Is your car at risk of a cyber attack?
The new digital technologies in cars make our lives easier, but they can also create vulnerabilities for hackers to exploit. We explain the risks and how to protect yourself...
Cars are smarter than ever. Many can now let you do everything from dictating text messages to helping you find available parking spaces as you approach an unfamiliar city. There’s a potential downside to all this technology that you might not have considered, though: as soon as you use the sat-nav or Bluetooth or link your smartphone to your car, you’re automatically sharing a lot of information with it. And that information could be open to abuse or theft.
Many new cars are also ‘connected’, which means they’re fitted with technology that uses the internet to allow you to access a wide range of information and control functions from your smartphone. There are already more than two million connected cars in the UK, and research by Statista suggests this number will increase fivefold to almost 8.6 million by next year.
Owners of these cars can use a smartphone app to do anything from unlocking the doors to controlling the heating and booking the car for a service. The cars might also connect to a concierge service so that you can ask for directions to the nearest restaurant or parking area. While these are great for convenience, the consequences could be serious if criminals hack into them.
Business users also need to be conscious of the danger of cyber criminals hacking into the microphones in their cars to hear what’s happening inside. The electronic systems in modern cars also collect and store data, both from your smartphone and about your driving habits.
For example, if you want to call someone in your phone’s contacts list, this data is usually downloaded onto the car’s system. To save you the hassle of inputting your home address into the sat-nav in order to check for delays on the way home, some cars can also collect data about your regular journeys and tell you the expected travel time as soon as you get in. If cyber criminals gain access to this personal data, they could sell it or use it to blackmail you. They could even use ransomware to lock you out of your car or prevent it from being driven until a sum has been paid.
Security risks highlighted
Modern cars have a significant number of vital components that are controlled by software and linked to an onboard computer network. The software in cars was confined to small areas just a decade ago, but the latest models now have millions of lines of code in them. In fact, almost every major component, from the engine to the steering and brakes, is now controlled by electronic technology.
The potential for these systems to be hacked into was highlighted back in 2015 when American security researchers Charlie Miller and Chris Valasek carried out a hack on a Jeep Cherokee. They took advantage of a flaw in the car’s connected infotainment system that enabled anyone with the car’s IP address to access it from anywhere in the same country. They were then able to send commands to the car’s controller area network, enabling them to operate many of its functions – including the steering, engine and brakes.
In response to the hack, Jeep issued a recall for 1.4 million Cherokees worldwide to apply a software patch that removed the vulnerability. And industry insiders say there have been significant improvements in the security of these so-called ‘critical’ car systems since this stunt highlighted the potential problem.
John Sheehy, vice-president for strategy at cyber security and computer services company IOActive, said: “Cyber security in cars has improved over the past five years because car makers have been taking governance of it. They’ve taken on staff and set up programmes to look at potential cyber security issues during the development of new models so that solutions can be put in place before the cars go on sale.
“There has been a significant increase in car maker staff participating in cyber security groups, and that has resulted in a number of improvements in key areas. For example, vehicle network architecture is now being designed to keep the systems that operate the infotainment system separate from those that work within the engine, brakes and so on.”
IOActive published research last year which showed that the number of vulnerabilities in the most important systems in connected cars and the potential for them to be exploited by someone with malicious intent had decreased compared with the previous year. It showed that 10% of vulnerabilities were considered to have a critical impact on security, compared with 25% before. This meant that the number of low and medium-impact issues had increased to 52% of the total.
It also found that the majority of cyber attacks were done locally – meaning by someone with physical access to the vehicle – rather than remotely. That’s a good sign that car makers really are addressing flaws like that discovered on the Cherokee.
The prime area of concern
One of the new challenges for the car industry is to improve the security of low-level systems, such as telematics and infotainment systems, says Sheehy. He believes an industry standard needs to be introduced to ensure that people don’t give away personal data when they sell their car. A recent survey of nearly 600 automotive professionals published by SAE International and the Synopsys Software Integrity Group concluded that the car industry is severely lagging behind on ensuring that internet-connected technologies are secured from existing and emerging cyber threats.
The survey found that 30% of organisations don’t have an established cyber security programme or team and 63% of automotive professionals don’t test the majority of the automotive technology they develop for security vulnerabilities. This suggests that a large number of infotainment systems, telematics, steering systems, cameras and wi-fi and Bluetooth devices that have been incorporated into connected cars so far might not be fully secure from hacking.
“The proliferation of software, connectivity and other emerging technologies in the automotive industry has introduced a critical vector of risk that didn’t exist before,” says Andreas Kuehlmann, senior vice-president of Synopsys. “This study underscores the need for a fundamental shift – one that addresses cyber security holistically across the systems development life cycle and throughout the automotive supply chain.”
Of the 593 automotive professionals who participated in the survey, 71% said the pressure to meet product deadlines didn’t allow them enough time to test their products’ cyber resilience and 62% anticipated that there would be a cyber attack against automotive technology in the next 12 months.
More threats incoming
Another area of concern is the security of the various back-end systems that cars will be talking to, such as app stores and other third-party software that’s being used in cars. The introduction of wireless (or ‘over-the-air’) software updates to cars is a further concern, because car makers will need to ensure that the systems that are delivering the updates are totally secure.
As a growing number of motorists switch to electric vehicles, there’s also the potential for hackers to gain access to the National Grid via charging points. If that were to happen, the hackers could compromise the system and possibly turn off the power in an entire city. This is a concern that’s already being considered by the electricity and charging industries.
The predicted arrival of autonomous driving technology poses even bigger concerns. Not only could whole convoys of vehicles be hacked, but there is also the risk of internet-connected infrastructure being tampered with to create gridlock or even accidents.
What’s being done to protect us?
Let’s not get in a panic; the Government is already working with car industry leaders to develop guidance to protect self-driving cars. It published a cyber security standard last December that it said “should help to improve the resilience and readiness of the industry”.
In America, the annual Automotive Cyber Security Summit has been taking place since 2000 with the aim of combating vulnerabilities in cars. It recently surveyed more than 325 global automotive experts to compile their top cyber-related priorities, challenges and investment plans for 2019, revealing that car makers and parts suppliers will be investing more than $10 million (£7.8 million) in new solutions to the issue over the next 18 months.
What you can do to deter cyber criminals
- Keep in touch with your car’s manufacturer regularly to check whether it has issued software updates or recalls to improve security. Alternatively, you can see if your car has an outstanding recall notice at gov.uk/check-vehicle-recall.
- To minimise the impact if your car and/or sat-nav is stolen, use any security features your sat-nav offers and think about regularly wiping all the data, such as your home address, from the system.
- If your car has built-in wi-fi, never leave the default password on it and never leave a note of the new password inside the car.
- Turn your car’s wi-fi and Bluetooth off when you’re not using them.
- If you download any smartphone apps that will be processing payments for your car, such as road toll fees, make sure they’re password-protected.
- Make sure your smartphone’s operating system and apps are the latest versions; updates are often issued to patch possible security vulnerabilities that can give cyber criminals access to your phone.
- Protect your social media accounts by making sure you’ve activated the privacy settings. With Facebook, avoid public updates and only send posts to your friends. With Twitter, you can’t be as selective.
- Protect your home by making your car’s sat-nav less accurate. If you don’t want cyber criminals to know where you live, instead of setting your home address to your house, consider setting the shortcut to a nearby junction or the closest motorway exit.
What to do if you're selling your car or returning a hire car
- If you’ve paired your phone to the car to access hands-free operation, go into the Bluetooth set-up menu and remove your phone from the paired phones list, as well as deleting your contacts if they’ve been downloaded onto the system.
- Check the car’s manual to find out how to clear all your private data from the infotainment system. It might be listed as a ‘factory reset’ option.
- If your car has web-connected services that bring data from your favourite apps and social networks to the dashboard, disconnect them. If you don’t, other drivers might be able to gain access to your Facebook and Google accounts. To wipe the information, you’ll need to reset the infotainment system to its factory-fresh state.
- If your vehicle has an integrated remote control that you’ve paired with your front gate or garage door, your vehicle is essentially a gigantic key to your house. Check the instruction manuals for your electric gate or garage door for resetting instructions.