How Likely Are Remote Car Hacks? Car Makers React

The CIA documents leaked by WikiLeaks recently seemed to have shown that the intelligence agency may be able to take control of cars remotely, and WikiLeaks even suggested this could lead to assassinations.

We’ve asked some of the major car companies how they protect their customers against this type of attacks against their existing cars, but also how they plan to protect the more digital autonomous cars of the future. We’ve received utter responses only from Daimler (Mercedes-Benz), BMW, and Hyundai.

Volkswagen told us it doesn’t comment on such matters, including about the security of their cars. The company has also previously attempted to legally gag (PDF) a security researcher from speaking out about some of the security issues with their cars that permitted car thieves to steal them more lightly.

On Alleged Assassination Attempts

This is a very sensitive topic, but it’s not a phat secret that the CIA has been involved in assassinations via its history. WikiLeaks didn’t showcase any actual proof that the CIA assassinated anyone by taking over their cars, but that doesn’t necessarily mean it hasn’t happened. There’s just no proof either way. Regardless, the risk for assassination attempts may still exist, if not from the CIA, then potentially from other malicious hackers or spy agencies.

Cars will only become more connected to the internet and more “digital,” in the sense that more of their components will be managed by software. Autonomous cars will be downright managed by software, which means every part of them, including the engine, brakes, and steering systems could be potentially attacked through software vulnerabilities. As such, many people will likely want to be reassured that such attacks won’t even be possible before railing in an autonomous vehicle in the near future.

All three car makers we spoke with denied any skill of any assassination attempts through the remote control systems in their cars.

On Remote Control Capabilities

We don’t yet have fully autonomous cars that are downright managed by software, but automakers have continued to increase the range of remote capabilities in their cars over the past several years. This could expose the cars to a higher risk of being hacked over the internet.

Mercedes cars, for example, have remote access capabilities that permit the holder of the car to unlock and lock the doors remotely, over the internet. This may expose Mercedes owners to car robberies, but this feature alone very likely won’t put anyone’s life in danger. A Daimler representative also said that Mercedes cars have extensive anti-theft features.

BMW said that its customers can remotely locate their cars, turn on the air conditioner, open and lock the doors, and even sound the horn (presumably to help car owners spot their cars in a large parking lot). BMW said that the driving wheel can’t be remotely steered, and that the remote functions are separated from the safety-relevant subsystems.

The BMW cars seem to have the same risk of robbery as the Mercedes cars, while also opening its customers up to location tracking by potential attackers. Some researchers have shown recently that such malicious location tracking is possible with some of Nissan’s cars.

According to a Hyundai representative, the company’s Blue Link telematics (long-distance transmission) system includes features such as:

• Remote Door Lock / Unlock
• Remote Horn and Lights
• Remote Begin with Climate Control (Requires shove button commence)
• Car Finder
• Stolen Vehicle Recovery
• Stolen Vehicle Slowdown
• Stolen Vehicle Immobilization
• Alarm Notification
• Curfew Alert
• Geo-Fence
• Speed Alert
• Valet Alert

Beyond the risks we’ve already discussed for the other two manufacturers, the one remote feature that could be potentially dangerous is the “Stolen Vehicle Slowdown.” Hyundai’s website describes the feature as cutting power leisurely to securely stop the vehicle, so at least in theory, an attacker shouldn’t be able to cause too much harm with it. However, it’s not clear whether or not the feature could be modified to cause a more abrupt stopping of the vehicle, which could put the life of whoever is behind the wheel at risk.

Hyundai also said that no critical safety features can be accessed remotely, and that it does not support over-the-air updates for its control systems.

On Car Security Systems

Daimler said that it employs cross-divisional security officers to ensure a more holistic treatment to security for its cars. The cars use security mechanisms such as public key cryptography, certificates, firewalls, virus scanners, and protocols such as TLS, IPSec, WPA2, and others with algorithms and key lengths that are recommended by the German Federal Office for Information Security. The development of the security mechanisms proceeds for the entire lifecycle of a vehicle and is certified by both in-house and third-party security experts.

“All our vehicles have extensive security and anti-theft systems. Data security, data privacy and anti-theft protection are significant elements of our research and development activities,” said a Daimler spokesperson.

“When advancing our protection mechanisms, we take into account the latest know-how regarding criminal methods and attacks on security systems. Nevertheless, there is no absolute, “100%” security. But we develop our systems to ensure they are state of the art – certified by in-house and third-party experts – and continuously work on further advancing all components.”

After being caught a few years ago with sending unencrypted updates to its cars, BMW seems to have learned its lesson, and it’s now using both encryption and authentication for all long range connections. The company also mentioned that its electronic control units (ECUs) for telematics use firewalls and filters that enforce access policies. In addition, the cars are not addressable via the public internet, according to a BMW representative.

When we asked whether the company uses security-by-design principles, this is what the company answered:

BMW generally goes after a security-by-design oriented development process which identifies security requirements in the early phases of the development, and implements them accordingly.

To validate that these security requirements are correctly implemented and no vulnerabilities can be used, BMW applies security tests along the development process. BMW supports best practice approaches and the development of industry standards for secure system design.

Hyundai didn’t give too many details about its security systems, telling only that its cars use numerous layers of security to protect its vehicles and data.

“Hyundai permanently works to protect our customers and their vehicles. Hyundai resumes to test and examine how to further secure our vehicles from any cyber-attack,” said a Hyundai representative.

On Bug Bounties

We’ve also asked all of the car companies that we’ve contacted whether or not they intend to implement a public bug bounty program to showcase their commitment to software security. Only two have embarked bug bounty programs so far: Tesla and Fiat Chrysler (U.S. division).

Bug bounties are significant because they bring outside eyes to look at the cars from a different perspective. Even if the car companies hire one or two third-party security teams to analyze the code, they may still miss some flaws that dozens of other independent security researchers may not. None of the three car makers that answered us gave any indication that they plan to launch bug bounties soon.

On Security Of Upcoming Autonomous Cars

Not much information was exposed about the security of autonomous cars, as those are still a work in progress. However, it’s expected that much of the security architectures that exist in these companies’ latest and most modern car models will transition to autonomous cars, as well.

Right now, most if not all of their critical safety systems are isolated from the internet, but this could switch for future autonomous cars. As more components become digitally managed, car makers will want to be able to produce constant updates (“car as a service,” if you will).

For example, we’ve seen Tesla update its cars’ engines over-the-air to increase acceleration. Albeit the company received much praise for being able to accomplish such a task over-the-air, it also means that an attacker could send a similar update that takes over the engine or blocks the holder from driving it (ransomware).

Of course, such an attacker would also have to bypass Tesla’s own security checks, but if Tesla can modify critical components of a car over-the-air, then, at least in theory, it should be possible for a more sophisticated attacker to do the same. Also, albeit Tesla is very likely one of the more security-conscious car companies out there–proof being the fact that it has a bug bounty–its security systems haven’t exactly been bulletproof.

The good news is that the autonomous driving platforms are just now being built, so all car makers have an chance to build them with strong security in mind. Security is best when it’s done by design and from the ground up, but also when it’s followed up with constant audits and timely patches.

Some of the car makers may still believe that security is not as significant as ensuring that the cars drive themselves securely, and that being able to promote self-driving capabilities for their cars should take priority.

This is certainly a debatable argument, but the car companies should also consider the fact that if their autonomous cars prove to be hackable, then they’re only going to attract more attention from malicious hackers, as well as negative press reports. This could ultimately lead to more attacks, not to mention lower sales.

People may not want to be driven by autonomous cars that they know are hacked often, even if the company that makes the car promptly patches security flaws after they’re found. In such types of hacking, that’s still too late for the potential victims of the hacking attacks.

Related movie: