In a concerning development, car theft is on the rise, according to a recent report by AA Insurance Services. What’s even more worrying is that criminals are increasingly utilizing sophisticated tools to exploit the very sensors and computerized systems that were originally designed to enhance road safety and provide driver convenience.
Market research company Technavio highlighted in 2017 that the significant growth of the automotive electronics sector was driven by the demand for added driver convenience and concerns surrounding car theft. It is disheartening to realize that these very same sensors, computers, and data aggregation systems are now being utilized by criminals to steal vehicles.
One example of the convenience offered by modern vehicles is the keyless entry system (KES). With KES, drivers can passively lock, unlock, start, and stop the engine by simply carrying the key fob, which contains an integrated signal transmitter. The system works by detecting the signal from the key fob.
Typically, if the signal is strong enough, which is usually within one meter of the car, the vehicle will unlock and allow the engine to start using a push-button system. Attacks on the KES often involve amplifying and relaying the signal from the key fob to the car, tricking the car’s system into believing the fob is within range and disarming the security.
One method to prevent relay attacks of this nature is for car owners to store their key fobs in “Faraday pouches” when not in use. These pouches contain conductive fibers that disrupt radio signals and are relatively inexpensive.
It is worth noting that the computers in today’s cars, known as Electronic Control Modules (ECMs), manage various components, including the engine, transmission, powertrain, brakes, and suspension. These ECMs are programmed with extensive computer code, which unfortunately can contain vulnerabilities.
To mitigate these vulnerabilities, international safety standards such as the SAE J3061 and ISO/SAE 21434 provide guidance to manufacturers regarding secure code development and testing. However, due to the complexity of interconnected systems, production deadlines, and shareholders’ expectations, it is possible for vulnerabilities to go undetected.
Car thieves have found ways to gain access to cars’ electronic control units (ECUs) and on-board diagnostics ports, which provide technicians with quick access to a car’s diagnostic system. These ports are small computer interfaces found in most vehicles, allowing technicians to access sensor data and identify any faults easily.
This convenience has also made these ports attractive targets for car thieves. Recent reports have revealed instances where car thieves accessed ECUs by removing the front bumper to reach the headlight assembly. Through the ECU, they gained access to the widely used Controller Area Network (CAN bus), which enables communication between ECUs.
By accessing the CAN bus, the thieves injected their own messages into the car’s electronic systems. These messages were specifically crafted to deceive the car’s security systems, making it appear as though a valid key was present. As a result, the car doors unlocked, allowing the engine to start and the vehicle to be driven away, all without the need for the key fob. Unlike the previously mentioned relay attacks, this new form of attack cannot be thwarted by a Faraday pouch since the fob is not required at all. The thieves generate the signal that the fob would typically send.
Further investigations into these incidents revealed that the equipment used by the thieves costs as little as £8 ($10). Moreover, these components can be easily purchased pre-assembled and programmed, making it effortless for potential thieves to exploit a car’s wiring.
To compound the issue, the devices used in these attacks were disguised as an old Nokia 3310 phone and a
JBL-branded Bluetooth speaker, making them inconspicuous and difficult to detect at first glance. Even if a car thief is stopped and searched, these devices would not raise suspicion.
Experts in the field have emphasized that a long-term solution to this type of attack requires the involvement of car manufacturers and industry bodies. However, implementing such a solution would take time. In the meantime, most new cars remain vulnerable to these attacks, leaving them defenseless against tech-savvy thieves.
The recent surge in car theft incidents serves as a stark reminder that as our vehicles become more advanced and interconnected, they also become susceptible to exploitation by criminals. The evolving tactics employed by thieves highlight the need for continuous research and development to stay one step ahead of potential vulnerabilities.
Motorists are advised to remain vigilant and take precautionary measures to protect their vehicles. In addition to using Faraday pouches to safeguard key fobs from relay attacks, it is crucial to park vehicles in well-lit areas and install additional security devices such as steering wheel locks or immobilizers. Regularly updating and patching vehicle software can also help mitigate potential risks.
Law enforcement agencies are intensifying their efforts to combat car theft, collaborating with experts in cybersecurity and automotive technology to develop countermeasures. However, it is a collective responsibility to tackle this growing issue effectively.
As technology continues to advance, it is crucial for car manufacturers, industry regulators, and consumers to work together to ensure the security of our vehicles. Only through proactive measures, continual research, and robust cybersecurity practices can we stay ahead of the criminals and protect our valuable assets on wheels.
