Europol busted up a keyless car hacking ring, the European law enforcement agency announced Monday, arresting 31 suspects and seizing more than a million dollars in criminal assets.
“The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away,” Europol announced. “A fraudulent tool … marketed as an automotive diagnostic solution, was used to replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob.”
Theft of keyless cars is easier than traditional theft, which requires either physical access to a key and hotwire know-how or both, experts say. And while theft might be the most common threat hackers pose to automobiles, it isn’t the only one, as security researchers demonstrated when they remotely shut down a Jeep while it was driving along a highway in 2015.
In an increasingly internet-connected industry with electric cars and autonomous vehicles also poised to carve out a bigger share of the marketplace, and with few government requirements on the books, those risks aren’t likely to subside soon. (By one estimate, there were 84 million connected cars on the streets of the United States last year.)
“As cars become computers with wheels in a lot of senses, the threat from attackers gets bigger,” Rafal Los, head of services at cybersecurity firm ExtraHop, told me.
That doesn’t mean nobody has taken action to counter those threats. Cyber experts say the industry took steps to improve the cybersecurity of vehicles after the landmark Jeep hack. And the National Highway Traffic Safety Administration in September updated guidance it issued in 2016 on vehicle cybersecurity. It’s just that it’s not been enough, those experts say.
A theft spree
Nationwide crime statistics aren’t as reliable as they once were, owing to decreased local law enforcement submissions of data to the FBI, but signs point to an increase in auto theft in recent years.
“Keyless entry systems which allow users to enter a vehicle and start its engine without inserting and turning a key likely helped reduce vehicle thefts since the 1990s, but the dramatic 30-year decline has suddenly gone into reverse,” Sen. Edward J. Markey (D-Mass.) wrote in a letter to auto manufacturers in July. “Although the exact cause of this turnaround is unclear, a growing body of evidence suggests that keyless entry systems may play a role.”
But an industry group, the Alliance for Automotive Innovation, said in response to Markey that keyless systems enhance security. It also touted other security measures for keyless entry, such as features allowing owners to manually deactivate fobs.
“Theft mitigation is an evolving issue and prescriptive requirements are often an impediment to innovation,” wrote Garrick Francis, vice president of federal affairs. “It is important that manufacturers maintain flexibility in the design, evaluation, and implementation of security features for keyless entry systems so that the automotive industry can continue to quickly respond to emerging issues that could affect vehicle owners.”
Still, researchers frequently demonstrate their capabilities for hacking their way into cars and starting their engines, including with vehicles from Tesla and Honda in recent months.
“There are certain car companies where the security is laughable,” Robert Leale, the president of CanBusHack and founder of the Def Con security confrence’s Car Hacking Village, told me. “If you know how to [hack into] one car, you probably can figure out how to do it on every car in the manufacturer’s lineup.”
The shutdown threat has more dangerous consequences, even if they’re far less common — or in some cases, speculative:
A disgruntled former employee of a Texas auto center allegedly used repossession software to remotely disable cars for more than 100 drivers in 2010.
The 2015 hack featured researchers cutting a Jeep’s transmission and brakes, blaring the radio and turning on windshield wipers. It led Chrysler to recall 1.4 million vehicles in the first and only cyber-related recall. The same researchers hacked vehicles before and after to further demonstrate vulnerabilities.
Former White House cyber official Richard Clarke said the 2013 death of journalist Michael Hastings was “consistent with a car cyberattack,” although the coroner’s report and Hasting family members ruled out foul play.
Action, or lack thereof
While the United Nations and Europe have pushed cybersecurity rules for vehicles, the United States hasn’t gone as far. Last year’s bipartisan infrastructure law did include a provision directing the Federal Highway Administration to establish a cybersecurity coordinator. And the White House this month is kicking off an initiative for labeling secure “internet of things” devices, but it’s starting with routers and cameras.
Right now, though, there’s not enough financial incentive for vehicle manufacturers to take action on their own to prevent theft, Leale said.
“They typically don’t want to add cost, and really theft isn’t a problem for the manufacturers,” he said. “It’s a problem for the user and the insurance companies.”
The grass-roots digital security initiative I Am the Cavalry put out a “five star” plan for automotive cybersecurity in 2014, some of which the industry has embraced, like providing incentives for researchers to report bugs, founder Joshua Corman told me.
“When we put out this ‘five-star,’ at the time there were zero carmakers that did all five and today, there’s still zero carmakers that do all five,” said Corman, vice president of cyber and physical safety at cybersecurity firm Claroty. “So do we have the political will, and are we moving fast enough to adapt to the threat landscape?”