For many people around the world, a large portion of their lives is lived online. Not in some kind of Second Life–Matrix hellscape, but they conduct business, maintain personal relationships, manage their money, buy stuff and even get their car news (👋) using the internet.
This has been amazing for convenience, but that convenience has outpaced security, and so we hear about companies being hacked on a near-daily basis. This problem is increasingly spilling over into our vehicles, which have become increasingly attractive targets to hackers as they’ve gotten more technologically sophisticated.
Now, we’ve covered vehicle hacks and vulnerabilities before, along with that encourage so-called “white hat” hackers to report their findings in exchange for a financial reward rather than exploit them for other personal gains. What we’ve lacked has been a more complete picture of just how bad car hacking has gotten, but thanks to a report by Israeli firm Upstream.auto, now we’ve got one.
So just how bad are we talking? Well, according to Upstream’s report, there were only around 150 incidents in 2019, which isn’t good, but it’s not like we’re experiencing the automotive equivalent of the end of the 1995 film Hackers. However, that represents a 99% increase in cybersecurity incidents in the automotive space in the last year. Even worse, the industry has experienced 94% year-over-year growth in hacks since 2016.
Those 150 or so incidents vary a great deal in the number of people they affect, too. For example, a breach in February targeted systems in some of the US Army’s troop carrier vehicles. Not good, but not impactful for a majority of people. On the other hand, just a month later, Toyota announced a breach that exposed the data of 3.1 million of its customers.
Bug bounties are a large part of what vehicle manufacturers and suppliers are doing to help combat hacking. Nevertheless, only 38% of reported security incidents are being done by bounty-hunting white hat hackers. Black hats (aka the bad guys) are still responsible for 57% of incidents, while 5% are being perpetrated by “other” parties. Since Upstream doesn’t elaborate on who “other” is, we’re going to assume it means lizard people or, like, Hugh Jackman in Swordfish.
Some bug bounty programs have been more effective than others. Uber, for example, has 1,345 resolved bug reports and has paid out over $2.3 million. That’s either good or bad, if you take the stance that it had almost 1,400 vulnerabilities in its software, while Toyota only has 349 resolved bug reports. Tesla has had good luck with its program, with white hats finding that in seconds.
If Tesla’s fobs were so vulnerable, how many other vehicles are being accessed by keyless entry systems? A lot. The bulk (29.59%) of these cyberattacks are using the key fob to gain access. Company servers are a close second at 26.42%. Vehicle mobile apps represent around 12.71% of the hacks, with OBDII ports and infotainment systems rounding out the top 5.
The worrying thing about these attacks is that 82% of them occur remotely, meaning that the hacker doesn’t need to physically be inside the vehicle to do their dirty work. There are short-range remote hacks, like the Tesla key fob hack, where the hacker needs to be within a few meters of the car to break the fob’s weak encryption, and there are long-distance hacks that can be perpetrated from anywhere.
Remote hacks are tough to defend against as an end-user, so we’re often left at the mercy of car companies and suppliers to find and fix the problems before something terrible happens. But as we have seen in Upstream’s report, they could be doing a better job of that.