Top cybersecurity experts would never hang car keys on a hook near the back door or leave them sitting on a kitchen counter. The best strategy to prevent theft? Store the key fob in an old-fashioned metal coffee can.
“Really, some cyber experts don’t go to sleep without putting their key into a metal container,” said Moshe Shlisel, a veteran of the Israeli Air Force and now CEO of GuardKnox Cyber Technologies. “It’s called a Faraday Cage. You block the electromagnetic field.”
Copying code from vehicle key fobs is easy. Tech thieves can do it from outside your home or a motel. Then they can steal a vehicle or just gain access without owners realizing they’ve been violated.
Cybersecurity companies, including the team at GuardKnox, are working with the Detroit Three and automakers globally to create protections that deter hackers who covet new cars and the data stored in them.
Within the past 90 days, GuardKnox has been granted three U.S. patents including a “Communication Lockdown Methodology” that prevents attackers from entering a vehicle’s ecosystem. The patent covers trucks, buses, ships, planes, drones and even spaceships. The methodology has been implemented in fighter jets and missile defense systems.
“Vulnerability is everywhere. The fob is a symptom,” Shlisel said in an interview from his office just south of Tel Aviv. “You’re exposed to many attack vectors. Remember your computer 20 years ago? There weren’t firewalls. What happens if someone takes control of your car while you’re on the highway with two kids inside and you can’t do anything? You’re doomed. And that can be done today.”
This is not sci-fi. This is the reality of a wireless, connected world where car doors lock with a click and a chirp, where children in the backseat stream videos, where backup cameras make parking easy, where driver assist prevents accidents and companies can update software technology remotely.
“Connectivity introduces cyber risk,” said Faye Francy, executive director of the nonprofit Automotive Information Sharing and Analysis Center, which specializes in cybersecurity strategies.
While auto industry engineers know a lot about traditional safety, quality, compliance and reliability challenges, cyber is an “adaptive adversary,” she said.
“Today we’re in an interconnected society, from our computer to our phones to our cars to our homes. We need Kryptonite bars on the network,” Francy said. “Automakers are starting to implement security features in every stage of design and manufacturing.”
In 2015, the Detroit Three and 11 other automakers formed the group that shares, tracks and analyzes potential cyber threats, vulnerabilities and incidents related to the connected vehicle in North America, Europe and Asia. One company’s detection of a potential attack may mean another company’s prevention of a security breach, Francy noted.
Shlisel, whose board of directors includes executives who served on the board at GM, said digital firewalls are essential. “If you don’t have a mechanism that can protect his communication from someone replicating them, then it’s a no-brainer. Companies sell things legitimately on Amazon to clone transmission from a vehicle. This is called ’the man in the middle attack’ or ‘the relay attack.’”
Companies that specialize in hacking protection won’t reveal how frequently they’re able to hack vehicles or how easily. Said one cybersecurity researcher, “Our job isn’t to embarrass the industry.” Some automakers said they didn’t want to discuss the topic for fear of being perceived as challenging hackers.
Vehicles with easy remote access definitely offer benefits. In 2017, Tesla remotely and temporarily enhanced the battery capacity, and therefore driving range, of its Tesla vehicles for owners in Florida who were trying to escape Hurricane Irma.
But too often, these tactics can be used for evil, industry observers say.
Dan Sahar, vice president of product for Upstream, a cybersecurity startup based in Silicon Valley, said the risk of a widespread cyberattacks on vehicles is real and growing.
Vehicles are vulnerable in part because of the complexity of the software, with hundreds of millions of lines of code, said Sahar, whose company focuses on cybersecurity for the cloud, watching for and stopping anomalies. With so many lines of code, bugs are bound to exist, he said, and “if there’s a bug, the hacker can utilize the bug.”
But it’s not clear how quickly, or even if, the public would learn about a mass hack on a group of vehicles.
“Some companies don’t ever admit it. You know Uber got hacked. When did you learn about it? You learned about it [more than a year] after it happened,” Sahar said.
“In that case, hackers stole the data of 57 million Uber users. Rather than report the incident, Uber paid the hackers $100,000 to delete the stolen data and keep it secret.”