Revenge of the Nerds: Tech experts detail vulnerabilities in modern cars

Article content

Article content

Long gone are the days when nefarious people (or a stranded motorist) could light the fires on their vehicle by crossing the terminals on an underhood starter solenoid with a cheap screwdriver. These days, technology reigns supreme and many items on modern cars can be controlled through a smartphone app or some other faraway device. Remote start systems, door locks, cabin pre-heaters – many of these and more can accept commands even if the owner is half a world away. All that’s required is an active Internet or cellular connection.

We apologize, but this video has failed to load.

Try refreshing your browser, or
tap here to see other videos from our team.

Revenge of the Nerds: Tech experts detail vulnerabilities in modern cars Back to video

We apologize, but this video has failed to load.

Try refreshing your browser, or
tap here to see other videos from our team.

Play Video

But, as any tech savvy person will attest, these features lead to new opportunities for idle hands to wreak havoc. Opening critical vehicle systems to the internet provides hackers an entrance, one which did not exist on vehicles in the analog days. One self-described security researcher, named Sam Curry from south of the border, recently detailed some findings which could put even the most seasoned techie on edge when it comes to potential vulnerabilities in their shiny new whip.

Article content

Curry begins his report by relating an amusing but slightly terrifying anecdote in which he and some buddies used a mobile app to gain access to basic functions of a few electric scooters. You know the ones: public-use two-wheelers scattered across big American cities designed to provide so-called ‘last mile’ transportation on a whim. Activate the thing from an app, jump on, then dump it and log off when you’ve reached yer destination.

Curry & Co managed to quickly use the app to flash the lights and sound the horns on several scooters for about 15 minutes. This harmless prank hurt no one (except for people trying to sleep) but exposed a significant security flaw in the scooter’s systems. The tech friends alerted the scooter company with a report about what they did and a possible fix. But it didn’t take long for them to connect the dots and figure out the same vulnerability exists in cars.

Article content

“We brainstormed for a while, and then realized that nearly every automobile manufactured in the last 5 years had nearly identical functionality,” Curry writes on his blog. “If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.”

Yikes. That’s a heckuva lot of control and definitely lands in the category of “stuff which shouldn’t fall into nefarious hands.” That’s why Curry & Co released their findings, hoping manufacturers would sit up and take notice of the deficiencies and design some sort of fix. After all, many of them keep banging on about over-the-air updates. This is a perfect opportunity to deploy one.

Article content

The full list of what’s vulnerable and how it can be exploited can be found here. It goes into significant detail on a brand-by-brand basis, with most of the technospeak flying so far over this author’s head that it could earn Aeroplan points. Nevertheless, a few selected observations caught our collective eye. Kia, Hyundai, Nissan, and Honda (plus their respective luxury divisions) were found to permit access to a stunning list of commands including being able to fully remote lock/unlock, engine start/stop, precision locate, flash headlights, and honk the horn using only a VIN. For Kia specifically, the researchers could remotely access the 360-view camera and view live images from the car. Yikes. Porsche vehicles could be convinced to provide an ability to send retrieve the vehicle location, send vehicle commands, and retrieve customer information via vulnerabilities affecting the vehicle Telematics service.

Article content

Expanding from physical vehicles, the researchers found they could worm their way into some company systems. At BMW and Rolls, for example, the discovered company-wide core SSO vulnerabilities which allowed them to access any employee application as any employee, permitting access to internal dealer portals. This could let them query a VIN to retrieve sales documents or access any application locked behind SSO on behalf of any employee, including applications used by remote workers and dealerships.

Some industry watchers call researchers like Curry and friends ‘white hat’ hackers since they expose vulnerabilities and alert the companies about them rather than taking advantage and holding the place at ransom. Here’s hoping some of these security holes are plugged before the entire ship goes down.