War between cops and cyber robbers over connected cars

Can technology defeat the old-fashioned car thief? An incident in Seattle suggested it might. Last November, a thief helped himself to a BMW 550i that its driver had left unlocked – complete with a set of keys – in a downtown parking garage. The owner of the car notified the police, who contacted BMW. The company dutifully tracked the car’s location and the police jumped on the trail. They discovered the vehicle parked in an alley, its engine still running.

In a very 21st-century, connected-car twist, the officers again called BMW, which agreed to remotely lock the car’s doors. The suspect, perhaps not the smartest criminal in the world, had fallen asleep. Stuck inside a locked car and drowsy, he was an easy arrest for the constabulary.

At first look, this is an encouraging development for us good guys and girls with connected cars. Our vehicles can be tracked in real time and, in certain cases, our manufacturer can even aid in apprehending a criminal.

The storied method of break-in-and-drive-away has met an intimidating new match but let’s not laugh with delight quite yet. Some experts warn that these modern-day powers can also be turned against us. “The same technology that allowed law enforcement to lock the thief in the car could, potentially, be used by criminals to obtain unauthorised access to the car, operate its systems or access its data,” said Jesse Sultanik, marketing manager of Israeli company Argus Cyber Security.

“Security and capability are two different things,” said Corey Thuen, a senior consultant at cybersecurity specialist IOActive. “The capability to remotely (and forcibly) lock a vehicle is a capability that could have an impact on the physical security of the vehicle. At the same time, such capability increases other risks such as cybersecurity. Any increase in attack surface, like adding in remote disabling, will increase risk to cybersecurity attack.”

One region of this attack surface is the OBD diagnostic dongle that is now required of every car manufactured in the US, the European Union and a host of other jurisdictions. Earlier this year, Argus demonstrated the vulnerability of such devices when it used one to hack into a target vehicle’s internal communications system. With that access, its hackers shut off the car’s fuel pump.

In 2015, in a similar demonstration that rattled the connected car world, a pair of computer security researchers gained access via wireless to a late-model Jeep Cherokee. While the car was in motion, the two men were able to control several of its functions, at one point turning off its transmission.

The ‘connected’ in the phrase ‘connected car’ refers to the networking of a vehicle’s electrical components with each other and, increasingly, to outside networks. Each of those components, plus hardware connected to them, is theoretically vulnerable to hacking, be it the OBD dongle, the SD card slot sitting under the infotainment console, or the Bluetooth network from which we patch in our phones. On top of that, all this technology is developing rapidly, often outpacing developments in security.

“Keyfobs, smartphone pairing with your car and embedded and aftermarket connected devices make cars connected targets,” said Sultanik. “There was even a case in Houston, Texas in the summer of 2016 where car thieves used laptops to steal a number of vehicles without having to physically break in.”

In that incident, two apparently quite sophisticated car thieves used a laptop to remotely start a 2010 Jeep Wrangler. They then stole it from the owner’s driveway. A senior Houston police officer remarked of one of the thieves that “we don’t know what he is exactly doing with the laptop but my guess is he is tapping into the car’s computer and marrying it with a key he may already have with him so he can start the car”.

A similar method may have been used in four other vehicle robberies around the same time. All of the cars were recent-model Jeeps, Houston police said. “So, although the old ways of getting in are still possible, connectivity has created new ways for car thieves to accomplish their objective,” Sultanik added.

Yet that assumes the bad guys have the technical know-how to breach a car’s systems – traditionally not a skill set boasted by your average auto thief prowling the streets. Against the old-fashioned smash-and-grab variety of thief, technology might be gaining ground. Statistics seem to support this theory. In the US over the past decade or so, car theft has been generally trending downwards. According to statistics from the Department of Justice and the FBI, the total number of vehicles stolen consistently dropped from 2006 to 2014, with only a 3% uptick the following year. A decade makes a big difference – the 2006 tally was nearly 1.2M, while the 2015 figure was significantly lower, at just under 708,000.

Although we’ll never completely eradicate these traditional methods of thievery, we now have increasingly powerful methods to combat them. “I think the physical ‘meat-space’ style threats will always be an issue and connecting the car doesn't really stop them…” cautions Thuen, “…but it does improve our ability to respond.”

