cars sold in the USA were connected to the internet.
Tesla, the electric-car maker, has already sold tens of thousands of cars with a self-driving feature known as Autopilot. Last year, US start-up nuTonomy got permission from the Singapore government to test its self-driving taxis.
Former US Secretary of Transportation Anthony Foxx predicted that driverless cars will be in use all over the world by 2025. Ford and Tesla plan to have autonomous cars for sale by 2021. General Motors, Volkswagen, Toyota and Nissan, before that. Research firm IHS Automotive predicts that around 21 million driverless cars will be on the road by 2035. The IEEE says that 75 per cent of all cars will be autonomous by 2040.
Yet the death of Tesla driver Joshua Brown last year showed that the sensors which detect objects in the autonomous car’s path are not infallible. Brown’s car’s autopilot function failed to detect a white lorry against a bright sky and it hit the lorry at up to 75mph.
More worrying still is the fact that sensors like these could also be interfered with by hackers, who could take command of the car, or if not that, take control away from the driver and the automated system.
Twice last year, Chinese researchers hacked into a Tesla car. They controlled various functions, and interfered with sensors that enable the autopilot to detect obstacles, including other vehicles. The researchers found a way to trick the sensors into overlooking an obstacle and to perceive an obstruction when nothing was there.
Andrew Miller, chief technology officer at Thatcham Research, a company that carries out research on behalf of the Association of British Insurers, explains that a hacker’s potential ability to pass information into a digital system creates a problem for manufacturers down the whole supply chain, from chip providers to software developers who make components for the chips. “All of this has to be constantly checked,” he says.
So far, researchers, not criminals, have carried out these sorts of hacks – experts with lots of knowledge, resources and equipment, who want to show up the security issues so they can be fixed.
A UK Home Office report, Reducing Criminal Opportunity, published in January 2016, warned that thefts will rise once the knowledge that vehicles can be thus compromised spreads to more casual crooks.
“Potentially, thousands of cars could be hacked simultaneously, with just one hack,” says David Karamba of Karamba Security.
Authorities are taking this threat seriously. Last March, the FBI and the US Department of Transportation and the National Highway Traffic and Safety Administration issued a public warning about the threat internet hacking poses to vehicles. The US Justice Department has since formed a threat analysis team to investigate potential national security risks.
Regulations are beginning to emerge, too. In 2015, the UK government produced a non-statutory code of practice for autonomous car testing and created a joint unit at the Department for Transport and the Department for Business, Innovation and Skills to coordinate policy.
The US Department of Transportation’s 15-point safety standard for the design and development of autonomous vehicles contains guidance on how to prevent hackers from taking control of an autonomous vehicle. Recommendations about digital vulnerabilities are part of the Alliance of Automobile Manufacturers and the Association of Global Automakers new best-practices on automotive security. The Auto-ISAC, an industry group of major auto manufacturers and suppliers, recently released a best-practice guide for automotive cybersecurity.
Karamba believes the best way to protect cars against techno thieves and hackers is to embed protection into the car. “Cars have hundreds of electrical control units (ECUs), but you only have to protect those three or so ECUs that are connected to the internet, not all the ECUs,’” he says.
Do this, Karamba believes, and the car’s security system doesn’t have to predict an external attack, or gather enough information to stop the attack. He explains that Karamba Security’s technology uses a deterministic algorithm to block anything that is not factory settings from reaching the car. “Any anomaly is immediately detected and blocked before it can affect consumers,” Karamba says. “The technology continuously checks for threats.”
Argus Cyber Security executive Yoni Heilbronn thinks a car needs several layers of defence: one targeted at individual ECUs, such as the car’s brakes, another layer that protects the car’s internal network, a third for external connections and finally, cloud services which can detect and stop threats before they reach the car.
Despite the headlines, Miller thinks cyber car crime is only an emerging problem. “At the moment, it takes time and knowledge to take control of a car,” he says. He admits, though, that cars are vulnerable.
To stop it from getting worse, Miller believes that car manufacturers who tend to engineer their cars over six to seven years need to work harder to keep up with security risks and the increasing power of computing, advances in machine learning and artificial intelligence.
Some companies are already doing this. BMW issued a patch to correct the ConnectedDrive security flaw. Fiat Chrysler Tesla and General Motors reward individuals who find and report security flaws in their cars’ software.
Volkswagen has said it is aware of the problems the Birmingham University researchers highlighted and is working with them to resolve it. According to Garcia, VW has already added protection to the Golf Mk7 series. He adds that all other companies mentioned in the Birmingham University report say they are looking into protection.
“The automotive industry has to ask itself the right questions,” Garcia says. “How can we keep cars secure when they are exchanging information with each other? How can we prevent an attacker from feeding fake information into a car’s system?”
Miller thinks that the industry should try to emulate what the banking industry has done, and design procedures and intelligence systems that share information relating to threats. “Manufacturers have to constantly check, monitor and reassess systems so they can better react to emerging threats,” he says, adding that this is starting to happen in the UK and the USA, although the public is unlikely to hear about the specifics, as companies don’t give away secrets. “There has to be an element of secrecy,” he says.
Car owners too can combat the techno thieves. This is important, as manufacturers are not exactly falling over themselves to retro-fit protection into older cars.
In the US, the FBI and DOT have advised owners to keep software up to date, stay aware of any recalls that require manual security patches to the car’s code, and avoid unauthorised changes to software. The Birmingham researchers suggest that car owners might consider giving up on wireless key fobs altogether, instead opening and locking their car doors mechanically.
The UK police advise owners to park their cars in the garage, or if that’s not possible, in a well-lit area, or in view of CCTV cameras. They also suggest fitting an alarm or immobiliser, using a steering wheel lock and a gearstick lock, and getting an on-board diagnostics lock and a tracker fitted.