Cyber Vehicle Hacks Impact Our Safety On & Off The Road

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s part three of a four-part “cyber impact” blog series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, takes a look under the hood at some of the potential cyber risks that exist with our vehicles – ranging from the key fobs we use and the navigation systems we rely on to what can happen with certain parts in the supply chain (as in before it’s manufactured and we get a chance to drive it off the lot).

He shares his perspective on what we need to look for when buying a new or used car or truck and some of the steps that are being taken to protect us, so we don’t get taken for a ride!

By David Dungan

As cars become more technologically advanced, the potential for cyberattacks on vehicles is rising at a rate that might surprise you.

In 2024, the automobile industry experienced a significant rise in cyberattacks with more than 400 reported incidents recorded, amounting to an increase of 39 percent compared to 2023. And not unlike the damage that occurs with a car crash, the impact of these incidents is devastating, affecting millions of vehicles, fleets, and mobility services. What’s more, the crimes that are committed range from vehicle theft, malware, and location tracking to car system manipulation impacting vehicle control and disrupting a service business to data privacy breaches.

Add to that, with digital dashboards replacing traditional instrument clusters, the advent of self-driving cars, and the growing demand for state-of-the-art electric vehicles, drivers need to be informed of the risks associated with the vehicles we’re driving.

In many passenger vehicles, the most vulnerable components include:

• Key fobs

• Embedded vehicle systems

  • Telematics

  • Navigation

  • Infotainment

• Wi-fi Connections

• Storage devices

Key Fob Vulnerabilities

Wireless transmissions from vehicle key fobs are susceptible to interception. Threat actors may relay these signals using wireless transmitters and gain unauthorized access to vehicles. With key fobs and a few inexpensive tools, cars can easily be started or hotwired. Key fobs should be stored in safe locations and drivers should be aware of any suspicious activities that’s occurring near your vehicles.

Embedded System Exploits

Embedded systems, such as infotainment and navigation, are vulnerable to cyberattacks. Threat actors can hijack vehicle location information and access stored data. Mobile devices connected to vehicles via Bluetooth can introduce additional attack vectors. Threat actors can also take over and compromise electronic control units (ECUs), which manage the telematics (vehicle monitoring and automatic safety measures), via connected smartphones. Embedded systems also pose a significant risk through several avenues to vehicles and drivers’ confidential data. For example, attackers may exploit vulnerabilities to manipulate and access sensitive data, like contacts or saved/frequented addresses, without the user being aware of any potential danger.

Supply Chain Risks

Another risk for luxury car models is the supply chain. Tech products produced in Russia and China have caused privacy concerns in some vehicles. According to the US Department of Commerce, vehicles that include Chinese tech products are considered national security risks. Some suppliers ship products that are inherently vulnerable to cyberattacks. Russian state-sponsored attackers have exploited back doors in Automated Driving Systems to control vehicles and their embedded functions remotely. Additionally, Russian products enable data compromise and continuous monitoring of drivers’ information. The Department of Commerce issued a mandate to restrict the use of Russian and Chinese components in vehicles, with compliance required by 2027.

Cyberattacks: It’s Happened

In 2022, luxury car models from manufacturers including Mercedes-Benz, Porsche, and BMW suffered attacks that enabled remote code execution. Threat actors sent malicious commands to these vehicles to remotely start or stop vehicles, lock and unlock car doors, intercept navigation and location data, and compromise personal information within a vehicle’s storage system. Thankfully, these attacks were identified early through security monitoring. Because of this proactive response, security patches were deployed to ensure the user’s safety and prevent exploitation.

Wi-Fi and Cellular Network Risks

In some instances, in-vehicle Wi-fi systems have been exploited at close range. Researchers affiliated with the FBI studied several unnamed models of cars over a two-year period and discovered that exploits and remote control of the Electronic Control Unit (ECU) were possible using the car’s Wi-Fi connection from a range of 100 feet. The experiment also showed that vehicles could be compromised through cellular service from anywhere on the carrier’s network.

Because these issues are massive security concerns, vehicle manufacturers have diligently deployed patches. Car owners should regularly check for recalls according to their vehicle identification number (VIN) to keep their systems up-to-date and safe from cyber threats.