The rise of car hacking: In-car technology has led to thieves remotely taking over our vehicles

The consequences of a car falling under the control of criminals while travelling at speed could be catastrophic. The race is now on to find ways to stop them

First it was your personal computer. Then it was your phone. Is your car now the number one target for hackers? It's a scary thought. A PC or smartphone hack might be hazardous to your privacy or financial health. But car hacking raises the stakes to a whole new level. The consequences of a car falling under the control of criminals while travelling at speed could be catastrophic. Then there's the prospect of your pride and joy being pinched courtesy of a smartphone app.

But how likely are these nightmare scenarios? In simple terms, car hacking is already happening. BMW made the headlines – and a slot on the BBC's flagship consumer-rights show, Watchdog – for all the wrong reasons last year following a spate of hi-tech thefts of its cars in the Midlands and east London.

Thieves took advantage of a combination of vulnerabilities in factory-fitted alarm systems and a diagnostic port typically used to read fault codes during servicing. They gained access to the port without triggering the alarm and used it to reprogramme blank keys. The whole process takes just a few minutes and the upshot was thieves in possession of fully functioning keys and making off with expensive BMWs almost at will. BMW has since released a software update to remove the vulnerability. That's reassuring but will be little consolation to those who had their cars stolen.

More recently, cyber-security researchers based in the US showed how the latest safety and self-driving car technology could be turned against vehicle owners.

Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of security intelligence at security firm IOActive, aimed to increase awareness of car hackability by hooking up a Nintendo game-console controller to a US-market Ford Escape SUV.

They were able to accelerate, brake and steer as though they were playing a video game. Except this wasn't a game. It was a very real two-tonne SUV and it had been comprehensively hacked. Miller and Valasek also wired into a Toyota Prius hybrid car using a laptop computer and took control of several safety-critical systems including the brakes.

If there is a good news angle to this, it's that those exploits, along with the BMW thefts, all require physical access to cars. Where things get really worrying is the potential for wireless attacks. What if the bad guys could compromise your car as easily as they take over your laptop's web browser? And do it from behind a computer screen hundreds or thousands of miles away?

And they might just be able to, thanks to two key trends in car tech. The first is automation. The latest cars can pack 30 or more electronic control units or ECUs. These tiny digital brains now have at least partial control over everything from steering and braking to suspension settings and throttle inputs. The problem is, anything controlled by computers is hackable.

Security experts Charlie Miller (left) and Chris Valasek hooked up a Nintendo console controller to a Ford Escape SUV and took it for a spin (Forbes) Security experts Charlie Miller (left) and Chris Valasek hooked up a Nintendo console controller to a Ford Escape SUV and took it for a spin (Forbes)  

The other part of the puzzle is connectivity. Wireless technologies such as Bluetooth and Wi-Fi and cellular data such as 3G are now widespread in new cars, allowing remote access to in-car systems. Most new cars also offer USB connectivity with some level of in-car smartphone syncing or integration. Even if your car doesn't have wireless capability of its own, plugging in a smartphone effectively puts it on the net and at risk of a cyber attack.

It's that combination of automation and connectivity that could create a perfect storm of wireless hackability. If that's the theory, what's the reality of wireless car exploits today? Professor Stefan Savage of the University of California, San Diego, is one of the world's leading experts on automotive cyber security. He told The Independent that wireless attacks are indeed possible. He says he knows this because he and his research team have done just that themselves.

"We demonstrated remote wireless exploitation of vehicles using both Bluetooth and cellular networks via software bugs in media-player firmware and diagnostic systems," Savage reveals. "We then had fairly arbitrary control over other ECUs including the ability to remotely brake or turn off the brakes altogether." Terrifying stuff.

However, Savage doesn't think this necessarily means remote car hacking is an immediate safety concern with current cars.

"This kind of work takes quite a bit of time and skill, not to mention resources to buy test cars. Then there's the question of motive. Who wants to mess with the brakes of a typical driver? What's in it for the attacker? In practice, this kind of attack is about theft and mainly concerns immobiliser, door-lock and engine-start technology," he reckons.

What's more, car-makers are now much more aware of the risks posed by car hacks than even a few years ago. Several car manufacturers we spoke to (see right) emphasise efforts made to separate critical car-control systems from user-accessible and networked features such as multimedia and entertainment set ups.

If history proves anything about modern electronics, it's that there's no such thing as a completely hack-proof computer system. Very likely it's a question of when, not if, cars are stolen or crashed courtesy of a wireless exploit. But cars are made up of multiple systems. They aren't highly integrated devices like laptops or phones. That gives manufacturers a decent shot at restricting hacking to a rare occurrence and preventing cars from suffering the sort of malware plague that currently afflicts personal-computing devices.

The future of road safety depends on it.

Hack attack! How are leading car brands responding?

Audi

"Audi UK is aware of a relatively small number of Audi vehicle thefts which have allegedly been carried out using computer technology to eliminate the need for an ignition key. We will always exhaustively investigate any potential threat to the security of our cars in conjunction with the relevant authorities. To date we have absolutely no conclusive proof that our vehicle security systems can be breached in this way."

Ford

"We build in firewalls and application 'white-lists' to separate vehicle control systems from the infotainment functionality and connectivity. Cryptography is also used to restrict unwanted updates to multimedia software or access to potentially sensitive information. Software updates must be "code-signed" and recognised as coming from Ford in order to update systems such as SYNC (Ford's in-car multimedia platform)."

Mercedes-Benz

"Our COMAND multimedia system can connect to the internet and the assumption may be that this leaves it exposed to hackers. However COMAND operates independently of critical vehicle systems such as braking, steering, accelerating and various safety technologies. Even if COMAND was compromised, our cars would remain safe at all times."

Toyota

"Our company's focus is to prevent hacking into a vehicle's by-wire control system from a remote/wireless device outside of the vehicle.

"Toyota has developed very effective firewall technology against remote attacks. We believe that our systems are robust and secure."

PROMOTED VIDEO
News
Russell Brand discusses Trident and the NHS in an episode of the The Trews.
news
News
The cartoon depicts the UK (far left) walking around a Syrian child refugee
newsIn an exclusive artwork for The Independent, Ali Ferzat attacks Britain's lack of 'humanity'
Life and Style
tech
Arts and Entertainment
film
Sport
footballManager attacks Sky Sports pundit Jamie Redknapp after criticism of Diego Costa's apparent stamping
News
video
Life and Style
food + drink
Latest stories from i100
Have you tried new the Independent Digital Edition apps?
Independent Dating
and  

By clicking 'Search' you
are agreeing to our
Terms of Use.

ES Rentals

    iJobs Job Widget
    iJobs General

    Recruitment Genius: Administrator

    £14500 - £16000 per annum: Recruitment Genius: This is an exciting opportunity...

    Recruitment Genius: Administrator

    £14500 - £16000 per annum: Recruitment Genius: This is an exciting opportunity...

    Recruitment Genius: Infrastructure / Development Support

    £20000 - £30000 per annum: Recruitment Genius: Fantastic opportunity to join a...

    Recruitment Genius: Partnership Relationship Manager

    £35000 - £45000 per annum: Recruitment Genius: A Partnership Relationship Mana...

    Day In a Page

    Greece elections: In times like these, the EU has far more dangerous adversaries than Syriza

    Greece elections

    In times like these, the EU has far more dangerous adversaries than Syriza, says Patrick Cockburn
    Holocaust Memorial Day: Nazi victims remembered as spectre of prejudice reappears

    Holocaust Memorial Day

    Nazi victims remembered as spectre of prejudice reappears over Europe
    Fortitude and the Arctic attraction: Our fascination with the last great wilderness

    Magnetic north

    The Arctic has always exerted a pull, from Greek myth to new thriller Fortitude. Gerard Gilbert considers what's behind our fascination with the last great wilderness
    Homeless Veterans appeal: Homeless in Wales can find inspiration from Daniel’s story

    Homeless Veterans appeal

    Homeless in Wales can find inspiration from Daniel’s story
    Front National family feud? Marine Le Pen and her relatives clash over French far-right party's response to Paris terror attacks

    Front National family feud?

    Marine Le Pen and her relatives clash over French far-right party's response to Paris terror attacks
    Pot of gold: tasting the world’s most expensive tea

    Pot of gold

    Tasting the world’s most expensive tea
    10 best wildlife-watching experiences: From hen harriers to porpoises

    From hen harriers to porpoises: 10 best wildlife-watching experiences

    While many of Britain's birds have flown south for the winter, it's still a great time to get outside for a spot of twitching
    Nick Easter: 'I don’t want just to hold tackle bags, I want to be out there'

    'I don’t want just to hold tackle bags, I want to be out there'

    Nick Easter targeting World Cup place after England recall
    DSK, Dodo the Pimp, and the Carlton Hotel

    The inside track on France's trial of the year

    Dominique Strauss-Kahn, Dodo the Pimp, and the Carlton Hotel:
    As provocative now as they ever were

    Sarah Kane season

    Why her plays are as provocative now as when they were written
    Murder of Japanese hostage has grim echoes of a killing in Iraq 11 years ago

    Murder of Japanese hostage has grim echoes of another killing

    Japanese mood was against what was seen as irresponsible trips to a vicious war zone
    Syria crisis: Celebrities call on David Cameron to take more refugees as one young mother tells of torture by Assad regime

    Celebrities call on David Cameron to take more Syrian refugees

    One young mother tells of torture by Assad regime
    The enemy within: People who hear voices in their heads are being encouraged to talk back – with promising results

    The enemy within

    People who hear voices in their heads are being encouraged to talk back
    'In Auschwitz you got used to anything'

    'In Auschwitz you got used to anything'

    Survivors of the Nazi concentration camp remember its horror, 70 years on
    Autumn/winter menswear 2015: The uniforms that make up modern life come to the fore

    Autumn/winter menswear 2015

    The uniforms that make up modern life come to the fore