How to Hack a Modern Car

Your car is an extraordinary piece of technology. A 2020 model year car will have more than 100 million lines of code, a dozen electronic systems, and an array of sensors. If your vehicle is capable of autonomous driving, those numbers will be much higher.  As the public becomes more aware of cyberattacks and technologically advanced cars, they’re beginning to ask questions. What happens when your car gets hacked? What could that look like? How do we prevent it? 

What happens when your car gets hacked?

Once your car is hacked, a threat actor can do whatever they please. This may include setting off airbags while driving, taking control of your steering wheel, or perhaps ransomware will lock your ignition switch. This isn’t hyperbole. You can watch a demonstration from 2015.  In 2015 two security researchers Charlie Miller and Chris Valasek, successfully hacked into a 2014 Jeep Cherokee. Remotely they were able to turn the steering wheel, disable the breaks, and after the car, with them in it, drove into a ditch to kill the engine. They accomplished this by attacking the infotainment systems Uconnect used in Chrysler vehicles. This demonstration prompted Fiat Chrysler to conduct a massive recall of 1.4 million cars. 

What does hacking a car look like?

There are numerous ways to gain access to vehicle systems.  In the example above,  the researchers exploited a vulnerability of the onboard infotainment system via its WiFi to gain access. From there, they were able to access the chips that control steering and braking systems. Their hack required remote but effectively close proximity to the target. Today that wouldn’t be necessary.  Today the two best paths for hacking a car would be malware or a supply chain attack:  Hacking a vehicle with malware: threat actors could look to infect smartphones and then have them spread that malware each time the phone is connected to a new system. Given the notable vulnerabilities and zero-click exploits exposed after the Pegasus Spyware scandal, this option is a real risk.  Hacking a vehicle via the supply chain: The easiest and most likely way automobiles will be hacked in the future is via a supply chain attack. Two options exist: either targeting vehicles that use a particular mobile data provider or targeting the manufacturer to push malicious code.  One can look at the Kaseya VSA ransomware attack as an example. Kaseya’s systems were breached, and ransomware was pushed to their user base affecting 800 – 1,500 different companies. If the target was a company such as Volkswagen or Ford, millions of vehicles could be disabled. 

How do we prevent cars from being hacked?

Researchers and white hats have recommended numerous changes from disconnecting systems from each other, hardening current plans, and a standard level of encryption for vehicles.  However, these changes do not address the issues around supply chain attacks.  As discussed in our report “The Race Against External Threats in the Automotive Supply Chain,” the automotive industry is at high risk of cyberattack due to endemic exposed credentials, numerous third parties, and vulnerable digital assets. In our report on automotive cyber risk, we also outline options for reducing these digital risks to better protect manufacturers and their customers. Our report is available for download here