PUT THE BRAKES ON HACKERS
Tech opens door to vulnerability
Automotive hacking may be in its infancy, but it most assuredly will be a growth industry, especially as more cars take on semi-autonomous — and, soon enough, fully autonomous — driving ability.
The modern car has as many as 100 microcomputers, many of them connected to the outside world by some means of electronic communication. And it isn’t just high-tech communication systems such as Wi-Fi and Bluetooth that make our cars so vulnerable to attack. Indeed, it is our very insistence on being permanently connected that makes our cars such a rich “attack surface” environment.
Without further ado, then, here are some strategies to minimize your vulnerability to computerized theft and subterfuge:
1 Keyless a no-no
Don’t use your remote keyless system to lock your doors. “What the …?” I hear you saying. Nonetheless, it turns out the simplest hack in the automotive world is still just breaking into your car to steal all your goodies. And the simplest way to “open sesame” is scanning your push-button locking system. There’s all manner of ways to do it, but the one thing in common is that they all require you to lock your vehicle remotely and then walk away from the vehicle. The simplest solution, therefore, is to forgo the key fob and use the central door lock button to close up shop. No transmission, no hacking.
2 Put it on ice
This one is going to seem odd — completely over the top, in fact — but you might want to start putting your keyless fob in the refrigerator at night. Or in a box with some tin foil lining. Not as common as the simple “transmission” hack noted above, this exploit — that’s cybertalk for getting up to no good — involves a slightly more complicated “amplifier” that fools your car into thinking the fob is close by, therefore allowing access to your car. More importantly, if your car has push-button start, it also fools the security system into thinking the immobilizer is nearby.
3 Lock it down
Use a good old-fashioned steering wheel lock. People crafty enough to construct some form of electronic hack to get into your car are probably smart enough to move on to a more vulnerable vehicle if they spot a steering wheel-locking system, especially if it’s the tried-and-trusted The Club Original 1000 or the even more robust FJM High Security Steering Wheel Lock. If they can’t drive it away, they’re going to look for easier prey.
4 ‘Bug Bounty’
Buy a Tesla or a General Motors product. No, not because they are electric or reduce emissions, but because Tesla and GM reward “white hat” hackers for showing them their products’ vulnerabilities. Virtually every cybersecurity expert we’ve spoken with says rewarding the discovery of software vulnerabilities is the No. 1 defence against malicious hacking. GM launched its “bug bounty” program in January and Tesla solved a hack last year with an over-the-air update.
5 Low-tech is best
Don’t drive a top-of-the-line car (Tesla and Cadillac excepted). I doubt if anyone rich enough to afford a Mercedes-Benz is going to take this advice, but expensive cars have more computers and connectivity features than the cars we peons drive. That just means there’s more ways into your car’s neurosystem and more things to play with once a “black hat” is in there. One security expert I talked with drives a 1970s Volkswagen specifically because it has no computers, wireless connections or USB ports and wouldn’t even dream of buying a car with a Wi-Fi hot spot.
6 The right connection
If being connected is a big part of your daily drive, buy a car with the latest Apple CarPlay or Android Auto systems. According to Kim Komando, self-proclaimed “digital goddess,” both CarPlay and Android Auto have beefier security than automotive entertainment systems, so running the telematics through your iPhone/Galaxy may be safer than automotive cellular systems.
7 Get an OBD lock
Buy an OBD lock. What’s an OBD, you ask? The on-board diagnostic system is your car’s built-in link to the outside world, the portal through which all repairs, mechanical or otherwise, are diagnosed. All cars have a port that allows technicians to access all the relevant computers controlling your car. Therefore, it is also the easiest way to get inside your car’s brains. This subterfuge requires access to your car, but once in, the potential for damage is pretty much limitless. So lock it up. Besides, your OBD port is also used to access your car’s Electronic Data Recorder, a chip that records exactly how — as in how fast — you drive. So the OBD lock also promises privacy.
8 Asking to be hacked
Don’t buy into one of those insurance programs that promises to lower your premium based on how safely you drive. They do so by plugging a “dongle” into the OBD port mentioned above — again, one of your car’s greatest vulnerabilities — and then connecting it with the insurer’s home office via a less-than-secure cellular connection. Seriously, you’re almost asking to be hacked. Forbes, for instance, claims “a skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles.”
9 Left wide open
The same applies to anyone else trying to install such OBD dongles in your car. Samsung’s ConnectAuto promises to let business owners monitor their fleet of vehicles via a Wi-Fi-enabled OBD dongle. Other future uses for these devices may be to allow crypto repo agents to “brick” a car for missed loan payments or even to teach fleets to drive more economically. As beneficial as these additions may seem, they still leave your ECU — electronic control unit — wide open to malfeasance.
10 USB ports vulnerable
Last, but most certainly not least, don’t plug random USBs into your dashboard. Data-enabled USB ports, which are used to update system software, offer direct access to your car’s neurosystem. Ironically, part of the fix for Wired magazine’s famed Jeep hack was a USB-installed “patch” sent via the post. “The decision of Fiat Chrysler to mail out USB sticks to customers directly to patch the recent vulnerability is the security equivalent of waving a red rag to a bull,” Carl Leonard, principal security analyst at Raytheon Websense, told networkworld.com.