Ransomware is future of car theft
Imagine your car has been stolen. It’s brand new, you’ve barely made your third payment and it’s your first luxury car, a Mercedes or BMW with all the bells and whistles. You held onto the old Taurus until the fenders almost rusted off, got pre-approved credit at the bank and cross-shopped online so assiduously that you could probably start writing for Car & Driver.
Now it’s gone. The thrust of that turbocharged engine — more power and better fuel economy, promised the salesperson — will no longer make the daily commute at least a little entertaining. In fact, how are you going to get to work this morning? And damn, I think my kid left her homework in the back seat. Crap, Bob’s coming back from his business trip tonight. How will I pick him up?
Now, here’s the final insult, the kicker that makes you feel just that much more helpless: Your car is still in the driveway.
This is what’s called ransomware, and it could well be the future of car theft.
Already the scourge of computer servers, small businesses and now hospitals, ransomware is predicted by security experts, the FBI and Interpol to be the next big thing in auto theft.
Here’s how it works: “Black hat” hackers — that’s the bad kind — install a computer worm that disables people’s most precious files. Then they let them stew helplessly for a couple of hours, so that when they finally send a malicious little email demanding money in return for control of the hard drive, the ransom demand is almost welcomed.
The average amount extorted, according to experts, is about $500. When you consider Forbes magazine estimates that just one “exploit” — Locky, which scrambles and renames all your important files — tries to extort money from as many as 90,000 victims around the world every day, you get an idea of how widespread ransomware already is.
Another factor is the ubiquity of Bitcoin; its untraceable nature is blamed for encouraging ransomware exploits around the globe. And these hackers target industries with products notoriously lax in cybersecurity.
Like, say, cars. It might be the easiest money a high-tech gangsta will ever make.
Think about it: it’s the perfect crime. The thief gets the payout of holding something valuable for ransom, yet never has to take possession of it. Why bother with all the fuss of actually stealing a car when virtual theft is so much easier and more profitable?
Even the most enterprising car thief is going to have a hard time “liberating” more than two or three Benzes a day, what with the plotting required, waiting around for the target to be isolated and, perhaps most time-consuming of all, disposing of two tonnes of steel and leather. On the other hand, how many emails can an ambitious cyber-thief pump out?
Corey Thuen of Digital Bond Labs told Forbes that any American taking advantage of Progressive Insurance’s discounts for safe driving is vulnerable to getting hacked. According to Thuen, the company’s Snapshot “dongle” — a cellular-equipped device that plugs into a car’s on-board diagnostic port to relay your driving habits back to Progressive — has “basically no security technologies whatsoever.”
And this makes more than two million Progressive clients vulnerable to anything from auto theft to “road carnage,” he said.
And that’s not even the worstcase scenario! What if some particularly diabolical crypto-nerd was to infect all cars of a certain model and then hold the manufacturer to ransom?
Andy Rowland, head of customer innovation, energy, resources and automotive at BT Technology, posited just such a doomsday scenario to idgconnect.com. He noted the “infection” could start in any number of seemingly innocent ways: a compromised app that drivers download, “a batch of components with embedded malware” not detected on the production line, or by giving USBs to franchised workshops so the malware “gets onto diagnostic PCs, which then infect all of the vehicles brought in for servicing.”
In fact, the damage caused by hackers in the not-so-distant future could be even more widespread. According to William Largent, a researcher at Talos Security Intelligence and Research Group, “the age of self-propagating ransomware, or cryptoworms, is right around the corner.”
Completely self-sufficient, once a cryptoworm gains access to a system, it can navigate through a network semi-autonomously, determining, without programmer input, how best to invade other sub-systems.
In other words, skilful hackers, if they could get access to one car’s central nervous system, might be able to design malware that infects any car connected to it.
Now factor in the fact that the future of automotive safety is supposed to be vehicle-to-vehicle communications, and you have the recipe for an automotive apocalypse.
Stephen Cobb, a senior security researcher at ESET, an Internet security company, notes that “so far, the auto industry doesn’t have a good record of building in protection before technology gets compromised. It’s always ‘Let’s see what happens.’ ”