We’ve written a fair amount about the risk of automotive hacking in the past few months, and for good reason – the threat posed by cyberattackers in this space is growing rapidly. We’ve seen more and more evidence of this trend, from increased media coverage of successful car hacks to the filing of the first class action lawsuit centering on vehicle cybersecurity vulnerabilities. It’s very safe to say that at this point car hacking is no longer a science-fiction concept, or even a worry for another day. It’s happening now, today, and it needs to be addressed immediately. Unfortunately, as many of these recent news stories make clear, car manufacturers are just beginning to embrace the strategies and tools necessary to ward off these evolving and increasingly numerous threats.
Recently, a well-known technology writer witnessed this dangerous trend firsthand. New York Times columnist Nick Bilton reported via Twitter that he witnessed two kids break into his own car without ever laying a finger on the vehicle. This incident, along with many other recent examples of vehicle-focused cyberattacks, makes it clear that this is a threat automakers cannot afford to overlook. Instead, they must take immediate steps to embrace tools and solutions that help eliminate the vulnerabilities that hackers aim to capitalize on.
“The kid pushed a button and immediately the Prius was unlocked.”
A powerful example
According to Bilton, he watched as two kids approached his car, a Toyota Prius. One of these children – Bilton did not estimate their ages – had a device in his hands. When they reached the vehicle, the kid pushed a button and immediately the Prius was unlocked.
“So much for our keyless future,” Bilton tweeted.
Bilton went on to explain that it did not appear that the kids were actually trying to steal from his car. On the contrary, this appeared to be some sort of experiment to determine whether they could in fact hack a car and unlock its doors. If so, the trial was obviously successful. After witnessing the break-in, Bilton chased the kids, who fled. He explained that he wasn’t interested in retaliation or punishment, but rather wanted to learn more about the technology they used. However, the hackers escaped the pursuing technology writer.
Bilton later indicated he believed that the kids were using a device that costs approximately $100 and broadcasts a variety of signals to fool car locks.
Not the first, not the last
While successful real-life examples of car hacking remain uncommon, this incident was by no means unprecedented. Notably, late last year, CBC Montreal reported on a string of car break-ins that were likely examples of similar vehicle hacking efforts. The source noted that police speculated about the possibility of car thieves utilizing electronic devices to unlock car doors without leaving any physical trace, but had yet to arrest anyone in possession of such technology.
Several of the individuals whose cars were broken into told the source that they were certain they had locked their cars, but this did not stop the thieves from gaining access to their belongings.
“It’s not a whole lot of work if you know what you’re doing,” Spencer Whyte, a Carleton University biomedical and electrical engineering student, said in regard to this type of car hacking.
Beyond these examples, there have also been numerous reports of hackers not just unlocking cars remotely, but actually gaining control of a variety of the targeted vehicle’s systems, from windshield wipers to headlights to the car’s brakes. While never documented in a real-life setting, the growing number of demonstrations of such capabilities make it clear that the risk of serious car-focused cyberattacks is increasing rapidly. It’s only a matter of time until we see a news report detailing a genuine hacking-based takeover of a vehicle.
This is a serious issue, but it’s not insurmountable. With the right tools and strategies, it’s definitely possible for car manufacturers to make it far more difficult to hack their vehicles.
Klocwork static analysis tools are essential in this capacity. With these solutions, developers’ coding efforts are vetted in real time as they work. The software highlights any potential flaws or vulnerabilities, resolving these issues as early as possible, well before the software hits the streets. Vehicles that receive this type of diligence will be far more secure as a result.