In the U.K., where vehicle theft has been in a steep decline for the past 20 years, the most widespread advice given by police to car owners is: keep your car keys in your freezer. The most common source of vulnerability these days is the interception of RF signals between keyfobs and cars. For a time, several years ago, there was a rash of thefts that derived from the car owner’s inclination to leave car keys near their front doors.
The issue is timely as LoJack reminds us that July is National Vehicle Theft Protection Month. The company released an infographic to highlight its concerns: http://tinyurl.com/hxca92y
The proliferation of remote keyless entry and telematics is setting the stage for a renaissance in vehicle theft. Thieves are still interested in auto parts ranging from tires and catalytic converters to airbags, but grabbing the entire vehicle may be getting easier in some circles with the aid of code grabbers intercepting signals from keyfobs.
In the U.S., vehicle theft has also declined, though not as steeply as in the U.K. The decline has been steep enough to make life difficult for stolen vehicle tracking and recovery companies like LoJack. Data from the FBI for the first half of 2015 suggests a significant uptick in vehicle theft in the U.S. and the U.K. has also seen a recent spike.
Some recent thefts of FCA Jeep vehicles in Texas suggests that hacking may be taking the place of smash and grab style thefts of and from vehicles. The Texas report points to hacking thanks to video captured by a home owner of the car thief entering the vehicle and apparently using a laptop computer to start the car: http://tinyurl.com/j7pe7lm
The thefts in Texas are interesting and important from several perspectives. According to the news report, the police believe the thief tapped into the car’s on-board computer via the OBDII port and created his own key. FCA executives expressed their “concerns that the thieves may have gotten hold of a system used by dealers to pair the vehicles with a new key, one they already had in hand. That could be as simple as access to a dealer website where knowing a vehicle’s VIN, or unique identification number, can provide the necessary codes to marry car and key.”
The automotive industry has been wrestling with the issue of cybersecurity ever since IOActive analysts Chris Vlasek and Charlie Miller hacked their way into a Toyota Prius and a Ford Escape two years ago. The findings from these analysts, presented at a Black Hat cybersecurity event, was that cars are now frequently equipped with both telematics systems and automated parking systems – a combination that makes taking control of the vehicle locally or remotely both fun and potentially profitable.
The National Highway Traffic Safety Administration (NHTSA) got involved after Vlasek and Miller followed up their Toyota/Ford exploit (which involved a lot of dashboard disassembly) with the now-famous or infamous Jeep hack. The IOActive pair, who now work for Uber, demonstrated how they could remotely control the hacked Jeep – to the horror of FCA executives, regulators and Jeep owners.
Of course, the Jeep hack required some significant preparation and was not achieved without time spent reverse engineering code and penetrating the vehicle’s limited security preparations. In fact, the Jeep hack exposed a significant vulnerability which led to FCA initiating a recall and sending out USB software updates to owners of the effected vehicles.
Even after the Jeep hack, though, industry executives scratched their heads over why hackers would bother to hack cars. Up until recently car makers were content with their “security by obscurity” approach – ie. cars were just difficult enough to hack to make it not worth the effort.
But the prospect of vehicle theft combined with increasingly obvious security shortcomings may signal a turning point in the vehicle theft business. The latest data from the U.K.: vehicle theft is up 9.9%.
The Jeep hack exposed the seriousness of vehicle vulnerability and the extent to which car companies are ill prepared to respond. Vlasek and Miller’s hack was intended as a wake-up call to FCA and the industry – but their methods pushed the boundaries of ethical hacking.
Ethical hackers, like Lab Mouse, seek to penetrate a broad range of consumer products in the interest of finding and fixing flaws in security systems. Once a vulnerability is found the effected company is notified only after which are the details of the vulnerability published.
Vlasek and Miller revealed that certain Jeep vehicles lacked a necessary firewall between the infotainment system and the vehicle’s safety and powertrain systems. This created a big problem for FCA. Like most car makers, with the possible exception of Tesla, FCA is vulnerable to the sieve-like recall system in the U.S. where car makers struggle to find current vehicle owners – and vehicle owners ignore recall messages from their dealers and the car companies.
It is entirely possible that the hacker/thieves in Texas are exploiting the same vulnerability identified by Vlasek and Miller and taking advantage of the likelihood that the software-related recalls on effected models have not been seen to. We won’t actually know until the thieves are caught or stopped.
The thefts highlight the importance of over-the-air software update technology of the type used by Tesla Motors to add features and make code corrections in its Model S vehicles. FCA mailed out thumb drives with software updates – an approach widely frowned upon in the cybersecurity industry.
There is yet another source of anxiety emanating from the Texas thefts. Dealers remain a weak link in the security chain. FCA’s suggestion that the Texas hacker/thieves might be accessing a dealer Website to clone keys is but one potential source of vulnerability. Disgruntled dealer employees have been known to wreak havoc with vehicle security and telematics systems.
Dealers are also a source of poor security hygiene because of the entire industry’s blasé attitude toward recall work. At the recent national gathering of automobile dealers, incoming NADA Director Jeff Carlson ridiculed the recall system, suggesting that most recalls did not represent urgent safety issues, based on industry research conducted by the auto makers.
In the FCA instance, the missing firewall is a vehicle theft waiting to happen. Vlasek and Miller may have had fun taking control, remotely, of a Jeep – but the real issue is theft.
The Texas Jeep thefts point up the greatest threat of weak vehicle cybersecurity: the return of widespread vehicle theft as a challenge for law enforcement and car owners. There has been a lot of fear-mongering around identity theft, vehicle ransom and remote control terror – but maybe we’re missing the most obvious threat in a world of connected cars – simple theft.