Copying code from vehicle key fobs is easy. Tech thieves can do it from outside your home or a motel. But cybersecurity companies are working with automakers globally to create protections that deter hackers who covet new cars and the data stored in them.
Top cybersecurity experts would never hang car keys on a hook near the back door or leave them sitting on a kitchen counter. The best strategy to prevent theft? Store the key fob in an old-fashioned metal coffee can.
“Really, some cyber experts don’t go to sleep without putting their key into a metal container,” said Moshe Shlisel, a veteran of the Israeli Air Force and now CEO of GuardKnox Cyber Technologies. “It’s called a Faraday Cage. You block the electromagnetic field.”
Copying code from vehicle key fobs is easy. Tech thieves can do it from outside your home or a motel. Then they can steal a vehicle or just gain access without owners realizing they’ve been violated.
Cybersecurity companies, including the team at GuardKnox, are working with the Detroit Three and automakers globally to create protections that deter hackers who covet new cars and the data stored in them.
Within the past 90 days, GuardKnox has been granted three U.S. patents including a “Communication Lockdown Methodology” that prevents attackers from entering a vehicle’s ecosystem. The patent covers trucks, buses, ships, planes, drones and even spaceships. The methodology has been implemented in fighter jets and missile defense systems.
“Vulnerability is everywhere. The fob is a symptom,” Shlisel said in a phone interview from his office just south of Tel Aviv. “You’re exposed to many attack vectors. Remember your computer 20 years ago? There weren’t firewalls. What happens if someone takes control of your car while you’re on the highway with two kids inside and you can’t do anything? You’re doomed. And that can be done today.”
This is not sci-fi. This is real life. This is the reality of a wireless, connected world where car doors lock with a click and a chirp, where children in the back seat stream videos, where backup cameras make parking easy, where driver assist prevents accidents and companies can update software technology remotely.
“Connectivity introduces cyber risk,” said Faye Francy, executive director of the nonprofit Automotive Information Sharing and Analysis Center, which specializes in cybersecurity strategies. “People call it the internet of things or, as I like to say, ‘The internet of threats,’ ” Francy said.
While auto-industry engineers know a lot about traditional safety, quality, compliance and reliability challenges, cyber is an “adaptive adversary,” she said.
“It’s an ever-changing, emerging threat that requires diligence in every aspect of design through operations — it’s not a simple engineering fix,” Francy said. “Automakers are starting to implement security features in every stage of design and manufacturing. This includes the key fob. Cybersecurity diligence is the cost of doing business in the digital age today.”
In 2015, the Detroit Three and 11 other automakers formed the group that shares, tracks and analyzes potential cyber threats, vulnerabilities and incidents related to the connected vehicle in North America, Europe and Asia. One company’s detection of a potential attack may mean another company’s prevention of a security breach, Francy noted.
Companies that specialize in hacking protection won’t reveal how frequently they’re able to hack vehicles or how easily. Said one cybersecurity researcher, “Our job isn’t to embarrass the industry.”
Some automakers said they didn’t want to discuss the topic for fear of being perceived as challenging hackers.
Dan Sahar, vice president of product for Upstream, a cybersecurity startup based in Silicon Valley, said the risk of widespread cyberattacks on vehicles is real and growing.
Vehicles are vulnerable in part because of the complexity of their software, Sahar said.
With so many lines of code, bugs are bound to exist, he said, and “if there’s a bug, the hacker can utilize the bug.”
The consequences of a cyberattack on moving vehicles are especially frightening.
Most Read Business Stories
- Millions of stimulus payments were mailed as prepaid debit cards. Some say they look like scams.
- IRS pushes back start of 2020 tax filing season
- Worries about West Seattle Bridge have not swamped the neighborhood's housing market
- Suzi LeVine, head of Washington state's embattled unemployment agency, to take job in Biden administration
- Amazon presses for in-person voting for unionization election in the midst of a pandemic
In 2015, cybersecurity researchers showed they could interfere with a Jeep Cherokee as it drove on a St. Louis-area highway in traffic. They were able to disable the car’s transmission and brakes, and, while the vehicle was in reverse, take over the steering wheel.
That incident damaged the reputation of Fiat Chrysler Automobiles, though it was not the only company hurt; the connection that allowed the hack in the first place came through a cellular network, Sahar said, noting that because automakers rely on so many suppliers, many more potential vulnerabilities exist.
The Detroit Three are making efforts to address cybersecurity.
As vehicle connectivity continues to evolve, GM continues to strengthen cybersecurity protections, said spokesman Tom Wilkinson. “GM’s three-pillar approach employs defense-in-depth, monitoring and detection, and incident response capabilities to protect our customers, their vehicles, and their data.”
Fiat Chrysler emphasized it has a group dedicated to preventing, detecting and responding to cybersecurity risks.
The company “is deploying both hardware and software technologies to protect against cyberintrusions,” and partnering with others, said Sandra Hosler, senior manager of vehicle cyber security.
While Ford spokeswoman Karen Hampton didn’t offer specifics on cybersecurity, she did say the company takes security and data privacy very seriously.