We have been talking about hacking cars on this blog since 2011 (see posts) so the idea of thieves stealing a car by hacking their way into its computer system is no big surprise. This is the reality of cybersecurity in the era of the Internet of Things (IoT), and cars are just one more IoT device. But 100 cars? How did they pull that off?
2016 Hacking Theft of 100+ Jeeps and Dodges
I recently did a series of Fox News Radio interviews to discuss a case where two thieves were caught after stealing over 100 in the Houston, Texas area using only a laptop. Stop and think about that for a moment. Over 100 cars — with a laptop.
At first, the police did not know how the thieves were pulling off the thefts until a home surveillance video surfaced that showed them approaching a Jeep with a laptop computer and then, 6 minutes later, starting the Jeep and backing it out of the driveway.
Have you ever lost the key to your car? Of course, we all have. In the old days, when you lost your keys, you could go to your local dealership which was able to pull up codes to make a new key. Now that cars rely on computers and digital key fobs instead of keys, instead of having codes for keys, they have the codes to re-create the digital key fob that provides access to open and start the car.
In this case, the thieves had obtained access to the database of security codes for Dodge and Jeep vehicles and that information, with a laptop computer, allowed them to clone the owner’s key fob that gave them full access to the car in 6 minutes. Because of how efficient this was, the thieves were able to steal over 100 cars this way. Read more: Police: Laptop used to reprogram, steal more than 100 cars We do not yet know how they gained access to this database but my guess would be social engineering or insider misuse at the dealer/shop level. We shall see …
2015 Chrysler / Jeep Hacking Demo & Recall
This publicity is not good for Chrysler / Jeep, especially in light of its 2015 recall of over 1.4 million vehicles because of cybersecurity issues.
The recall came about after security researchers did a demonstration at Black Hat 2015 where they showed how they could hack their way into a Jeep Cherokee by first gaining access to its onboard wifi which had a predictable default password. Once they figured out the password, they used that as an intrusion point and made their way through the vehicle’s various systems until finally gaining access to its CAN Bus. The CAN Bus was the key to the kingdom that allowed them to control everything — all over the Sprint cellular network. Read more: Black Hat USA 2015: The full story of how that Jeep was hacked
2016 Defcon Tesla Demo
At the 2016 DefCon conference, researchers demonstrated how they were able to hack into a Tesla’s onboard computer system and overwhelm the vehicle’s crash-avoidance sensors. These sensors are designed to avoid hitting objects and, instead, they were able to trick them into causing the vehicle hit them what it was supposed to avoid. While this was not done under “real world conditions” the reality is, they showed that it could be done. Now, people with nefarious intent can start working backwards to figure out how to make devices that jam these sensors on vehicles and potentially cause massive accidents. See Hackers show how they tricked a Tesla into hitting objects in its path
What Does This Mean?
The Black Hat demo was a real “hack” in the truest sense of the word and exposed a legitimate flaw in the design of the vehicles. The Houston theft ring technique was different. It did not expose what is necessarily a flaw in the vehicle itself as much as it exposed a flaw in the manner in which critical information related to the vehicles — and virtually all others — is stored and accessed. This is not unique to Chrysler / Jeep / Dodge and is no more related to the 2015 hacking demo and recall than it would be to any other manufacturer though you can bet people will make the connection anyway.
With the Houston theft ring example, we see a need for better data security by the auto industry as a whole as well as the automobile manufacturers and dealers to protect and control access to databases of information that provide this kind of access to cars. Since cars first came with keys, people have lost keys and needed a way to re-gain access to and the ability to drive their cars.
Now that we are in a digital era, that has not changed. People will continue to need this kind of access and will expect manufacturers and dealers to be able to provide it. Unfortunately, criminals — now cyber criminals — know this and will take advantage of it. As I always say, cybercrime is simply the old tricks being done with new technology that allows the criminals to do it more efficiently and effectively.
For the examples of the sophisticated hacks into the 2016 Tesla and the 2015 Chrysler / Jeeps, this is the new normal. Much like the old Ralph and Sam cartoons, hackers and security professionals will play a continuous game to see which can outsmart the other. This will be a continuous match that is the reality of cybersecurity today. Cybersecurity defense is an ongoing process that is never complete — not for you, not for your business, not for our country, not for our world.
Welcome to the new normal.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.