A Brief History of Car Hacking 2010 to the Present
While automakers continue to create wireless, electronic and remote features for cars, researchers and hackers demonstrate ingenious ways to break into the systems and wreak havoc.
As cars get more and more connected and computerized, it opens them to hacking. Connecting cars through wireless connections started in 1996 with the introduction of the General Motors OnStar safety system to notify emergency responders of collisions and the introduction of the wireless key fob by Mercedes‐Benz in 1998. Gradually, connected services grew, adding smartphone apps and remote features such as remote unlock and remote start. By 2010, when automakers started to expand services, such as apps with vehicle information and charging status for electric vehicles, researchers began to see vulnerabilities that could open systems to hacking.
2010 CAESS Report
Researchers at the Center for Automotive Embedded Systems Security (CAESS), a collaboration between the University of California San Diego and the University of Washington, published “Experimental Security Analysis of a Modern Automobile” that appeared at the 2010 IEEE Symposium on Security and Privacy.
Researchers connected an OBD‐II device to cars and computers. They revealed that they could disable the brakes, selectively brake separate wheels and stop the engine. They were able to break through network security and embed malicious code in a car’s telematics unit.
July 2013 Miller & Valasek Hack Ford Escape & Toyota Prius
Charlie Miller, a security engineer at Twitter, and Chris Valasek, a security researcher at IOActive, received a grant from Defense Advanced Research Projects Agency (DARPA) to find security flaws in cars. In July, they demonstrated to Forbes’ reporter Andy Greenburg how they could access vehicle controls.
The team reverse‐engineered software of a 2010 Ford Escape and the 2010 Toyota Prius, honked the horn, applied the brakes and controlled the steering through connected laptop computers.
May 2014 Car Hacking Video Freaks Drivers Out
A YouTube video, “Phreaked Out,” by Motherboard, showed how cars can be hacked. It highlighted security holes in order to reveal flaws in car technology. Information security researcher Mathew Solnik manipulated the car’s engine, brakes and security systems from his laptop by wirelessly connecting to the Controller Area Network.
February 2015 60 Minutes TV Show Shows Remote Hacking
On Sixty Minutes, host Lesley Stahl, in a demonstration by U.S. military’s Defense Advanced Research Projects Agency (DARPA), drove a car while the windshield wipers, horn, brakes and acceleration were controlled remotely through the telematics system and a laptop computer.
July 2014 BMW Vulnerability Revealed
Kaspersky Lab analyzed BMW’s ConnectedDrive system, finding several places for possible attacks, such as stolen password, mobile app and software updates. BMW issued an update.
August Black Hat 2014
At the Black Hat security conference, Charlie Miller and Chris Valasek revealed a vehicle “intrusion prevention device.” They also announced which cars they thought were the easiest to hack
March 2015 Cheap Hacking Device Offered For Sale
Former intern at Tesla, Eric Evenchick began selling a device to help car hackers break into vehicle Connected Area Network (CAN buses) and software that can turn off headlights, set off alarms, and roll windows down or set the parking brake. Evenchick said in the video demo: “Cars are fun, let’s break them.”
April 2015 Reporter’s Toyota Prius Wirelessly Opened
New York Times columnist Nick Bilton looked out of his window in Los Angeles, California, and saw two teens on bicycles using a black box pointed at his Toyota Prius on the street and unlocked it. Bilton reported that there are many gadgets to get into cars, including radio frequency fobs that either amplify the device and the brute‐force attack of a car using a notebook computer.
Hack Heard Round the World Jeep Cherokee July 2015
Charlie Miller and Chris Valasek took remote control of a Jeep Cherokee while Wired reporter Andy Greenburg drove. From a laptop computer 10 miles away (16.09 Kilometers) they sent commands to the Jeep’s infotainment system. They were able to control the brakes, radio, windshield wipers, air conditioning, accelerator and brakes, sending the car into a ditch. FCA recalled the vehicles and released a security patch for the vulnerability.
How secure are keyless locking systems? This video by ADAC discovers vulnerabilities.
August 2015 Tesla Hack at DEF CON
Kevin Mahaffey, the chief technology officer at Lookout, and Marc Rogers, a researcher at Cloudflare, discovered a way to get into the car controls of a Tesla by hacking into the entertainment system. Their hack stopped the car if it was traveling at less than 5mph or the car coasted to a stop. The vulnerability was exposed at the DEF CON an underground hacking conference. Tesla Motors sent out Over‐the‐Air update Version 6.2 (v2.5.21) to fix the security opening.
February 2016 Nissan LEAF App Hacked
Researchers used a web browser to hack into Nissan controls that were available through the LEAF Nissan Connect app. The team accessed the battery status, turned on heated seats and activated climate control by guessing VIN numbers. Nissan shut down the app and eventually updated the app with security measures. July 20 2016 Car Thieves Steal 100 Cars Wirelessly Two hackers and suspected car thieves were arrested in Houston, Texas, and accused of using pirated computer software to steal more than 100 vehicles. Police found electronic devices, keys and other tools believed used in the thefts. First, they cut wires to the horn and alarm then used a laptop computer with a database to reprogram the key fob for the vehicles.
DEF CON August 2016 More Remote Control of 2014 Jeep
At the Black Hat Security conference, Charlie Miller and Chris Valasek took their remote hack of the 2014 Jeep to the next level. They showed they could steer and accelerate the car. They claimed they could stop the car and digitally turn the wheel at any speed. In a separate attack, they took over the cruise control and sped up the vehicle quickly.
December 2016 Hacking Devices Discovered by Crime Bureau
The NICB (National Insurance Crime Bureau) announced that it discovered how wireless break‐in technology is being used to steal cars. A device captures the key fob signal. Then the signal is transferred to a key fob‐like device that can open the door and unlock the car. NICB noted reports of thieves not only opening the vehicles, but also starting them and driving away.
December 2016 Tesla App Hacked
Mobile researchers hacked into the Tesla remote app. Promon researchers took full control of a Tesla vehicle, including locating and tracking the car, opening the doors and enabling its keyless driving function.
January 3, 2017 Secure Gateway for Vehicles
M2MD Technologies and Giesecke & Devrient Mobile Security (G&D) announced the availability of a secure Communications Gateway. In addition to comprehensive security, the Communications Gateway allows automakers to quickly connect to the vehicle, execute commands more rapidly, and effectively manage costs. Enhanced security is driven by a patent‐pending solution integrating the best 3GPP wireless communication security with standard TLS 1.2.
April 25, 2017 Hyundai Blue Link App Vulnerability Shown
Researchers announced that the Hyundai Blue Link app contained a vulnerability that could allow hackers through insecure Wi‐Fi to locate information about the user. This vulnerability was discovered by independent researchers William Hatzer and Arjun Kumar at Rapid7 through a Wi‐Fi “Man in the Middle” attack. On March 6, 2017, Hyundai updated the Hyundai Blue Link app.
May 2017 TAK by G&D Security Framework
The Trusted Application Kit (TAK) developed by G+D Mobile Security is an application security framework for mobile operating systems, like Android and iOS. Using TAK, developers can quickly and efficiently incorporate advanced security functions into their applications during the design process. TAK provides robust security without impacting on app development time or the user experience, and it is therefore an ideal solution for all security‐sensitive applications.
July 2017 DYI Car Hacking Tool for Sale
Comma.ai, a company founded by George Holtz, began offering software and hardware in order for developers to create their own car hacks and or see how car software operates. Holtz claimed the panda OBD‐II port device “is the nicest universal car interface ever” and called his system “a way to get started car hacking.”