The auto industry is downplaying the immediate risk of car-hacking after a report about a cyber-intruder’s use of GPS trackers that allowed him to monitor the location of thousands of vehicles in commercial fleets and even turn off their engines.
“Hacking is not like you see it on TV,” said Gloria Bergquist, a spokeswoman for the Alliance of Automobile Makers. But she said automakers take the threat seriously and are focusing more on shielding vehicles’ computer systems from possible intruders.
“Vehicles are highly complex with multiple layers of security, and remote access is exceedingly difficult by design,” Bergquist said in an email. “New cars being launched now have an exponential increase in cybersecurity. Automakers are collaborating in all areas possible, including hardware, software and knowledge sharing with suppliers, government and the research community.”
Motherboard reported last week that the hacker — identified only by the handle L&M — cracked more than 7,000 iTrack accounts and more than 20,000 Protrack accounts that some companies use to manage their commercial fleets through GPS signals.
The hack allowed L&M to track vehicles in a small number of foreign countries, including India and the Philippines, and shut down the engines of vehicles that were stopped or traveling 12 mph or slower, Motherboard reported. The hacker told the news organization that he also was able to access information on the users from their accounts. Motherboard said it verified the hacker’s claims by contacting people whose accounts had been breached.
The report — though involving apps in use by fleet companies in a few foreign countries — offers a reminder of a potential downside to the leap forward in technology that has made it easier than ever to go from one place to another. It also comes as automakers cram more and more high-tech systems into vehicles, such as driver-assist technology, on the way to building autonomous vehicles that will one day drive themselves.
For now, much of the problem has centered on keyless locking and ignition systems, which can be vulnerable to interception. The German General Automobile Club, or ADAC, reported that 230 of the 237 car models it tested had keyless starting and locking devices that left them vulnerable to theft, the BBC says. The most common method, known as a “relay hack,” involves using wireless transmitters to extend the range of the electronic key fob: Thieves hold the transmitter near the window of the target’s house and project the fob’s signal, thereby tricking the vehicle’s sensors into thinking the fob is closer to the vehicle than it is.
AAA says most relay hacks target property inside the vehicles, not the vehicles themselves, because once the car is moved beyond the ordinary range of the fob (about 36 inches), the vehicle cannot be restarted. But AAA also says the extent of such thefts is not known.
In the meantime, automakers say their engineers have made IT security a priority. Computer-based systems that control the vehicle or contribute to its safe operation are walled off from communications and navigation systems. The industry also says it uses simulated attacks to test safety. In 2015, Fiat Chrysler voluntarily recalled 1.4 million vehicles after security researchers, using pathways in onboard entertainment systems, discovered a way to disable a Jeep Cherokee’s brakes and steering while the car was on the highway.
The Detroit Free Press last year profiled a hacker who serves as a legal and technical consultant for auto manufacturers and for other industries. As a “white hat” researcher, the hacker was paid to find flaws in onboard computer systems that might allow him to render certain parts of the vehicle useless or simply make it seem as if the car is always in need of service.
The industry in 2015 also set up the Information Sharing and Analysis Center with 49 automakers and suppliers to develop guidelines on cybersecurity.
Bergquist, of the Alliance of Automobile Makers, said consumers can also play a part by exercising good cybersecurity practices in whatever they do, including when pairing a smartphone with a car. She also urged people to delete phone data from rental cars if phones were paired with the rental vehicle and to follow regular schedules for maintenance and software updates.
“There are a lot of players out there who want to access your car’s data for their own gain,” she said.