What happens when hackers find the keys to compromise your car? asks David Higgins, Director of Customer Development, EMEA, at the cyber security product firm CyberArk. If it’s connected it can be hacked, he warns.
Our cars have long been an extension of us. And, as we have become more digitally connected, so have our vehicles. Features such as navigation and multimedia streaming are increasingly being offered as standard, propelling the global connected car market to more than $219 billion by 2025.[i]
It used to be that the biggest risk was your physical car keys being stolen. But with technology progressing fast, your digital keys are likely to be even more sought after by criminals. Let’s assume that the car manufacturer has a central server that’s getting feeds from all its vehicles, for example with data on your location. This data may be stored on the manufacturer’s premises, or it may be stored in the cloud. Either way, your car will have to authenticate in some way to connect to this central system, creating a new trust issue. How does the manufacturer trust, if your car is talking to its central system, that it is that car? Or how do you trust, if the central system is talking to your car, that it is the central system?
Hackers will be trying to compromise that connectivity, and to do this they need two things. First, a route to connect into the system, for example an open WiFi. This has been a known technique since 2015 when hackers remotely compromised a Jeep Cherokee and paralysed it on the road.
Second, they will need a credential or permission to get in. These are your digital keys. What this means is that if your car is open to connections or communications from an open source, and there’s a weak password, then attackers have got the credentials to gain access to your vehicle.
The big question is, if that connection is compromised, what could an attacker do? Inevitably, the threat will become greater as technology advances, and when driverless cars hit the road in 2021. This will take the capabilities of our connected cars to a whole new level and the biggest danger is that a vehicle will be taken over.
There is a huge amount of work happening right now, across the industry, to ensure that cybersecurity is fully integrated as part of the driverless vehicle development process. However, if someone did compromise that connection they could start to impersonate communications and send bogus commands to the car. Or vice versa – they could tell the central system that the car is over here when it’s somewhere entirely different and force a crash.
Indeed, attackers won’t automatically know how to configure or administrate driverless cars. However, we don’t need to look far for examples of where attackers have lurked inside the infrastructure until they had the knowledge to take control and cause considerable damage. With the SWIFT Bangladesh Central Bank heist and the Ukrainian power network hack, attackers got into the critical assets, and they watched and learnt until they knew how to make a transaction or turn off the power. We can expect to see a similar approach being attempted to compromise driverless cars, with attackers holding the keys for a long time before they take the wheel.
Of course, full control of the vehicle is not the only motivation for cybercriminals. We may also see attempts to track the journeys of high profile targets. Attackers could silently collect travel data, while also using advanced social engineering techniques, to build a comprehensive picture of the person’s habits and whereabouts. This could potentially lead to a new type of online blackmail. As car connectivity continues to increase, there are even more digital identities to manage, secure and, ultimately, trust. The onus is on the manufacturers to keep customer data secure and ensure personal safety, and that all starts with protecting these trusts and any respective credentials.