Can We Please Stop Pretending Car Hacking Is a Grave Threat?
The Egyptians had “hackers,” too.
Are you scared of your car getting hacked? The term “hacking” is so broad—and its use in clickbait headlines so vague—as to be meaningless. When was the last time you heard of someone’s car actually being hacked? You haven’t, except for examples
Your car is as likely to get hacked as you are to get Ebola. Actually, that isn’t true—thousands of people caught Ebola last year. How many private citizens' cars were hacked? As many as were eaten by Kraken, which is to say, none.
The good news? The nightmare car hack (see below) hasn’t happened. At least not yet. Connected car technologies that will open the door to hacking aren’t quite as connected as headlines would have us believe.
The bad news? The law of unintended consequences means connected cars will almost certainly give rise to new forms of aggravation.
We’re not there yet, but when they arrive we’re going to miss the old days, when car hacking was known by its original name: car theft.
What Is Hacking, Anyway?
Until the rise of automation, hacking was generally what you did to a tree with an axe. Today, hacking is what the media calls any crime the average person can’t understand. Your credit card info was stolen from a server? It was “hacked.” Sure it was, but it wasn’t magic. A person was behind it. A “hack” requires a weakness, and someone clever enough to exploit it, generally for profit.
By that standard, “hacking” has existed since for thousands of years. The Egyptians had locks, which means they had lock-pickers, which means they had hackers.
What Is Car Hacking?
Car hacking has been going on since the first Model T was stolen without a key. I imagine all it took was a metal rod, but it sure must have seem difficult at the time. Key technology improved, but “hackers” eventually moved on to slim jims, which must seem archaic to anyone born after 1990. Once having slipped it into the door, starting the car was easy—just bring a screwdriver. Then The Club was invented. Then handsaw blade technology caught up. The Club? Hacked! Thieves then moved onto duplicating master keys (because manufacturers and dealers were lazy) until keyless entry was invented. Then thieves cloned those, too, using devices available on Amazon. Then people began wrapping their keys in aluminum foil, then keyless entry improved, and thieves adapted again.
What was once hacking became an obsolete form of theft, and the media moved on. Then, car manufacturers began installing cellular and WiFi connections.
What Is The Nightmare Car Hack?
You wake up in the dead of night, and your car is gone. How? It drove itself away after being wirelessly access by “hackers” (a.k.a. modern car thieves). But wait, there’s a worse scenario: You’re IN the car, driving along, and hackers remotely commandeer the car into a tree, or to a remote location for nefarious purposes.
Remember the car crash that killed investigative reporter Michael Hastings? You know, the guy whose 2010 Rolling Stone article ended General Stanley McChrystal’s career, and who was allegedly about to take down another major political figure? Perfect nightmare car hack, right? Except that it wasn’t.
Just last week, a Russian socialite died in a car accident in Switzerland, and again there were suggestions of foul play, if not outright car “hacking.” She was, after all, connected to enemies of Russian President Vladimir Putin. But read past the headlines and you’ll see the same factors that killed Hastings: High speed and alcohol.
Occam’s Razor isn’t just for shaving.
Why The Nightmare Car Hack Hasn’t Happened Yet
“Anything can be hacked,” said George Hotz, the infamous hacker who unlocked the iPhone, cracked the Sony Playstation, and is currently developing self-driving car technology in his garage, “but the kind of people who can do the best stuff don’t give a shit about stealing your car.”
Hacking a modern car—as in, circumventing the average person’s ability to protect against it without current levels of technology—is incredibly difficult. That isn’t to say the nightmare car hack isn’t possible, but it requires a level of expertise, equipment, and time that you’re not going to find on the street.
Sources in the cybersecurity and hacking communities all told me the same thing. Even with the highest levels of skill and motivation—say, nation-states and intelligence services—you need physical access to a car prior to the hack, and not just a few minutes but hours, and more probably days. The difficulty of electronically accessing a modern car is inversely proportional to how much time and familiarity a hacker has with the specific target.
It’s a whole lot easier to physically sabotage a car than it is to hack one. If you want to steal a car, bring a flatbed or a tow truck. If you want to kill someone, cut a cable, or deflate a tire. Or just poison them.
But What About Those Tesla And Jeep Hacks?
The Tesla and Jeep hacks perfectly highlight the next round of car-related crimes currently under the “hacking” umbrella. All were executed by cybersecurity professionals looking to demonstrate their skills to clients who might hire them, and had ample time with the cars before shooting the hacking videos which so consumed the media cycle. Anyone who read the accompanying text would have understood how far their “hacks” were from being replicated by the average thief.
Lost in the mix? The difference between Tesla’s and Jeep’s responses. Tesla routinely hires hackers who breach their security, then wirelessly updates their cars soon as possible. Jeep, on the other hand, snail-mailed 1.4M owners a USB key with a security patch, which was far dumber and more dangerous than the hack itself.
This is the future. Medeco locks vs. Walmart’s house brand, but in cars.
The Biggest Danger? Phones, Apps & You
For the most part, car manufacturers aren’t dumb. Every time we complain about crappy infotainment, the answer is twofold: it’s partially that they aren’t Apple or Google, but it’s also that they’re terrified about security. That’s why Apple Carplay and Android Auto aren’t quite as good as their phone-based counterparts.
Open up the dash to third-party apps, or grant smartphones any real access to your car, and what we call hacking becomes commonplace theft, at least until cybersecurity practices improve. Security will only ever be as good as the weakest link in the chain, which is why the most recent Tesla hack required installing malware on an older generation Android OS on which Tesla’s Summon app was installed.
Luckily, Tesla has already closed that particular door. The lesson? Update the OS on every device you have. Don’t download unnecessary apps. Nothing good is free.
Which brings us to...
The Good News And Bad News Go Hand In Hand
The same technology that makes connected cars theoretically vulnerable also protects them from physical theft. How do you steal a connected car whose real-time location is broadcast via one or more networks, and which can be remotely disabled by calling roadside assistance?
You don’t. Which is why, in time, the danger of car theft will go away, but a new danger will rise.
Ransomware—the crippling of electronic networks and systems for cash—will migrate from static systems to transportation. It happened last week with the San Francisco Muni hackers, who demanded $70,000 in Bitcoin to restore the system, and it’s going to get worse.
What’s going to happen when a lazy manufacturer launches their vertically-integrated self-driving car taxi service? How about when Beyonce gets in her S-class on tour in a foreign country? You don’t need to be Nostradamus to know that the Knight Rider was basically a documentary. Especially the KARR episodes.
Crime finds a way.
How To Protect Yourself
When you’re 20, you have 20-year old problems, like college finals and finding a summer job. When you’re 40, 40-year old problems, like thinning hair and finding time with the kids.
The same goes for cars. If you want to avoid modern car theft, buy an older car without cellular or WiFi connections, but you’re going to fall prey to traditional forms of theft. Car thieves generally aren’t carrying handsaws anymore, which is why Winner International, makers of The Club, had such a nice booth at SEMA this year.
If you must drive a new one, buy one from a manufacturer that isn’t clueless about security. The arrival of self-driving cars will add a new dimension of risk, as some autonomous technologies will be more vulnerable than others, which we’ll cover in a future piece.
For now, don’t worry about it. We’re at a crossroads, with analog car theft having peaked and digital theft just starting to rise.
So You Still Think You Can Hack My Car?
I’ve got an idea. Let’s do something to demonstrate how safe the average person is from hacking today. I’ve been talking to my betters at The Drive, and we came up with a plan. We’re going to get a couple of manufacturers to donate cars, and we’re going to do an actual hackathon, where the winner gets to keep the car. Maybe just for a year. We’re still hashing out the details.
Stay tuned.
Alex Roy, entrepreneur, President of Europe By Car, Editor-at-Large for
The Drive, and author of
The Driver, set the
2007 Transcontinental “Cannonball Run” Record in a BMW M5 in 31 hours & 4 minutes, and has set multiple "Cannonball" endurance driving records in Europe & the United States in the
EV,
&Semi-Autonomous Classes. You can follow him on
and
