Thieves don’t have to smash windows to break into your car. Through a tactic called RollBack, gaining access is already as simple as using a handheld device to record an owner pressing the key fob to lock and unlock the doors and then replaying that recording to open the car.
To be clear, we weren’t acting criminally. We were one of a number of teams trying to hack into virtual, or “cloud,” cars. We competed to gather flags by completing tasks like reading the vehicle identification number (VIN), opening doors, deploying the airbag—all through the controller area network (CAN) bus, which allows microcontrollers and devices to communicate with each other without a host computer.
We didn’t get to deploy the airbag, but we found the VIN and did well in other challenges, such as accessing Bluetooth, an often overlooked attack vector. In the end, we were pleased this year to finish seventh among nearly 100 competitors.
Reading the VIN, hacking the fob
VIN security is important. Those lengthy codes are like Social Security numbers for cars. Just as someone might use an SSN to hijack accounts and steal property, VINs can be used to re-register a vehicle in a thief’s name, file an insurance claim, or create fake plates that can be placed on a stolen automobile.
Another security vulnerability explored at DEF CON was the potential for cybercriminals to hack into vehicle key fobs. Today, at least 91% of cars sold use keyless ignition systems that depend on key fob technology. These remote-control devices contain radio-frequency identification (RFID) chips and antennae for communicating with the car. Press a button and doors open. Press another, the car starts.
Key fobs are super convenient. But how secure are they? The answer is: “somewhat.”
Any wireless and connected device is vulnerable to attack, and the underlying hardware and software often include exploitable weaknesses. For example, cybercriminals have had the capability for several years to exploit security flaws that exist in radio-enabled devices that many cars use to communicate with fobs. If successful, hackers can clone those digital keys and drive away in seconds.
In fact, in 2020 researchers in Belgium reportedly found vulnerabilities in Toyota, Hyundai, and Kia vehicles that could make that a reality. More recently, a researcher in Austria reportedly showed how a Tesla update could allow hackers to create their own key during the 130-second period after the car was unlocked, using a near-field communication (NFC) computer chip. And in August at Black Hat, DEF CON’s sister conference, researchers showed how easy it was to defeat the limited security features of a key fob.
Automakers know keyless ignition systems are vulnerable to attack because thefts are already occurring. In 2020, at least 93% of vehicles recovered by Tracker, a stolen-vehicle recovery system in the United Kingdom, were hijacked using relay attacks. In these hacks, crooks use electronic devices to intercept the signal a key fob emits.
One thief creeps as close as possible to the key fob sitting inside your home. Another thief stands next to your vehicle to receive the relayed signal, then opens and starts the car. That said, the hapless thieves may not be able to restart the car without the original fob, according to the American Automobile Association.
Millions of individual cars are stolen each year. But what’s to stop hackers from heisting vehicles from corporate fleets and rideshare lots en masse?
To be clear, a lot of car-hacking activity today involves responsible security researchers like me, who aim to push the boundaries of vehicle security. And, to be fair, automakers have worked hard to secure their vehicles and are getting better at it all the time.
However, that doesn’t mean hackers won’t get where they want to go at some point, given the complexity of modern vehicles. As Endpoint discussed in an article about automotive hacks, vehicles contain as many as 150 electronic control units (ECUs)—computer chips that manage everything from ignition and automatic braking to environmental and infotainment systems. These chips are increasingly used with systems connected through the cloud. Indeed, by 2025, 86% of cars rolling off assembly lines are expected to be fully connected, according to consulting firm Frost & Sullivan.
Motorists should exercise caution using key fobs, both on the road and off. More secure methods include using the metal key inside the fob as much as possible or securing the key fob itself by enclosing it in a box that blocks electromagnetic fields.
Automakers, in the meantime, should continue to partner with researchers to secure the future of vehicles. They know that automotive hardware and software are becoming more complicated and connected and therefore more vulnerable to attack. Weaknesses could become even more evident as autonomous vehicles hit the roads and rely on connected technology for navigation.
There are no simple answers. But carmakers should double down on automotive security measures, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS), which detect and defend against external attacks. (CanBusHack, Escrypt, Vector, Intrepid Control Systems, and other companies specialize in automotive security research.)
Automakers should also continue to expand industry partnerships that aim to maximize vehicle security, along the lines of the BlackBerry IVY Advisory Council, an industry effort to spur the development of technologies that secure in-vehicle data. (Council partners include Here Technologies, Cerence, Telus, Geico, and AWS.)
Securing automotive vehicles needs to remain top-of-mind for everyone. If a part-time “hacker” like me can break into cars and seize control of data and systems, so can nastier and more determined cybercriminals. We need to remain vigilant to head off what will probably remain a constant threat over time.