THE LIBERALS WANT TO COMBAT AUTO THEFT
Securing vehicles against wily and smart criminals is a huge task, says David Booth.
Quebec's provincial police recovered 26 containers full of stolen vehicles from the Port of Montreal in February. As fortuitous timing goes, CTV Montreal's “Police seize 53 stolen vehicles” headline couldn't have possibly come at a better time for Justin Trudeau's Liberal party. Indeed, to understand how truly “coincidental” this timing would seem, CTV also reported the effort included virtually every policing agency — the Sûreté du Québec, the RCMP, Ontario Provincial Police, local Montreal cops, the Canadian Border Services Agency and the Montreal Port Authority — present at last month's National Summit on Combating Auto Theft, a summit which saw said parties all bickering about the lack of interjurisdictional co-operation and communication.
And yet here they all were, not six days later, the very model of the common effort that the Minister of Justice and Attorney General of Canada, Arif Virani, claimed would be forthcoming to eliminate this scourge of auto theft. I don't think you need to be much of a cynic to think this all smelled a little “staged.”
The larger implication, if you actually watched the entire three-and-a-half hours of the summit — and the press scrum that followed — is that it is now up to the automakers to better their anti-theft game. Their current technology, says our government, is simply not up to snuff when it comes to protecting your pride and joy.
And, to an extent, they're right. One doesn't have to look much beyond the thefts of Kias and Hyundais south of the border — thefts that could not happen here, because Canadian versions of those stolen Sonatas and Souls have government-mandated engine immobilizers not required in the United States — to understand that manufacturers really do need to up their game. That said, securing our cars against theft is going to be an enormously difficult task, and one in which we, the consumers, are partially — if not largely — to blame.
In the most basic of terms, there are essentially three avenues of entry to steal a modern car: duplicating or pirating the keyless-entry system; accessing the car's Controller Area Network (CAN bus) directly; and, as has been getting more attention these days, remote attacks via the many wireless entry points into the modern software-defined vehicle.
The ingenuity of the modern car thief means those automakers will, of course, have to remain vigilant. For every solution to both these direct and keyless-entry attacks they come up with, enterprising thieves will come up with another vulnerability. Nonetheless, as the National Summit on Combating Auto Theft noted, along with antitheft experts like Ken Tindell, automakers are capable of preventing more common forms of auto theft.
The future of high-tech auto theft is likely remote. Oh, some ne'er-do-well will still have to go pick up the darned vehicle and then drive it to a secret location where it can be packaged and shipped off to whichever distant country has the laxest import regulation.
But the car will have already been “stolen.” Some enterprising “black-hat” hacker in some distant land will have already broken into its computer, opened its doors, and primed the start button to fire up the engine. All that our thief will have to do is drive away. Actually, if our distant future really does include fully autonomous automobiles — Level 4 or 5, please — the darned thing just might steal itself.
I'm not going to go into a full treatise on how black-hats can hack into cars — that has been covered extensively in both Motor Mouth and Driving into the Future — but two things are becoming abundantly apparent about cybersecurity in automobiles: attacks are becoming more prevalent, and our cars more vulnerable.
As to the first, Upstream Security's 2024 Global Automotive Cybersecurity Report — the finest compilation of data on the subject — says the number of “incidents” has increased dramatically over the last three years, and the proportion considered to have had a “massive” impact — as in millions of “mobile assets” compromised — is now almost 50 per cent of all attacks reported.
Those most dangerous of hacks have also increased by some 250 per cent over the last 12 months. The spread of automotive cybersecurity threats has just begun, but the problem would seem to be growing exponentially.
The issue is twofold — access and vulnerability. The biggest weakness would seem to be the ever-increasing channels of communication between cars, their owners and the companies that manufactured them. Essentially, every app that connects cars to some external device — whether it be a GPS system, a remote car-start, an officially sanctioned interaction app, or even a car company's direct portal into the car's computer architecture — is a vulnerability that some smart computer programmer can infiltrate. The more such portals there are, the more likely that one of them has a vulnerability that some black-hat can exploit.
Worse yet, some of those vulnerabilities are common across multiple brands. As Sam Curry, the world's leading authority on hacking cars, explained on our How Secure Is the Data in Our Cars? panel, Sirius — yes, they of internet-radio fame — also builds apps to supply drivers with crash notifications, enhanced roadside assistance, turn-by-turn navigation, and even connect with some of your smart-home devices. Curry, as he and his gang of merry computer-coding elves have already proven, can break into those “co-branded service” apps, which means, he says, that he could easily build a single low-cost device that could allow thieves to steal tens of millions of cars across multiple manufacturers.
Making matters worse is how many people have access to the protocols in these apps. As with personal secrets, the more people who have access to a piece of information, the less likely that information can be controlled. And it doesn't matter if the holders of that information are white- or black-hat hackers. Eventually, that information will prove vulnerable.
For instance, as Shira Sarid-Hausirer, Upstream's vice-president of marketing, explains, even seemingly benign “car enthusiasts” having access to software protocols can be dangerous. Last year her team discovered that “a jailbreak for major OEMs' infotainment systems” could be downloaded from a German auto blog. The report, according to Sarid-Hausirer, included the guidelines, step-by-step actions, and even a video tutorial on hacking into the IVI system, not to mention, she says, examples of the modifications possible.
Where this confluence of access and vulnerabilities will likely meet in the future is in “right to repair” legislation. Automakers have long wanted to protect the intimate details of their cars. In the beginning, this was simply to drive more service and repair business to their dealerships. More recently — and with increasing conviction — they have claimed it's to prevent the cyberattacks that are becoming increasingly common by limiting hackers' access and information.
The issue going forward, however, is that consumers now want three seemingly conflicting attributes from their automobiles: ever more connectivity with their car; the right to determine who is allowed to fix that car when it requires service; and, of course, that said car be in their driveway every morning when they wake up. I'm no expert in these things, but it's becoming more apparent that we can't have all three.
Numerous auto insurers over the last few years have offered “good driving” discounts for those who obey all the rules of the road. To access the information that allows them to gather the data proving you're a good driver, at least some of these insurers use a Telematic Control Unit (TCU) that plugs directly into your car's ECU OBD-II diagnostic port.
The ultimate irony of these “safety” devices is that they are doubly hackable. First of all, some of the TCUs supplied have less-than-stellar security protocols and are just generally open to outside hacks. On the flip side, this means some motorists who've voluntarily opted to install these tracking devices can then hire black-hat hackers to try to conceal some of their poor driving habits from their insurance companies.
Being constantly connected, to paraphrase famed jazz poet Langston Hughes, is a bitch.