
Roadshow: New study shows just how bad vehicle hacking has gotten

By Kyle Hyatt, Roadshow

Published in Automotive News

For many people around the world, a large portion of their lives is lived online. They conduct business, maintain personal relationships, manage their money, buy stuff and even get their car news using the internet.

This has been amazing for convenience, but that convenience has outpaced security, and so we hear about companies being hacked on a near-daily basis. The problem is now spilling over into our vehicles, which have become increasingly attractive targets to hackers as they've gotten more technologically sophisticated.

We've covered vehicle hacks and vulnerabilities before, along with manufacturer "bug bounty" programs that encourage so-called "white hat" hackers to report their findings in exchange for a financial reward rather than exploit them for other personal gain. What we've lacked has been a more complete picture of just how bad car hacking has gotten, but thanks to a report by Israeli firm Upstream.auto, now we've got one.

So, just how bad is it? Well, according to Upstream's report, there were only around 150 incidents in 2019, which isn't good, but it's not like we're experiencing the automotive equivalent of the end of the 1995 film "Hackers." However, that represents a 99 percent increase in cybersecurity incidents in the automotive space in the last year. Even worse, the industry has experienced 94 percent year-over-year growth in hacks since 2016.

Those 150 or so incidents vary a great deal in the number of people they affect. For example, a breach in February targeted systems in some of the U.S. Army's troop carrier vehicles. A month later, Toyota announced a breach that exposed the data of 3.1 million of its customers.

Bug bounties are a large part of what vehicle manufacturers and suppliers are doing to help combat hacking. Nevertheless, only 38 percent of reported security incidents are the work of bounty-hunting white hat hackers. Black hats (aka the bad guys) are still responsible for 57 percent of incidents, while 5 percent are perpetrated by "other" parties.

Some bug bounty programs have been more effective than others. Uber, for example, has 1,345 resolved bug reports and has paid out more than $2.3 million. Whether that's good or bad depends on your stance: it also means Uber had almost 1,400 vulnerabilities in its software, while Toyota has only 349 resolved bug reports. Tesla has had good luck with its program, with white hats finding several vulnerabilities in the Model S key fob that allowed it to be hacked in seconds.

If Tesla's fobs were so vulnerable, how many other vehicles are being accessed through keyless entry systems? A lot. The largest share (29.6 percent) of these cyberattacks use the key fob to gain access. Company servers are a close second at 26.4 percent. Vehicle mobile apps represent around 12.7 percent of the hacks, with OBDII ports and infotainment systems rounding out the top five.

The worrying thing about these attacks is that 82 percent of them occur remotely, meaning that the hacker doesn't need to physically be inside the vehicle to do his or her dirty work. There are short-range remote hacks, like the Tesla key fob hack, where the hacker needs to be within a few meters of the car to break the fob's weak encryption, and there are long-distance hacks that can be perpetrated from anywhere.

Remote hacks are tough to defend against as an end user, so we're often left at the mercy of car companies and suppliers to find and fix the problems before something terrible happens. But as we have seen in Upstream's report, they could be doing a better job of it.

Visit the Roadshow at Roadshow.com

(c) 2019 CBS Interactive Inc., a CBS Company. All rights reserved. Distributed by Tribune Content Agency, LLC.