Why would someone hack your car?
We hear a lot about cybersecurity these days (and I’m more guilty than most for bringing it up) – but realistically, who would want to hack your car – and why? Of course, an attack does not necessarily target a single car: Nissan North America recently faced a major code leak that resulted in data being torrented into the hands of unauthorized third parties.
In terms of who would want to hack your car, it’s a very valid question and goes to the heart of any security strategy. If you don’t understand and quantify the risks, you cannot adequately address them. Looking at cyber attacks as a means to prevent the normal functioning of a car, or a component in it, there are many parties who might have a motivation to hack your car. That does not mean that they are dishonest enough to try, and this list is deliberately stretching the point – but it illustrates why cybersecurity matters, even for a car. According to a USWITCH study, cyber attacks on connected cars have gone up by 99% since 2018.
So who would hack your car?
- Terrorists. Tabloids love this one and understandably so. A terrorist may be motivated to make my car crash – much as they may be motivated to place a bomb under it. However, in practice, we get very few car bombings, so perhaps this threat is overblown? Not necessarily. There are several aspects that make a terrorist cyber-attack more of a concern:
  - A cyberattack may be far simpler to instigate (if we do a poor job of implementing cyber security).
  - It can be done at a distance in relative safety (for the attacker).
  - It can be done at scale. This is the really worrying one. If I can attack one car, then I can potentially attack every car (especially if I can attack the back-end platforms). This not only amplifies the extent of an attack but means that a relatively minor attack (say stopping a car rather than crashing it) becomes more impactful.
  - It can be shared. Welcome to the world of social media. Once an attack vector is found and shared, many actors may use it. Explosives just don’t have that property.
  - It is easier to justify. An activist group that blows up even one car will lose a lot of sympathy. A cyberattack can be seen as a softer option. Bringing a city to a standstill, by creating a large area of congestion, doesn’t (directly) cost lives.
- Extortionists. We are all aware of ransomware. Ransomware for cars is absolutely a possibility. Pay to drive may have a whole new meaning.
- Car owner. Car owners are highly motivated to illicitly tweak settings – squeeze a bit more out of that leased battery, enable that optional feature, disable the speed limiter, remap the engine to increase BHP. Making such changes often involves disabling security capabilities, which in turn makes other attacks, by other attackers, far easier.
- Previous owners. Winding back the clock is only the start of it. As the digital history becomes more and more relevant to determine the resale value, the motivation to cheat will increase. This can also include intentionally leaving settings enabled that allow simple tracking of the vehicle after it has been sold.
- Garages. They get to tinker under the hood (literally) but increasingly the work they undertake is logged in the car’s various computer systems. A garage wishing to overcharge may be motivated to fake these readings, and a backhander to a criminal worker in a garage is a great way for any other actor in this list to mount their attack. It’s also a great environment for someone to hone their skills against a wide range of makes, models and security implementations.
- Parts manufacturers. Genuine part? Enough said. We may not think of this as a cyberattack, but with increased reliance on ‘smart’ components, and even relatively dumb components like window switches having MCUs in them, there is ample motivation for parts manufacturers to play the cyber game or even to embed backdoors into their parts.
- Carmakers. Generally, these hold the keys to the kingdom and are entrusted with the role of ensuring good cyber security practice – but that does not mean there are not motivations for them to manipulate the data. It is fair to say that cybersecurity is high on every carmaker’s agenda, and that they all appreciate just how much they have to lose if they do a bad job (let alone if they are complicit in an attack).
- Other car makers. It may be viewed that OEM X will generally benefit if OEM Y’s cars prove to be unreliable, insecure or have a tendency to rust. The third of these is hard to achieve from a cyber attack; the other two are not! Of course, this needs to be balanced with the risk of lowering overall consumer confidence in, and willingness to pay for, the more advanced software-based systems.
- Governments. Yes really. With political careers based on proving the success (or otherwise) of green initiatives, there is certainly motivation to fudge the figures – let alone the ‘benefits’ of a bit of government code embedded to track a vehicle or monitor a conversation happening in it. Thriller writers at least will be kept in material for many years to come.
- Commodity dealers, road builders, town planners, eco warriors, commuters… Increasingly our cars not only get us from A to B, but tell us what route to take, when to leave, how fast to drive. Cyberattacks can potentially influence all of these things, and whilst the motivation or impact for a single car is small – when applied to a population of vehicles the motivation and impact both increase. A great demonstration of this was how the Waze app could be fooled into thinking there was a traffic jam and rerouting traffic. That was just a technical demonstration, but that does not mean it couldn’t happen for real.
Please don’t take the list above as a reason not to drive. That said, around 67% of all new cars sold are currently connected in some way, and that is expected to rise to 100% by 2026, meaning vulnerabilities must be minimised. The vast majority of players are motivated to prevent such attacks, and automotive cyberattacks are (so far) pretty rare. We should not be complacent though, which is why it is great news that new standards such as UNECE WP.29 are making it absolutely clear where the buck stops with ensuring the cybersecurity of vehicles throughout their life. For our part we are committed to helping with technical solutions and certified software components.
As the provider of the industry’s leading Trusted Execution Environment (TEE) with more than 16M deployments in vehicles, and growing, Trustonic’s solutions will sit at the heart of the next generation of secure vehicles. Using a hardware-backed secure environment to perform critical operations, such as encryption and biometric authentication, and to provide a trusted environment for applications and services will provide a robust platform for building your future secure solutions.