Report: Here Is How Criminals Can Hack Your Car So Easily

We have talked about the fact that criminals (and sometimes teens just wanting to play a joke) can hack your vehicle – but a recent article explains how they can do it so easily and asks the question: “Why aren’t auto manufacturers doing anything to fix this potentially deadly problem?”

From Reuters:

This summer all drivers learned their cars are vulnerable to attack. Wired’s Andy Greenberg made headlines with his article about two hackers who were able to take control of his Jeep Cherokee as he was driving.

Greenberg was working with the hackers. But he was still stunned they were able to mess with his windshield wipers, blast terrible music over his radio, jack up his air conditioning and even kill the engine as the car cruised down the highway.

This won’t be the last time that happens. Cars are particularly vulnerable to attack because their basic computer system is far too simple.

Most automobiles run on a relatively primitive internal computer network called the controller area network or CAN. It is the computer equivalent of a single-cell organism, uncomplicated and pedestrian. Yet this simple computer controls all complicated operations of a car, including the advanced systems that run the ignition, steering and anti-lock brakes.

The auto industry standardized the CAN chips in 2007. Since then — with some small variations — every car’s little single-celled brain has been largely the same.

Though car manufacturers are now adding fancy electronic upgrades such as Bluetooth access or OnStar, they merely added other CAN computers to a car to operate them. The CAN operating a car’s WiFi, for example, is separate from the CAN operating the transmission, but the two do communicate. Typically, the CAN running crucial components — like the brakes or engine — is read-only, meaning the car’s other computer systems shouldn’t be able to change or interfere with it.

It turns out, however, that most car companies have done a terrible job of protecting the tiny brains at the heart of virtually all cars. The most dangerous car hacks succeed by hijacking the CAN controlling a car’s brakes, engines and transmission.

Often the hackers need physical access to the electronics systems in order to break into the CAN, either through the hood or the dashboard. Increasingly, though, they are able to infiltrate it through the CAN controlling the comfort systems, such as Bluetooth or WiFi.

The bigger problem is the behavior of the auto industry when hackers reveal these exploits to the world.

Many hackers are tinkerers, curious computer enthusiasts who like playing with a system and puzzling out its defects. This type of hacker is labeled a white hat — a hacker for good. Most of the recent car hackers have been white hats. When white hats discover a flaw in a security system, they typically alert the owner of that security system.

Valasek and Miller weren’t the first to hack a car. Gearheads have long hacked their cars to bypass environmental restrictions built into engines. Back in February, 60 Minutes ran a story remarkably like Greenberg’s.

A team of computer science researchers at the University of Southern California, San Diego recently wrote a program that takes control of a car with a cell phone. The program exploits a weakness in a common OBD2 dongle — often used to diagnose car trouble — that plugs into any vehicle. The researchers uploaded a simple program to the dongle via a cell phone. After that, simple text messages could start and stop the car.

Every car manufactured after 1996 has an on-board diagnostic port. It’s typically underneath the dash and right below the steering column. OBD2 dongles plug into that port and harvest data from a car’s various computer systems. Both Uber and various insurance companies use the OBD2 dongle to monitor drivers.

In 2012, researchers at Radboud University in the Netherlands figured out how to hack the security system of Volkswagen, Honda, Audi, Fiat and Volvo cars. The theft prevention system had been designed to prohibit cars from starting if the right key, with the right RFID chip, wasn’t present. Radboud figured out how to bypass it.

The Radboud University researchers who uncovered the flaw in the luxury car security systems contacted the manufacturers to let them know. In response, Volkswagen sought an injunction against the Radboud research in British court. Volkswagen won the suit and stopped the researchers from publishing their findings for two years.

General Motors doesn’t want anyone tinkering with its products either. The U.S. car giant recently declared that when you buy a car from it, you’re just leasing the software the car uses to run its systems. According to General Motors, tinkering with its cars the way Miller and Valasek did with Jeep is tantamount to theft of intellectual property and a violation of copyright law.

If the goal of the world’s auto industry is to keep its consumers safe from malicious hackers, suppressing research and suing anyone who goes under the hood is a losing strategy.

The auto industry has long been a competitive rivalry among billion-dollar companies protecting trade secrets as if they were government secrets. But if manufacturers want to keep their cars safe from malicious hackers, that must change.

The auto industry will have to become, god help me, more like the tech industry.

One of the oldest stories of Silicon Valley is of the basement-dwelling super hacker who gets caught, only to be hired by the entity attacked. Chris Putnam, for example, created a worm that ravaged Facebook. The social media behemoth hired Putnam after it discovered his code.

Michael Mooney ran a similar program through Twitter and Twitter hired him. Even the Department of Homeland Security hired famed super hacker Jeff Moss. The tech industry learned early that the best way to keep safe is to buy off the people who exploit its systems. It’s a winning strategy.

Tesla Motors, the electric car company founded by Elon Musk, knows how to deal with hackers. It offered a $10,000 bounty to anyone who finds a repeatable exploit in any of its cars.

Meanwhile, Uber just hired the now celebrated Jeep hackers Miller and Valasek to design and improve the company’s security infrastructure. Tesla and Uber’s policies stand in stark contrast to Volkswagen, GM and others who seem content to bury their heads in the sand and sue anyone who points out that the emperor has no clothes.

If the older car companies don’t change something soon, then Washington will force them. On Aug. 24, the Federal Trade Commission won a case against Wyndham Hotels & Resorts. The FTC claimed it has the right to sue companies with poor data security on behalf of the public. The U.S. Court of Appeals for the Third Circuit agreed.

That case may set the precedent for the FTC and the Department of Transportation going after auto manufacturers for their poor information security. Losing your credit card info to hackers while you are in a hotel is terrible, but losing control of your vehicle is far worse.