Cars have long been, above all, computers on wheels. The technological advances that have been integrated in recent times make them technical marvels and very, very comfortable. The problem is that all these advances have a dangerous counterpart.
Vulnerabilities. It’s been almost a decade since ethical hackers, the so-called ‘white hat’ hackers, warned at the famous Def Con event that connected cars posed cybersecurity risks, and two experts named Charlie Miller and Chris Valasek demonstrated that even then there were various models with vulnerabilities of different scope.
Shock at the wheel: your Jeep can be hacked while driving down the road https://t.co/40h8StaLFG pic.twitter.com/bOvjzQb9K4
— Kaspersky (@kaspersky) July 23, 2015
My Jeep has stopped suddenly. Since then, technology has become more and more present, so the problem has worsened. In 2015, those same hackers were able to remotely control a Jeep Cherokee—steering, braking, and accelerating—if the car was going at very low speeds. The firm ended up temporarily withdrawing 1.4 million vehicles to solve the problem. In 2016 things got serious: they could do it regardless of speed.
Things are getting worse. That famous hack made the threat apparent, but from time to time experts remind us how far things can go. In late 2022, a researcher named Sam Curry evaluated the cybersecurity of various manufacturers and telematics systems and discovered vulnerabilities and security holes everywhere.
Remote-controlled motors. Remote services that let us check the status of the car or turn on the heating or air conditioning before use are a good example of these risks. Curry demonstrated how Acura, Honda, Infiniti, Kia or Nissan cars can be hacked by someone who has their identification number. With it, it would be possible to locate and unlock these cars, start them, stop them or sound their horns.
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.
To explain how it worked and how we found it, we have @_specters_ as our mock car thief: pic.twitter.com/WWyY6vFoAF
— Sam Curry (@samwcyo) November 29, 2022
Telematic nightmares. Services such as LoJack offer useful connectivity solutions for remote access to data from our vehicle, but this researcher detected multiple security holes that would allow hackers to gain “full admin access to the company-level admin panel and the ability to send arbitrary commands to an estimated 15.5 million vehicles (open, start, disable starter), locate them or update their firmware.”
Departed. The problems affect the cars, but also the internal systems of the manufacturers. Curry was able to infiltrate those of Mercedes-Benz, BMW and Rolls-Royce and access sensitive information and even GitHub repositories or chat rooms used by employees of these companies.
The manufacturers know it (and are reacting). Ars Technica contacted the manufacturers and there is some reassuring news: they are all aware of the problems described by Curry in his report, and there are solutions in development and, in some cases, patches to cover these vulnerabilities. No vehicles or accounts are known to have been affected, but it is clear that these threats will grow in the future and that efforts to prevent these problems are needed as well.