Report examines threat of remote vehicle hacking

With cars becoming more connected, the scope of vehicle security is shifting from theft prevention to minimizing hackers capability to gain unauthorized access of in-car ECUs. Research and Markets has released a report, "The Threat of Over the Air Hacking for Cars - 2013."

This report provides a unique analysis of the ways in which the connected car could be exploited by thieves. Different methods by which a vehicle couldĀ be compromised, such as direct physical attacks, proximity based attacks and direct over-the-air attacks are discussed, together with the results of academic research performed in this area.

The report analyzes the risks that cars may get stolen due to various possible weaknesses in the entire chain of connected service delivery (IT infrastructure, servers, communications, etc).

The fast-paced recent development of vehicle telematics systems to provide an ever-greater number of convenience features is generally incompatible with the approach necessary to make a system secure. Due to the complex embedded software and a multitude of communication channels, it is likely that weaknesses exist in all systems which a criminal could exploit to facilitate theft of the car.

The inconvenient truth is that software attacks are already used to steal cars.

In the last few years there has been a rise in thefts of late-model cars where criminals have used hand-held tools, such as key programmers and immobiliser overrides, to steal them without needing the original key.

The speed with which these devices perform their attacks on the embedded software, via the OBD port, has transformed electronic theft from a minority method to, in some markets, the dominant method used by thieves to steal the most targeted models. The proliferation of theft tools available today illustrates both the ingenuity of the attackers and the complacency of the vehicle manufacturers.

A growing number of vehicle manufacturers today offer telematics systems to provide the connectivity demanded by a new generation of buyers. Some of these systems already offer services which could potentially be manipulated by an attacker to steal cars, such as remote door unlock and remote engine start.

This report shows that vehicle manufacturers and their telematics service providers should take heed of emerging academic studies which have demonstrated that remote attacks can result in a criminal manipulating vehicle systems. Reverse-engineering vehicle CAN messages, frequently to override security protocols, is already mainstream research for aftermarket companies. This level of knowledge, combined with any single exploitable weakness in the telematics platform, would provide an attacker with almost any remote control functionality they desire.

This report looks at how vehicle telematics systems could be used to facilitate car theft in the future. It considers how criminals may remotely access or start the car and whether such attacks could be performed entirely over-the-air, or whether the vehicle would firstly need to be compromised by some alternative method. It also examines the explosion in internet-facilitated crime to consider what the automotive industry should know about today's cybercriminals.

For more information, visit