cars.pngSecurity Innovation has been securing Vehicle-to-Vehicle communications for almost 10 years, but for the average consumer, car hacking only came to light in 2015. As the year draws to an end, here’s a look at some of the events in 2015 that made car hacking go mainstream. January A researcher discovered that he could hack into the onboard networks of certain automobiles by exploiting Progressive’s Snapshot driver tracking tool which plugs into the highly-vulnerable OBD-II port. February 60 Minutes featured a segment on DARPA hacking the steering, braking, horn, acceleration, etc. This was immediately followed by US Senator Ed Markey’s report Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk which highlighted that automakers have not protected cars from hacker infiltration into vehicle systems nor have they protected drivers’ privacy. By utilizing a Wi-Fi dongle plugged into the OBD-II port, a researcher

January

A researcher discovered that he could hack into the onboard networks of certain automobiles by exploiting Progressive’s Snapshot driver tracking tool which plugs into the highly-vulnerable OBD-II port.

A researcher discovered that he could hack into the onboard networks of certain automobiles by exploiting Progressive’s Snapshot driver tracking tool which plugs into the highly-vulnerable OBD-II port.

February

60 Minutes featured a segment on DARPA hacking the steering, braking, horn, acceleration, etc. This was immediately followed by US Senator Ed Markey’s report Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk which highlighted that automakers have not protected cars from hacker infiltration into vehicle systems nor have they protected drivers’ privacy.

By utilizing a Wi-Fi dongle plugged into the OBD-II port, a researcher let an NBC NY news team use their laptop computer to control the headlights and wipers of his Mazda parked in Seattle.

March

A class action lawsuit in California claimed that Ford, Toyota and General Motors knowingly put consumers at risk by selling connected cars that can be hacked remotely. A former Tesla intern released a $60 fully Open Source car hacking kit that gives hobbyists (and hackers) a cheap and easy way to gain access to the CAN network of their connected cars. April Nick Bilton, a columnist for the New York Times, saw two kids unlock his Toyota Prius electronically, which he thinks was done by amplifying the signal from his keyless entry fob to his car. Keyless entry systems typically only communicate with their remote

April

Nick Bilton, a columnist for the New York Times, saw two kids unlock his Toyota Prius electronically, which he thinks was done by amplifying the signal from his keyless entry fob to his car. Keyless entry systems typically only communicate with their remote


Nick Bilton, a columnist for the New York Times, saw two kids unlock his Toyota Prius electronically, which he thinks was done by amplifying the signal from his keyless entry fob to his car. Keyless entry systems typically only communicate with their remote fobs over the distance of a few feet, but a signal amplifier is capable of extending this range, fooling the car into thinking that the remote is nearby even though it was in Bilton's House, about 50 feet away. Other theories were that his key fob was cloned by an insider at a repair shop or that the teens used a frequency jammer to keep the car from ever being locked. Regardless of the real attack, this article received a lot of attention. 

May

Legislators from the US House Committee on Energy and Commerce wrote letters to 17 automakers and the National Highway Traffic Safety Administration asking each about their cyber security readiness. The Committee said “Threats and vulnerabilities in vehicle systems may be inevitable, but we cannot allow this to undermine the potential benefits of these technologies. The industry and NHTSA have an opportunity to prepare for the challenges that advanced vehicle technologies present, and to develop strategies to mitigate the risks.”

In an email blast to over 1 Million subscribers, Consumer Reports urged its members to write congress requesting more government-mandated security for car-based computer systems. Consumer Reports provided an electronic form letter that can be automatically sent to the appropriate legislator.

June

Apparently, hackers and legislators took the month off and went to the beach, as there was no car hacking news this month.

July

US Senators Markey and Blumenthal introduced the SPY Car Act to protect drivers from hackers and protect their privacy. This legislation was announced immediately after researchers demonstrated that Chryslers could be remotely hacked, which prompted a Fiat Chrysler recall of 1.4 Million vehicles.

By this point that the average person was now aware of the threat. According to a Kelley Blue Book survey, almost 80% of consumers thought that vehicle hacking would be a frequent problem in the near future. But the hacking didn’t stop in July.

August

Frost & Sullivan released a report Automakers Remain Passive as Government Takes Action which criticized the steps that automakers had taken on cybersecurity and concluded that their inaction forced the US Government to intervene.

Researchers from the University of California at San Diego demonstrated that they could hack the brakes of a 2013 Corvette via the Metromile insurance dongle, which plugs into the OBD-II.

That same month, a UK court ruled in favor of researchers, allowing them to release their research on a vulnerability in the Radio-Frequency Identification (RFID) transponder chip used in immobilizers of VW cars. VW had been trying to suppress the research for two years, even though thieves were actively using this hack to steal cars in London.

September

Security Innovation’s own researcher, Jonathan Petit, showed LiDAR and cameras used by autonomous vehicles could be spoofed or temporarily disabled using lasers. Also, researchers at the University of California at San Diego and the University of Washington revealed that they could remotely take over a 2009 Chevy Impala. It took GM 5 years to fix this vulnerability, which was quietly brought to their attention by the researchers in 2010.

US Senators Richard Blumenthal of Connecticut and Edward Markey of Massachusetts were at it again, this time sending letters to 18 car makers asking for updates on how they protect vehicle owners against the threat of cyberattacks or unwarranted invasions of privacy. These letters were follow-up to the questions these senators asked the car makers in 2013.

autosecurity_final.jpgOctober

A Ponemon Institute survey of over 500 automakers regarding cyber security showed that the car manufacturers and suppliers were not treating security as a priority, nor did they believe they had the skills or knowledge to make a car nearly hack-proof.

The US House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade released a staff drafted proposal which addressed automotive cybersecurity and privacy.

US Representative Wilson also introduced the SPY Car Study Act of 2015 proposed that the National Highway Traffic Safety Administration (NHTSA) be directed to conduct a study to determine appropriate cyber security standards for motor vehicles.

The Librarian of Congress recently announced exemptions to the Digital Millennium Copyright Act (DMCA) that now make it legal to hack your own car without permission from the automaker.

November

An episode of CSI: Cyber called “Gone in Six Seconds,” was about a hacker who remotely controlled and crashed a driverless car using an open source microcontroller connected to its OBD-II diagnostic system.

 

December

SAE International produced a webinar called “J3061™ – The World’s First Standard on Automotive Cybersecurity A Global Discussion.” The J3061 will provide a cyber security framework for car makers and their suppliers.

Thankfully, there were no known cyber-attacks in 2015 that caused crashes, injuries or deaths. But as more and more connected features are added to cars each year without a corresponding increase in security, we may not continue to have such good fortune. If you’d like to read more about any of these topics, I compile a comprehensive list of automotive security articles that can be found here.