In my last blog, I discussed how a supply chain attack could affect the business – and brand – of a global company. This week, we’re going to take this a level down and consider something else which I believe is a threat, even more so in light of the recent revelations in this space.
Car hacking is not new. In 2015 (and 2016), it was demonstrated at the Black Hat conference that a car could be stopped by exploiting in-car software.
What is new is the growing number of people buying and driving connected cars, relying on the smart functions and software, and therefore growing the profile of the products. A recent report by BusinessInsider.com estimates 380 million connected cars will be on the road by 2020. This makes it more attractive for hackers to put the time and energy into developing exploits.
I think that very soon we will see targeted security attacks on owners of connected cars using social engineering to get to the driver and either deny access to, or use of, their vehicle – or perhaps to take control of one or more connected elements. This could be as basic as disabling satellite navigation, or as scary as taking control via ‘by-wire’ technologies which many cars use for brakes and accelerators today.
Imagine the scenario:
You are driving to work and a message pops up on the in-car screen: “Your service is due in 30 days, we can book you now for xx/xx/xxxx, click to accept or cancel”. It looks legitimate so you select “accept”; you’ve just been hacked. The next time you stop the car, it won’t start or the A/C locks to the coldest temperature. But the vulnerability could be darker, allowing remote access to the in-car devices for recording, location tracking and then possible blackmail. This type of attack may only be limited by the functionality of the vehicle and the creativity of the hacker.
I do not think that the first attack will be random. The opportunity window is closing as manufacturers layer additional security into cars. The first attack will probably be for visibility, perhaps targeting a celebrity. It will be ‘the scariest thing that has ever happened to them’ but with a triple-edged sword of damaging the manufacturer’s brand and, at the same time, increasing celebrity and hacker profile.
Until now, connected attacks have been limited and have required physical connection to a port inside the car. As many new cars sold now have telematics built in, along with mobile connectivity and online access, the likelihood of an attack rises. Many car manufacturers have implemented and are continuing to develop and install firewalls between in-car systems, but not yet all of them.
How can connected car owners be better protected?
- Security awareness: We are well trained in not responding to unsolicited text messages or emails, and it is the same with a car. If you receive an unexpected message via connected car technology, do not blindly accept – take time to read it and look for obvious spelling or grammar errors. If you are still unsure, do not accept the message, and contact your dealer for advice. Always err on the side of caution.
- Manufacturer communications: People are excited about the possibilities of having a connected car and manufacturers are developing applications and APIs (interfaces for custom application development) to extend functionality. If there is an issue or outage, then manufacturers should communicate this clearly and quickly.
By 2018, we will see more connected cars on the road, especially with the eCall initiative in Europe and the US DoT looking closely at V2V (Vehicle to Vehicle) technology. This is a good thing for drivers, but a challenge for manufacturers with multiple operating systems and millions of lines of code. Criminals know that people will pay to keep their car on the road, and for the next couple of years – at least – I believe this is a risk.
My advice... think before you click.