Before the end of the decade, a typical vehicle will carry 300 million lines of code on board. The source to support the new and disruptive services they will provide, but also a bridge to hacking cars
Digitalization will, and already is, transforming the world as we know it to unsuspected extremes. And, like any revolution, opportunities will emerge just around the corner. But it’s not just the good guys who will take advantage of them. The bad guys will be on the lookout for them. And hacking cars and motorcycles will surely become an increasingly common occurrence.
Because digitalization is going to be a cross-cutting phenomenon, that’s true. But there are few sectors in which it will have such a radical influence as in the automotive sector.
Electric, autonomous driving, hyperconnected cars… The innovations and advances that are already emerging represent an unprecedented challenge. The vehicle of the future will have little, if anything, to do with that first car created by Karl Benz in 1886 under the attractive trade name of Fahrzeug mit gasmotorenbetrieb.
Translated literally: «Thing with wheels and a gasoline engine».
A 21st-century car is a sophisticated machine that represents a challenge for manufacturers and their suppliers because of the sophistication it has achieved.
A study by the consulting firm McKinsey reveals that a conventional car today has some 150 electronic control units and around 100 million lines of code. Hardware and software that are indispensable for incorporating all these latest-generation services: connectivity services, traffic assistants, electrification…
But this has only just begun. The report claims that, by 2030, a commercial vehicle will have some 300 million lines of software code on board. Just one fact: a commercial aircraft today incorporates some 15 million lines of code.
In other words, a bag full of goodies (the whole store, why not say it) for hostile actors to hacking cars.
Fran Álvarez, a research engineer at Tarlogic Security‘s Innovation department, explains it very graphically: «We need to secure the automotive industry. Right now there are too many things in diapers».
His diagnosis coincides with that of McKinsey analysts: «The automotive industry lacks a standard approach to cybersecurity. [Manufacturers and suppliers must adopt a culture of security».
The signs are disturbing. Highly graphic examples have surfaced in recent years indicating that hacking cars is a palpable threat. And emerging.
Fran Álvarez has accumulated considerable experience as a researcher in this field. And he alludes to very graphic situations about the main threats that the automotive industry will have to face.
Beware of the master key
The first of these is in an everyday item: the key. In vehicles manufactured in recent years, one of the keys given to the user is a master key with a critical component: a tiny chip that is a transponder.
The Tarlogic researcher argues that driving around with such a key (a common occurrence, by the way) can be a huge mistake if it ends up in the wrong hands. «Reverse-engineering could lead to the control of all cars with this chip», he warns.
As part of an investigation in 2013, our colleague even tried to get his hands on this chip by contacting the manufacturer of a passenger car brand. The brand’s response was blunt: impossible. It’s not for sale, not even to suppliers.
«I insisted over and over again and was told that it couldn’t be sold or obtained. That reaction gave us a lot of food for thought about the importance of the transponder», he argues.
The PCF7961 transponder from NXP (formerly Philips) is now available for purchase without any restrictions whatsoever. «If someone were to capture in a public garage the vehicle-key wireless communications of some top-selling cars (models of brands such as Kia, Renault or Peugeot) to perpetrate the theft would be enough with the appropriate listening equipment and rewrite ids on keys purchased for less than 5 € on popular platforms such as Aliexpress».
The truth is that the opening and control of vehicles is, surely, the most widespread incidence nowadays when talking about hacking cars. It’s what is known as a RollJam attack: someone close to a car captures the key to the unlocking device when the owner is about to open it with the remote control.
The vulnerability of the connected car in this field has come to light several times in recent years. One of the most popular cases is that of a hacker known as EvanConnect, who developed an inhibitor with which he could access high-end vehicles, even in some cases turn them on.
The following video speaks for itself:
Connectivity knocks at the door
The second of the examples to which Fran Álvarez alludes is connectivity-related equipment. Another of the potential vulnerabilities that could allow cars and motorcycles to be hacked.
Services such as emergency calls or something as prosaic as a free connection to Spotify or Apple Music, included in countless models, could become a gateway to the vehicle if protection is not adequate. «With a device that has 4G or 5G and the right tools you could take control of the car», he argues.
And he even dares to describe a potential path: a brute-force attack combined with an application that allows packet requests to be injected into the car at the switchboard.
And what requests? Here the imagination, and the hostile actor skills, are free: opening, switching the car on and off, manipulating the driving systems… The possibilities are highly disturbing.
The cinema has already openly fabulized with these scenarios. In The girl in the spider’s web, the sequel to the Millennium saga centered on Lisbeth Salander, the hacker takes control of a high-end vehicle from a state-of-the-art smartphone.
Science fiction? Reality has insisted on proving that there is much more to it than that. There have been so many cases of vehicles with serious security flaws in recent years that the debate about hacking cars and motorcycles will gain momentum over the course of this decade.
It shouldn’t be forgotten that the very nature of the industry sometimes amplifies the dimensions of the incidents. In the automotive industry, it’s a common dynamic that an advance or new service ends up being installed in the cars of multiple manufacturers: driving systems, safety systems, on-board computing…
A practice that scales improvement. But also a possible vulnerability.
Each manufacturer usually creates its own security layers to protect the systems in its cars. However, this is where there is still a long way to go.
McKinsey puts it bluntly: «Manufacturers should consider cybersecurity as an integral part of their core business functions and development efforts».
The emergence of the electric car
Against this backdrop, many eyes have been on the industry’s latest big trend: the electric car. Surely the epitome of the problem because the potentially vulnerable equipment is even greater.
Fran Álvarez dwells at this point on a very graphic example: the charging plug. «That plug is not only used to charge the car. It also communicates with the vehicle, with all that it entails».
Somehow, manufacturers have replicated this component as if it were that of a conventional gasoline or diesel car. But without paying attention to that all-important detail: communications.
Hacking the electric car, then, would be even more accessible in the right hands. «That lid is very poorly protected. Improvements have to be implemented», he insists.
In addition, in mode 4 (fast recharging) there is a communication interface (reduced or not) in which to ask and force parameters in the vehicle recharging system.
The security, in this case, relies either on the encryption of PLC communications (well configured, it supports encrypted communications) or simply on a sequence of frames to the Canbus (which doesn’t encrypt communications) and this may be the entry point to move on to bigger words.
In this case, it would perhaps be pertinent to ask the manufacturers if it has occurred to them at any time to subject the recharging protocol to a security review beyond the electrical or electromagnetic security required by current regulations. The safety of the inexpensive electric vehicle is perhaps the most worrying issue surrounding the future mobility standard.
The Tarlogic researcher has analyzed these vulnerabilities and can accredit notable deficiencies. Some such as the absence of an adequate password level. «The current one is horrible», he stresses.
Álvarez is one of many voices calling for a paradigm shift in the industry. Greater sensitivity to cybersecurity services from the design phase.
Having pentesting services, source code audits, or powerful hardware hacking services will be indispensable in a sector that holds the lives of hundreds of millions of human beings in its hands every day.
The car of the future still has a lot of work ahead of it.
Discover our work in www.tarlogic.com