Could a hacker remotely control your car?

Techworld asks the experts if carmakers have hack attacks covered

A Grand Cherokee was hacked driving 70mph down a motorway ©Jeep


Car hacks are an acutely realistic threat, but are UK drivers at risk? We ask the experts with insider knowledge of the automotive and tech industry whether carmakers are investing in the right security, and whether recent reports can be written off as scaremongering.

Two hackers took control of a Jeep last week in a demonstration for tech magazine Wired - the latest in a series of embarrassing showcases of vulnerabilities in various luxury brands' models.

Techworld recently revealed Jaguar Land Rover was recalling thousands of its 4x4 models due to a software flaw that saw car doors unlock and in one case fling open mid-journey. Defects like these are increasing as cars become reliant on software, LTE and WiFi networks.

Mid-market carmakers haven't been spared security speculation either, with Nissan investigating its software vulnerabilities after a report that named it "most hackable" last year.

Are car manufacturers doing enough?

Amidst the media scrutiny, expert Pete Highton believes car brands are making improvements in car security. Highton is principal staff engineer at Freescale semiconductors and works with McLaren's Formula 1 cars, amongst other automotive manufacturers.

Freescale's semiconductors form part of the microprocessors that McLaren uses to learn more about its car, a technology which is used by most carmakers as they become increasingly digital. Samsung, Intel, Qualcomm and Sony make similar chips, which are primarily found in smartphones.

"With the advent of the connected car and continued extension of that connectivity from General Packet Radio Service (GPRS) to 3G, 4G and WiFi there has been a period over the last three to four years where car manufacturers have had to re-evaluate their approach to car security," he told Techworld.

Securing these connections involves encryption, decryption and authentication modules on microcontrollers and microprocessors in the car, he explained.

"No car manufacturer wants the dubious honour of being the first hacked car. As a result the 'mission critical' parts of the electronics (the engine control unit, for example) are not exposed to wireless interfaces directly."

However, hackers are able to intercept data sent from the engine control unit to the car's communication gateway - usually the infotainment system, like Apple's CarPlay. The security in place here is on the same level as algorithms that run on your laptop or tablet computer.

Many car brands have their own version of a "cloud platform" that drivers can sign into and use to check tyre pressure and use GPS through their dashboard, as well as monitor aspects of the car on their smartphone.

Some, like Ford, have even announced over-the-air software updates, similar to a new OS for your smartphone, following Tesla's lead. Tesla is already gearing up for a driverless feature update that will allow auto steering as part of version 6.2 of its OS, which prompted concerns over further man-in-the-middle attacks.

"Looking at what manufacturers are currently targeting in terms of in-car security, I would suggest that they have taken internet security as a good starting point and aimed at the next level. For example, implementing 256-bit encryption rather than 128-bit, which is still very popular within web security," Highton said.

Doesn't everyone encrypt?

Such "simple" encryption methods escaped BMW last year. It was forced to patch 2.2 million cars that link to its ConnectedDrive platform after hackers were able to unlock cars using their smartphones in a simple "man in the middle" attack, in which a thief sends information from a server (a mobile phone perhaps) pretending to be a BMW and fools the car into unlocking. The carmaker responded with a patch to encrypt that data, and said in a statement that it would offer security to "rival online banking".

The move raised eyebrows amongst the cyber security community, which has long considered encryption "absolutely bog-standard good practice" when using or developing software.

Remote access to cars on the road

Theft aside, the most pressing concern is an attack on a moving vehicle and the ability to take control of a car remotely. Highton says this is only possible if hackers have access to a car for several days and have a "serious amount of processing available to attempt to decrypt the encrypted data," presuming it is encrypted.

One big assumption is that hackers could get the car, or the electronic units at the very least, up and running. Highton says that the latest versions of microprocessors (which will be in the car) come with tamper detection, which will render a unit useless if it thinks it has been intercepted.

Of course, not all cars may be using the latest releases from semiconductor vendors. Rival firm NXP's chief technology officer, Lars Reger, said that ultimately, it's up to car makers and their suppliers to invest in security like encryption and intrusion detection systems.

In addition, cars need to be considered on a case-by-case basis.

He said: "The connected vehicle must be secure from hackers, and all messages must be properly authenticated. Different systems and networks within the car have different vulnerabilities and attack points and therefore will likely require different levels of security. In some cases, software security may be sufficient but other cases will require much stronger tamper proof security solutions."
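As an added illustration (not code from this article or from any carmaker), the Python sketch below shows what "properly authenticated" messages mean for a remote unlock command: the vehicle checks an HMAC-SHA256 tag and a message counter before acting, so a sender without the key, an altered message or a replayed one is rejected. The frame layout, the demo key and all names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed 256-bit demo key (assumption); a real unit would keep its key
# in tamper-resistant hardware and never in source code.
VEHICLE_KEY = bytes(range(32))
TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def sign_command(key: bytes, counter: int, command: bytes) -> bytes:
    """Backend side: frame = counter (8 bytes, big-endian) || command || tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class VehicleReceiver:
    """Vehicle side: act on a command only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0  # highest counter accepted so far

    def handle(self, frame: bytes) -> str:
        if len(frame) < 8 + 1 + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "rejected: bad tag"
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self._last_counter:  # an old frame sent again
            return "rejected: replay"
        self._last_counter = counter
        return "accepted: " + body[8:].decode("ascii", "replace")


def demo() -> list:
    """Run constructed frames through one receiver and collect the verdicts."""
    car = VehicleReceiver(VEHICLE_KEY)
    genuine = sign_command(VEHICLE_KEY, 1, b"UNLOCK")
    spoofed = sign_command(b"\x00" * 32, 2, b"UNLOCK")  # sender lacks the key
    tampered = bytearray(sign_command(VEHICLE_KEY, 3, b"LOCK"))
    tampered[8:12] = b"OPEN"  # command altered in transit, tag left unchanged
    frames = [genuine, spoofed, genuine, bytes(tampered), b"UNLOCK"]
    return [car.handle(f) for f in frames]


if __name__ == "__main__":
    print("\n".join(demo()))
```
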
