Not too long ago, car thieves relied on brute force methods—smashing windows, picking locks, and hotwiring ignitions. Today, as our vehicles have become rolling 2-ton computers, the modern car thief doesn’t need a crowbar. Instead, all they may need is a laptop and an internet connection.

This shift from physical to digital vulnerability isn’t just changing how cars are stolen; it’s revolutionizing the entire concept of automotive security. Let’s take a journey through this transformation and explore what it means for drivers, manufacturers, and the future of transportation.

Connected Cars: A Mixed Blessing

Today’s vehicles are feats of technology; with more lines of code than a passenger jet, they offer unprecedented levels of comfort, convenience, and safety. Your car can now read your emails, guide you around traffic obstacles, and even park itself at your command. But this connectivity comes at a price.

According to an article in Wired, backed up by an article in MIT Technology Review, the average new car contains over 100 million lines of code, similar to the amount of code that powers a modern fighter jet. By 2030, about 95 percent of new vehicles sold globally will be connected, up from around 50 percent today, claims HTEC. This rapid modernization from wheels to wires has expanded the attack surface for potential cybercriminals.

Every connected car endpoint, from Bluetooth to APIs to mobile apps, represents a potential entry point for attackers. Even common features like infotainment systems can become gateways for bad guys to gain control of key vehicle functions.

Grand Theft Auto: A Fresh Take

The transformation of car theft from a physical to a digital crime became top-of-mind a few years ago when security researchers remotely took control of a Jeep Cherokee, demonstrating their ability to cut the engine and manipulate other critical systems. This wasn’t just a theoretical exercise; it exposed real-world vulnerabilities that could be exploited by hackers.

Since then, the automotive industry has faced a plethora of cyberattacks. Major manufacturers like Honda, Mercedes-Benz, and Nissan have all fallen victim to malicious exploits. A lawsuit filed in California revealed that tens of thousands of Chevrolet Camaros had a critical security flaw in their key fobs, making them easy targets for thieves. This vulnerability, which allows criminals to intercept and replicate the key fob signals, has led to a more than 1,000 percent increase in Camaro thefts in Los Angeles.

Indeed, one of the most significant vulnerabilities in modern vehicles lies in their Remote Keyless Systems (RKS), which operate by transmitting a code from the key fob to the car. While cool and convenient, they’re also susceptible to what’s known as a “retransmission attack.”

In such an attack, a hacker intercepts the radio transmission between the key fob and the car, capturing the unlock code. They can then use this captured code to unlock the vehicle at a time that suits them. It’s the digital equivalent of making a copy of a physical key, but with far less effort and far more potential for mass exploitation.
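The receiver-side difference can be modeled in a few lines. The following is an added example, not code from the original article or from any manufacturer: a simplified simulation with hypothetical class names, a constructed key and code, and an assumed counter-plus-HMAC frame format. It shows why a receiver that accepts a static code also accepts a retransmitted copy (commonly called a replay), while a receiver that tracks a per-press counter rejects it.

```python
import hashlib
import hmac
import struct

class FixedCodeReceiver:
    """Weak design from the text: the fob always sends the same code."""
    def __init__(self, code: bytes):
        self._code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._code)

def _tag(key: bytes, ctr: bytes) -> bytes:
    return hmac.new(key, ctr, hashlib.sha256).digest()[:8]

class CounterFob:
    """Hypothetical fob: every press sends a fresh counter plus a MAC."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def press(self) -> bytes:
        self._counter += 1
        ctr = struct.pack(">I", self._counter)
        return ctr + _tag(self._key, ctr)

class CounterReceiver:
    WINDOW = 16  # assumed tolerance for presses made out of range of the car
    def __init__(self, key: bytes):
        self._key, self._last = key, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        ctr, tag = frame[:4], frame[4:]
        if not hmac.compare_digest(tag, _tag(self._key, ctr)):
            return False  # forged or corrupted frame
        (value,) = struct.unpack(">I", ctr)
        if not self._last < value <= self._last + self.WINDOW:
            return False  # already used (replayed) or implausibly far ahead
        self._last = value
        return True

def demo() -> dict:
    code, key = b"\x13\x37\xc0\xde", b"constructed-demo-key"  # constructed values
    fixed, fob, car = FixedCodeReceiver(code), CounterFob(key), CounterReceiver(key)
    frame = fob.press()  # the single frame an eavesdropper would record
    return {"fixed_first": fixed.accept(code), "fixed_replay": fixed.accept(code),
            "counter_first": car.accept(frame), "counter_replay": car.accept(frame),
            "counter_next": car.accept(fob.press())}
```
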

But individual vehicle theft is just the tip of a much larger problem. The nightmare scenario for automakers and security experts is the potential for large-scale attacks, or attacks on vehicles in motion. Imagine a terrorist or bad actor simultaneously hijacking an entire fleet of vehicles or slamming on the brakes of thousands of electric cars at the same time. The potential for chaos and destruction is staggering.

The Mobile App Quandary

As phones have become extensions of who we are, they’ve also become extensions of our vehicles. Mobile apps now allow us to lock, unlock, start, drive, and even park our cars remotely. While incredibly convenient, these apps also represent a significant security risk if not properly protected.

Cybercriminals can potentially hack and reverse-engineer these apps, manipulate their code, intercept user data via screen overlay attacks, or even take control of vehicle systems. A compromised app could give an attacker the same level of control over your car as they would have if they stole your physical keys—and potentially even more control than that.

APIs: Hidden Highways of Data

Behind the scenes of every connected car is a complex web of APIs (Application Programming Interfaces). They connect vehicles to various online services and databases, enabling features like real-time traffic updates, travel and maintenance information, over-the-air software updates, and remote diagnostics.

However, these APIs can also be exploited by attackers to gain unauthorized access to vehicle systems or sensitive driver/owner data. A vulnerable API could allow a hacker to not just steal your car but also your personal information, driving history, diagnostics and performance data, and more.

Rethinking Automotive Security

The sheer range and complexity of potential attack vectors in modern vehicles demand a fundamentally new approach to security. We can no longer think of car security as simply a matter of steering wheel locks and alarms. Instead, we need to approach it with the same mindset we use for securing a data center.

Thinking differently about automotive security:

  • All-encompassing: Integrate security into every aspect of the vehicle from the ground up, not as an afterthought.
  • Flexible: Ensure security systems are adaptable and updateable to counter evolving threats and new vulnerabilities.
  • Thorough: Extend protection to the entire ecosystem of connected services, including mobile apps, cloud servers, and APIs.
  • Intuitive: Design security measures to be user-friendly and non-intrusive, preventing users from disabling or bypassing them.
  • Long-lasting: Develop security systems to remain effective for a decade or more, adapting to advancing technology.

The Way Forward: Collaborative Automotive Security

Addressing the cybersecurity challenges of connected vehicles requires a collaborative effort across the entire automotive ecosystem. This includes:

  • Manufacturers: Prioritize security in vehicle design and production, protecting all components, from critical systems to sensors, against exploits.
  • Suppliers: Adhere to rigorous security standards to prevent introducing vulnerabilities into vehicles.
  • Developers: Implement robust security measures in automotive apps and services.
  • Regulators: Establish and enforce cybersecurity standards for connected vehicles, such as ISO/SAE 21434, a standard that defines the specific responsibilities for several groups during the multiple stages of automotive product development.
  • Consumers: Keep software updated, use strong passwords, and stay aware of potential risks to maintain vehicle security.

Car Theft Is Now High-Tech

Car theft has evolved from physical break-ins to sophisticated cyberattacks, emphasizing the need for expanded approaches to handling automotive security. Modern vehicles’ connectivity brings both convenience and risks. Deeper collaboration and new solutions are required to integrate robust, flexible, and user-friendly security measures to protect both cars and the people who drive them from harm.