The Rise In Car Thefts Has Experts Searching For Weak Spots
Criminals can exploit everything from a vehicle’s Bluetooth connection to a headlight’s wiring, but white hat hackers are trying to improve security.
(Bloomberg Businessweek) -- In Paris, in a laboratory the size of a walk-in closet, a handful of researchers tinker with the infotainment system of a Tesla. They prod the device, a circuit board they bought on eBay for $400, for weaknesses. To determine which components control which functions, they connect it to an oscilloscope, a machine the size of a heart monitor; various other tools help them extract and analyze data. The fruit of their labor: the ability to send commands wirelessly to a Tesla, remotely opening the doors and the front trunk, cutting the lights and potentially turning the car off—without ever having a key, and even while the car is moving.
The researchers are so-called white hat hackers, working for a French cybersecurity company named Synacktiv that helps probe clients’ computer systems. Tesla Inc. isn’t a client—earlier this year Synacktiv won Pwn2Own, a prominent hacking competition in Vancouver sponsored by Trend Micro Inc.’s Zero Day Initiative, by showing how the security firm could compromise Tesla’s electric vehicles.
Teslas have a reputation of being particularly hard targets for those looking to exploit automotive cybersecurity weaknesses, and are less likely to be stolen than other cars, according to the Highway Loss Data Institute, an organization that analyzes insurance data. Synacktiv’s recent success, though, is a reminder of the constantly shifting ground between those trying to break into cars and those trying to keep them out.
After years of decline, car thefts have been on the rise. In the US, they bottomed out in 2014 and have since risen more than 45%, with total thefts surpassing 1 million in 2022 for the first time since 2007. In the UK, car thefts rose 19% in 2022 alone. That country’s National Crime Agency said in July that one factor was a rise in “electronic compromise thefts,” a category that covers such actions as a thief removing a headlight, then attaching a device that sends commands to unlock a car’s doors and start its engine.
Criminals have also been using a range of devices to intercept signals from keyless fobs to get into cars—and block GPS trackers that would make recovery of stolen vehicles easier. Cybersecurity experts say it’s often hard for victims to know whether such devices were involved in crimes, making the extent of the problem difficult to determine. In the US, the nonprofit National Insurance Crime Bureau has been warning for almost a decade about the criminal use of devices that mimic the function of wireless key fobs. In October 2022, Europol, the European Union’s law enforcement agency, announced it had arrested 31 people across France, Latvia and Spain in an auto theft scheme using devices that spoofed keyless entry systems.
In the UK, officials are considering banning the sale, purchase or possession of equipment that can be used to hack cars, according to local news reports. Some lawmakers are also trying to compel carmakers to harden their defenses. Last year a law went into effect in the EU that requires all new vehicles to undergo a cybersecurity review and automakers to have a plan for identifying and fixing vulnerabilities before the vehicles are sold.
The increased scrutiny is a potential boon for cybersecurity companies like Synacktiv. Tiffany Rad, an independent consultant in the field since 2006, says she’s working with US officials on developing cybersecurity and privacy standards for the transportation industry, focusing on potential requirements for the design stages of automobile manufacturing. “When I started hacking cars, the auto manufacturers didn’t have many cybersecurity concerns,” she says. “Things are very different now.”
A major wake-up call came in 2015, when two researchers had a reporter from a magazine drive a Jeep on a highway in St. Louis, then remotely hijacked it while he was at the wheel. (They also shared their work with FCA US LLC, the company that made the car, and it addressed the vulnerability.) Automakers have added many cybersecurity features since then—the researchers who hacked the Jeep quickly found jobs in the industry—but cars are also adding new potential vulnerabilities as they rely more heavily on computing systems.
Security is an issue throughout the computing industry. But automakers have a particularly tough task, because people tend to hold on to their car for far longer than, say, their smartphone, according to Ken Tindell, chief technology officer of Canis Automotive Labs Ltd., a UK-based automotive security company. “The cars you see are like starlight: They represent the state of the industry not as it is now but many years ago,” he says. “The spike in car thefts today comes from a few technically savvy criminals designing theft devices that are easy for street thieves to use on starlight cars with security weaknesses.”
Some problems can be fixed by requiring vehicle owners to visit dealers for software updates when carmakers discover vulnerabilities, but others are harder to stop. Tindell’s company published a report in April that documented the hack of a Toyota RAV4 stolen last year. He worked with the vehicle’s owner, an independent cybersecurity researcher named Ian Tabor, to discover how the thieves pulled off an attack that involved removing the car’s headlight to gain access to the internal network, through which different parts of the car communicate with one another.
In the weeks leading up to the theft, Tabor had woken up twice to find extensive damage to the vehicle, with the front bumper removed and the headlights’ wiring so badly mangled that they no longer worked. He posted photos on social media, complaining about what he assumed then was mere vandalism. After the theft, the researchers used an app that tracked the vehicle’s onboard telematics to confirm how it was stolen, and they scoured cybercriminal forums, finding hacking tools and instructions for sale that enable automotive attacks. Specific devices targeted vehicles including BMWs, Cadillacs, Hondas, Jaguars and Maseratis.
The researchers bought one such tool, a Bluetooth speaker retrofitted with a small piece of electronics loaded with malicious code and grafted onto the speaker’s circuit board, according to the report. They activated a special chip hidden inside by pressing the play button, sending the car’s system the message to unlock the doors. From there, they could detach the hacking tool, get inside the car and start the engine, according to the report. Canis’ researchers determined that a similar hacking tool was used to steal Tabor’s vehicle. (A Toyota Motor Corp. spokesperson said in an email that the automaker was “continuously working on developing technical solutions to make vehicles more secure” and that such devices should not be available for sale online.)
Synacktiv’s main work consists of conducting “penetration tests” for nonautomotive clients. It decided to focus on Teslas because of the vehicles’ popularity and their reputation for being particularly resistant to cyberattacks. Much of the published security research involving Tesla has involved flaws in cloud services used by owners, not the vehicles themselves. In 2022 a German teen named David Colombo found a weakness in a third-party app that some Tesla owners use to collect and analyze data about their vehicles. It allowed him to access those vehicles’ location history and hijack functions the owners had enabled via the app, including remotely opening and closing the doors and honking the horn.
Synacktiv’s work has exposed serious flaws in the code of the Teslas themselves. They disclosed three vulnerabilities at the Pwn2Own competition in March that allowed them to hijack key security and safety features of the Model 3—including, most dangerously, while the car is moving. To hack the Tesla, Synacktiv’s team needed to be within range of its Bluetooth connection. Without any physical contact with the vehicle, they could then run malicious code directly on the Tesla’s infotainment system and deeper into the vehicle, bypassing the car’s primary cybersecurity protections. (They weren’t able to control the steering wheel or acceleration, which are protected by additional layers of security.)
The company’s demonstration won it a $350,000 prize and a new Tesla Model 3. Tesla didn’t respond to requests for comment, but has been involved in the competition since 2019 and supplied the car that Synacktiv won as a prize, according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. Tesla has long invited ethical hackers to look for flaws in its technology and has had a “bug bounty” program since 2014, according to the automaker’s news releases and public statements.
Tesla has subsequently patched the flaws, according to Synacktiv. The security firm’s researchers say they will likely join next year’s Pwn2Own, but with the security improvements Tesla has made, they are setting expectations low. “Every year it’s gotten more difficult for researchers to do useful and impactful exploits specific to Tesla,” says Vincent Dehors, one of the researchers on Synacktiv’s Tesla hacking team. “We’ll probably participate, but we don’t know if we’ll be able to do something. We think for now that it will be hard—very hard.”
