automotive hacking


Automotive hacking is the exploitation of vulnerabilities within the software, hardware, and communication systems of automobiles.

Overview

Modern automobiles contain hundreds of on-board computers processing everything from vehicle controls to the infotainment system. These computers, called electronic control units (ECUs), communicate with each other through multiple networks and communication protocols, including the Controller Area Network (CAN) for vehicle component communication such as connections between engine and brake control; Local Interconnect Network (LIN) for cheaper vehicle component communication such as between door locks and interior lights; Media Oriented Systems Transport (MOST) for infotainment systems such as modern touchscreen and telematics connections; and FlexRay for high-speed vehicle component communications such as active suspension and active cruise control data synchronization. Petit, J., & Shladover, S. E. (2015). [https://www.researchgate.net/profile/Jonathan_Petit/publication/266780575_Potential_Cyberattacks_on_Automated_Vehicles/links/543bb4150cf24a6ddb978a28/Potential-Cyberattacks-on-Automated-Vehicles.pdf Potential cyberattacks on automated vehicles]. IEEE Transactions on Intelligent Transportation Systems, 16(2), 546-556. doi:10.1109/TITS.2014.2342271

Additional consumer communication systems are also integrated into automobile architectures including Bluetooth for wireless device connections, 4G Internet hotspots, and vehicle Wi-Fi.{{cite web |title=Car renters beware: Bluetooth use can reveal your private data |url=https://eu.usatoday.com/story/money/cars/2018/01/30/car-renters-beware-bluetooth-use-can-reveal-your-private-data/1080225001/ |website=USA Today |access-date=23 March 2021}}

The integration of these various communications and software systems leaves automobiles vulnerable to attack. Security researchers have begun demonstrating the multitude of potential attack vectors in modern vehicles, and some real-world exploits have resulted in manufacturers issuing vehicle recalls and software updates to mobile applications.

Manufacturers, such as John Deere, have used computer systems and Digital Rights Management to prevent repairs by vehicle owners or third parties, and to prevent the use of aftermarket parts. [https://www.eff.org/de/deeplinks/2015/04/automakers-say-you-dont-really-own-your-car Automakers Say You Don’t Really Own Your Car] on eff.org (April 2015) Such limitations have prompted efforts to circumvent these systems, and increased interest in measures such as the Motor Vehicle Owners' Right to Repair Act.

Research

In 2010, security researchers demonstrated how they could create physical effects and undermine system controls by hacking the ECU. The researchers needed physical access to the ECU and were able to gain full control over any safety or automotive system including disabling the brakes and stopping the engine. Koscher, K., Czeskis, A., Roesner, F., Patel, S., Kohno, T., Checkoway, S., ... & Savage, S. (2010, May). [http://feihu.eng.ua.edu/NSF_CPS/year1/w9_1.pdf Experimental security analysis of a modern automobile]. In Security and Privacy (SP), 2010 IEEE Symposium on (pp. 447-462). IEEE.

In a follow-up research paper published in 2011, researchers demonstrated that physical access is not even necessary. The researchers showed that “remote exploitation is feasible via...mechanics tools, CD players, Bluetooth, cellular radio...and wireless communication channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft”. Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., ... & Kohno, T. (2011, August). [http://static.usenix.org/events/sec11/tech/full_papers/Checkoway.pdf Comprehensive Experimental Analyses of Automotive Attack Surfaces]. In USENIX Security Symposium. This means that a hacker could gain access to a vehicle's vital control systems through almost anything that interfaces with the automobile's systems.

Recent exploits

= 2015 Fiat Chrysler UConnect Hack =

UConnect is Fiat Chrysler's Internet-connected feature that lets owners control the vehicle's infotainment/navigation system, sync media, and make phone calls. It even integrates with the optional on-board WiFi.{{Cite web|url=http://www.autotrader.com/car-tech/what-is-chrysler-uconnect-215353|title=Autotrader - page unavailable|website=www.autotrader.com}}

However, vulnerabilities in Fiat Chrysler's UConnect system, available on over 1.4 million cars, allow hackers to scan for cars with the system, connect and embed malicious code, and ultimately commandeer vital vehicle controls like steering and brakes. Greenberg, A. (2015, July 21). [https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ Hackers Remotely Kill a Jeep on the Highway-With Me in It]. Retrieved August 6, 2015.

= 2015 Tesla Model S Hack =

In 2015 at the DEF CON hacking conference Marc Rogers and Kevin Mahaffey demonstrated {{Cite web|url=https://www.youtube.com/watch?v=KX_0c9R4Fng/|title=DEF CON 23 - Marc Rogers and Kevin Mahaffey - How to Hack a Tesla Model S|website=YouTube.com|date=2 December 2015 }}{{Cite web|url=https://www.youtube.com/watch?v=8oXYQAKEUPg/|title=Bloomberg:Tesla Model S Gets Hacked by Professionals|website=YouTube.com|date=10 August 2015 }} how a chain of exploits could be used to take complete control of the Model S. Marc Rogers and Kevin Mahaffey identified several remote and local vulnerabilities that could be used as entry points. They demonstrated that after exploitation the vehicle could be remotely controlled with an iPhone.{{Cite web|url=https://www.hollywoodreporter.com/news/security-experts-reveal-how-a-814062/|title=Security Experts Reveal How a Tesla Model S Was Hacked|website=hollywoodreporter.com|date=7 August 2015 }} Finally, they also demonstrated that it was possible to install a backdoor that allowed persistent access and control of the vehicle in a similar fashion to exploit techniques more usually associated with traditional computer systems. Marc Rogers and Kevin Mahaffey worked with Tesla, Inc. to resolve the issues before disclosure. It was announced before the presentation that the entire global fleet of Model S cars had been patched overnight, the first proactive mass Over The Air (OTA) security update of vulnerable vehicles.{{Cite magazine|url=https://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/|title=Researchers Hacked a Model S, But Tesla's Already Released a Patch|website=wired.com |last1=Zetter |first1=Kim }}{{Cite web|url=https://www.npr.org/sections/alltechconsidered/2015/08/06/429907506/tesla-model-s-can-be-hacked-and-fixed-which-is-the-real-news/|title=Tesla Model S Can Be Hacked, And Fixed (Which Is The Real News)|website=npr.com}}

= General Motors OnStar RemoteLink App =

The OnStar RemoteLink app lets users access OnStar capabilities from their Android or iOS smartphones. The RemoteLink app can locate, lock and unlock, and even start the vehicle.{{Cite web|url=https://www.onstar.com/us/en/mobile_app/?source=ct|title=Mobile App|website=www.onstar.com}}

The flaw in General Motors’ OnStar RemoteLink app, while not as extreme as UConnect, allows hackers to impersonate the victim in the eyes of the RemoteLink app. This means that the hackers can access all of the features of the RemoteLink app available to the victim including locating, locking and unlocking, and starting the engine. Finkle, J., & Woodall, B. (2015, July 30). [https://www.reuters.com/article/gm-hacking/update-1-researcher-says-can-hack-gms-onstar-app-open-vehicle-start-engine-idUSL1N10A3XK20150730 Researcher says can hack GM's OnStar app, open vehicle, start engine]. Retrieved August 27, 2015.

= Keyless entry =

{{Further|Relay attack}}

The security researcher Samy Kamkar has demonstrated a device that intercepts signals from keyless-entry fobs and would allow an attacker to unlock doors and start a car's engine.{{Cite web|url=https://www.npr.org/sections/alltechconsidered/2018/02/23/583682220/this-gray-hat-hacker-breaks-into-your-car-to-prove-a-point|title=This 'Gray Hat' Hacker Breaks Into Your Car — To Prove A Point|website=NPR.org}}

= "USB" entry =

{{Further|Kia Challenge}}

Kia back windows can be broken without setting off an alarm, and Hyundai vehicles are similar.{{cite web |title=Milwaukee Might Sue Kia Because Of Excessive Thefts |url=https://carbuzz.com/news/milwaukee-might-sue-kia-because-of-excessive-thefts |website=CarBuzz |access-date=9 December 2022 |language=en-us |date=11 December 2021}}

Since 2021,{{cite news |title=Hyundai, Kia Take Action after Cars Become Theft Targets in Milwaukee |url=https://www.caranddriver.com/news/a38491394/hyundai-kia-thefts-milwaukee-action/ |access-date=9 December 2022 |work=Car and Driver |date=11 December 2021 |language=en-us}}{{cite web |title=Milwaukee car thieves are crazy for Hyundais and Kias |url=https://www.autoblog.com/2021/12/13/milwaukee-stolen-cars-hyundai-kia/ |website=Autoblog |date=13 December 2021 |access-date=9 December 2022 |language=en}}{{cite web |title=Hyundai, Kia models at higher risk of theft, and of course it's on TikTok |url=https://www.autoblog.com/2022/08/02/hyundai-kia-thefts-tiktok/ |website=Autoblog |date=2 August 2022 |access-date=9 December 2022 |language=en}} videos on social media{{cite web |author1=Tommy G |title=Kia Boys Documentary (A Story of Teenage Car Theft) |date=31 May 2022 |url=https://www.youtube.com/watch?v=fbTrLyqL_nw |publisher=youtube |access-date=9 December 2022 |language=en}}{{cite web |title=Milwaukee Police Investigate 'Kia Boys' YouTube Documentary |url=https://patch.com/wisconsin/milwaukee/milwaukee-police-investigate-kia-boys-youtube-documentary |website=Patch.com |access-date=9 December 2022 |location=Milwaukee, WI |language=en |date=3 June 2022}}{{cite web |last1=Jannene |first1=Jeramey |title=Interviewing The 'Kia Boyz' |url=https://urbanmilwaukee.com/2022/06/07/interviewing-the-kia-boyz/ |website=Urban Milwaukee |access-date=9 December 2022 |language=en}} have shown thefts of post-2010 Kia vehicles and post-2014 Hyundai vehicles that lack engine immobilizers, carried out with a USB 1.1 A plug cable or pliers.{{cite web |last1=Stumpf |first1=Rob |title=How Thieves Are Stealing Hyundais and Kias With Just a USB Cable |url=https://www.thedrive.com/news/how-thieves-are-stealing-hyundais-and-kias-with-just-a-usb-cable |website=The Drive |access-date=9 December 2022 |language=en |date=2 August 2022}}{{cite news |title=TikTok 'Kia Challenge' fuels St. Pete spike in Kia and Hyundai auto thefts |url=https://www.tampabay.com/news/crime/2022/07/28/tiktok-kia-challenge-fuels-st-pete-spike-in-kia-and-hyundai-auto-thefts/ |access-date=9 December 2022 |work=Tampa Bay Times |language=en}}{{cite web |title=3 Ways to Hotwire a Car |url=https://www.wikihow.com/Hotwire-a-Car |website=wikiHow |access-date=9 December 2022 |language=en}}{{cite web |last1=Anderson |first1=Brad |title=This Is How Easy It Is To Steal A Hyundai Or Kia With A USB Cable |url=https://www.carscoops.com/2022/10/this-is-how-easy-it-is-to-steal-a-hyundai-or-kia-with-a-usb-cable/ |website=Car Scoops |access-date=9 December 2022 |date=October 11, 2022}}{{cite news |title=Hyundais and Kias make up 68% of stolen cars this year in Milwaukee |url=https://www.tmj4.com/news/local-news/hyundais-and-kias-make-up-68-of-stolen-cars-this-year-in-milwaukee |access-date=9 December 2022 |work=WTMJ-TV |date=23 September 2021 |language=en}}{{cite news |last1=Hughes |first1=Elliot |title=Worried about your Kia or Hyundai getting stolen? Milwaukee police are handing out steering wheel locks |url=https://www.jsonline.com/story/news/crime/2021/05/07/milwaukee-police-giving-away-steering-wheel-locks-kia-hyundai-owners/4987762001/ |access-date=9 December 2022 |work=Journal Sentinel |location=Milwaukee}}{{cite news |last1=Schmidt |first1=Rose |title=St. Paul PD: Kia thefts up 1,300%, Hyundai thefts up 584% in 2022 |url=https://www.fox9.com/news/st-paul-pd-kia-thefts-up-1300-hyundai-thefts-up-584-in-2022 |access-date=9 December 2022 |work=FOX 9 |date=18 July 2022}}{{cite news |title=Car thieves using old trick to steal Hyundais, Kias in Columbus |url=https://www.10tv.com/article/news/crime-tracker/car-thieves-using-old-trick-steal-hyundais-kias-in-columbus/530-8b443afe-a52d-46f4-9428-d9c455b3a51a |access-date=9 December 2022 |work=10tv.com |date=January 11, 2022}} Kia started installing immobilizers in 2022.{{cite web |last1=Jewett |first1=Abraham |title=Kia class action alleges defect makes vehicles easy to steal |url=https://topclassactions.com/lawsuit-settlements/consumer-products/auto-news/kia-class-action-alleges-defect-makes-vehicles-easy-to-steal/ |website=Top Class Actions |access-date=9 December 2022 |language=en |date=8 August 2022}}

= 2022 CAN injection: keyless car theft =

Using a fake device sold on the dark web, thieves were able to steal vehicles by forcing the headlamps open to access the CAN bus and, once on the bus, simulating the signals that start the vehicle. The exploit requires enough time and privacy for thieves to remove vehicle hardware, sometimes bumpers, in order to open the headlights. [https://kentindell.github.io/2023/04/03/can-injection/ CAN injection: keyless car theft] by Dr. Ken Tindell, CTO of Canis Automotive Labs, 4-3-2023. Possibly the only way to prevent this kind of event by determined and knowledgeable thieves would be for car designers to encrypt traffic on the CAN bus.
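The paragraph above names cryptographic protection of CAN traffic as the countermeasure. The following added example (not taken from the cited article or from any manufacturer's code) shows a closely related technique, frame authentication with a freshness counter rather than encryption: a receiver holding a shared key rejects frames that a device spliced onto the bus injects, alters or replays. The key, the CAN ID 0x123, the payload layout and the 4-byte truncated tag are all assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # truncated tag: a classic CAN frame carries only 8 payload bytes


def make_tag(key, can_id, counter, data):
    """MAC over the arbitration ID, the full freshness counter and the data."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def frame(self, data):
        # Assumed payload layout: data | low byte of counter | 4-byte tag
        if len(data) > 8 - 1 - MAC_LEN:
            raise ValueError("data does not fit beside counter and tag")
        self.counter += 1
        tag = make_tag(self.key, self.can_id, self.counter, data)
        return data + bytes([self.counter & 0xFF]) + tag


class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, can_id, payload):
        if can_id != self.can_id or not 1 + MAC_LEN <= len(payload) <= 8:
            return False
        data, low, tag = payload[:-1 - MAC_LEN], payload[-1 - MAC_LEN], payload[-MAC_LEN:]
        # Full counter = smallest value above the last accepted one with this low byte.
        nxt = self.last + 1
        counter = nxt + ((low - nxt) % 256)
        if not hmac.compare_digest(tag, make_tag(self.key, can_id, counter, data)):
            return False  # injected, altered or replayed frame
        self.last = counter
        return True


def demo():
    key = bytes(range(16))  # constructed key for the example
    tx, rx = Sender(key, 0x123), Receiver(key, 0x123)  # 0x123: made-up CAN ID
    genuine = tx.frame(b"\x01")
    forged = b"\x01\x01" + make_tag(b"guessed key", 0x123, 1, b"\x01")
    return [rx.accept(0x123, f) for f in (forged, genuine, genuine, tx.frame(b"\x00"))]
```

`demo()` feeds the receiver a forged frame, a genuine frame, a replay of that genuine frame and the next genuine frame, in that order.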

= 2024 Remotely control Kia cars through license plate =

On June 11, 2024, a group of researchers led by Sam Curry discovered a vulnerability in Kia’s web portal that allowed them to reassign control of the internet-connected features of any Kia vehicle manufactured after 2013.{{Cite web |date=2024-09-20 |title=Hacking Kia: Remotely Controlling Cars With Just a License Plate |url=https://samcurry.net/hacking-kia |access-date=2025-02-27 |website=samcurry.net |language=en}} Although the vulnerability didn't permit the group to interact with the car’s driving systems, they built a custom application to target this vulnerability that enabled them to scan any “connected” vehicle’s license plate and track the car’s location, unlock the car, honk its horn, or start its ignition, all on command.{{Cite news |last=Greenberg |first=Andy |title=Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug |url=https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/ |access-date=2025-02-27 |work=Wired |language=en-US |issn=1059-1028}}{{Cite web |last=Arntz |first=Pieter |date=2024-09-27 |title=Millions of Kia vehicles were vulnerable to remote attacks with just a license plate number |url=https://www.malwarebytes.com/blog/news/2024/09/millions-of-kia-vehicles-were-vulnerable-to-remote-attacks-with-just-a-license-plate-number |access-date=2025-02-27 |website=Malwarebytes |language=en}} These kinds of vulnerabilities are not new and have occurred in cars built by other manufacturers such as Acura, Genesis, and others. While the web portal vulnerability for Kia was quickly patched, the same group of researchers found similar vulnerabilities in multiple other car manufacturers, including but not limited to Ferrari, BMW, Rolls Royce, Porsche, and Toyota.{{Cite web |date=2023-01-03 |title=Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More |url=https://samcurry.net/web-hackers-vs-the-auto-industry |access-date=2025-02-27 |website=samcurry.net |language=en}}

The team exploited the Kia web portal vulnerability by leveraging API weaknesses in both the dealer and owner websites. They began by registering on the Kia Connect dealer website using a legitimate registration link sent to customers. By analyzing the back-end API communication, they discovered that Kia’s systems inadequately authenticated users in the dealer system. Using this knowledge, they manipulated HTTP requests, modifying headers and tokens to simulate authorized dealer credentials. With the dealer credentials and access token, they were able to find information related to a car’s VIN by accessing the dealer API gateway endpoint, which is essentially an API for dealership functionality. The HTTP response returned when using the token gave access to the vehicle owner's name, phone number, and email address.

After gaining access to the personal information, the researchers escalated their access to the owner portal by replacing the email associated with a vehicle owner’s account. This step added the attackers as secondary users without alerting the original owner, enabling control over the vehicle. They then sent commands such as unlocking doors, starting engines, or tracking vehicle locations by issuing properly formatted API calls. Due to the lack of notification systems, the researchers were able to do all of this without the owner of the vehicle ever knowing.
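The two paragraphs above describe three missing server-side controls: the dealer role was not verified, owner data was returned for any VIN, and a secondary user could be attached to a vehicle without the owner being told. The following added example (not Kia's code and not from the researchers' write-up) sketches those checks on an in-memory model. Every token, e-mail address, dealer ID, header name and the VIN placeholder is constructed for the illustration.

```python
SESSIONS = {  # constructed server-side store: token -> (user, role, dealer id)
    "tok-dealer": ("desk@dealer7.example", "dealer", "D7"),
    "tok-alice": ("alice@example.test", "owner", ""),
    "tok-selfreg": ("sam@example.test", "owner", ""),
}

def new_car():  # constructed vehicle record
    return {"vin": "VIN-PLACEHOLDER-0001", "owner": "alice@example.test",
            "dealer": "D7", "users": set(), "pending": set()}

def principal(headers):
    """Identity and role come from the server's record for the token only."""
    record = SESSIONS.get(headers.get("Authorization"))
    if record is None:
        raise PermissionError("unknown token")
    return record

def lookup_owner(headers, car):
    _, role, dealer = principal(headers)
    if role != "dealer" or dealer != car["dealer"]:
        raise PermissionError("not the dealer of record for this VIN")
    return car["owner"]

def request_access(headers, car, email, outbox):
    user, role, dealer = principal(headers)
    if user != car["owner"] and (role, dealer) != ("dealer", car["dealer"]):
        raise PermissionError("requester has no relationship to this VIN")
    car["pending"].add(email)  # nothing is granted yet
    outbox.append((car["owner"], f"{user} asked to add {email} to {car['vin']}"))

def approve_access(headers, car, email):
    user, _, _ = principal(headers)
    if user != car["owner"] or email not in car["pending"]:
        raise PermissionError("only the owner can approve a pending request")
    car["pending"].remove(email)
    car["users"].add(email)

def send_command(headers, car, command):
    user, _, _ = principal(headers)
    if user != car["owner"] and user not in car["users"]:
        raise PermissionError("not an authorised user of this vehicle")
    return f"{command} queued for {car['vin']}"

def denied(call, *args):
    """True when the call is refused with PermissionError."""
    try:
        call(*args)
    except PermissionError:
        return True
    return False
```

A request from the self-registered account that adds a client-chosen role header (for instance `{"Authorization": "tok-selfreg", "X-Role": "dealer"}`) is refused by every function, because `principal` never reads the role from the request.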
