Automotive hacking may be in its infancy, but it most assuredly will be a growth industry, especially as more cars take on semi-autonomous – and, soon enough, fully autonomous – driving ability. The modern car has as many as 100 microcomputers, many of them connected to the outside world by some means of electronic communication. And it isn’t just such high-tech communication systems – Wi-Fi, Bluetooth, etc. – that make our cars so vulnerable to attack. Indeed, it is our very insistence on being permanently connected that makes our cars such a rich “attack surface” environment. What’s ironic is that the best way to thwart these high-tech exploits involves some decidedly old-school guardians as well as some that sound just plain cockamamie. Without further ado, then, here are 10 strategies to minimize your vulnerability to computerized theft and subterfuge:
1. Don’t use your remote keyless system to lock your doors. “What the…?” I hear you saying. Nonetheless, it turns out the simplest hack in the automotive world is still just breaking into your car to steal all your goodies. And the simplest way to “open sesame” is scanning your push-button locking system. There are all manner of ways to do it, but the one thing they have in common is that they all require you to lock your vehicle remotely and then walk away from it. The simplest solution, therefore, is to forgo the key fob and use the central door lock button to close up shop. No transmission; no hacking. Of course, it doesn’t matter if you use a keyless system to enter your car; you’ll be driving away from the threat.
2. This one is going to seem odd – completely over the top, in fact – but you might want to start putting your keyless fob in the refrigerator at night. Or in a box with some tin foil lining. Not as common as the simple “transmission” hack noted above, this exploit – that’s cybertalk for getting up to no good – involves a slightly more complicated “amplifier” that fools your car into thinking the fob is close by, therefore allowing access to your car. More importantly, if your car has push-button start, it also fools the security system into thinking the immobilizer is nearby. Not only can thieves now rifle all your belongings, they can also steal your car.
3. Use a good old-fashioned steering wheel lock. People crafty enough to construct some form of electronic hack to get into your car are probably smart enough to move on to a more vulnerable Benz if they spot a steering wheel locking system, especially if it’s the tried-and-trusted “The Club Original 1000” or the even more robust FJM High Security Steering Wheel Lock. If they can’t drive it away, they’re going to look for easier prey.
4. Buy a Tesla or a General Motors product. No, not because they are electric or reduce emissions, but because Tesla and GM reward “white hat” hackers showing them their products’ vulnerabilities. Virtually every cyber-security expert we’ve spoken with says rewarding the discovery of software vulnerabilities is the number one defense against malicious hacking. GM launched its “bug bounty” program in January and Tesla solved a hack last year with a simple over-the-air update.
5. Don’t drive a top-of-the-line car (Tesla and Cadillac excepted). I doubt if anyone rich enough to afford a Mercedes-Benz is going to take this advice, but expensive cars have more computers and connectivity features than the cars we peons drive. That just means there are more ways into your car’s neurosystem and more things to play with once a “black hat” is in there. One security expert I talked with drives a ’70s Volkswagen specifically because it has no computers, wireless connections or USB ports and wouldn’t even dream of buying a car with a Wi-Fi “hotspot.”
6. If being connected is a big part of your daily drive, buy a car with the latest Apple CarPlay or Android Auto systems. According to Kim Komando, self-proclaimed “digital goddess,” both CarPlay and Android Auto have beefier security than automotive entertainment systems, so running the telematics through your iPhone/Galaxy may be safer than automotive cellular systems.
7. Buy an OBD lock. What’s OBD, you ask? The on-board diagnostic system is your car’s built-in link to the outside world, the portal through which all repairs, mechanical or otherwise, are diagnosed. All cars have a port that allows technicians to access all the relevant computers controlling your car. Therefore, it is also the easiest way to get inside your car’s brains. This subterfuge requires access to your car, but once in, the potential for damage is pretty much limitless. So lock it up. Besides, your OBD port is also used to access your car’s Electronic Data Recorder, a chip that records exactly how – as in how fast – you drive. So the OBD lock also promises privacy, something you might find important if you get in a collision and someone tries to access your car’s accident data without your permission.
8. For God’s sake, don’t buy into one of those insurance programs that promises to lower your premium based on how safely you drive. They do so by plugging a “dongle” into the OBD port mentioned above – again, one of your car’s greatest vulnerabilities – and then connecting it with the insurer’s home office via a less-than-secure cellular connection. Seriously, you’re almost asking to be hacked. Forbes, for instance, claims that Progressive Insurance’s Snapshot dongle had “basically no security technologies whatsoever” and that “a skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles.” I suspect these systems will prove very susceptible to remote hacks – i.e., via a laptop – sometime in the near future.
9. The same applies to anyone else trying to install such OBD dongles in your car. Samsung’s ConnectAuto promises to let business owners monitor their fleet of vehicles via a Wi-Fi-enabled OBD dongle. Other future uses for these devices may include allowing crypto “repo” men to “brick” a car for missed loan payments or even “teaching” fleets to drive more economically. As beneficial as these additions may seem, they still leave your ECU – electronic control unit – wide open to malfeasance.
10. Last, but most certainly not least, don’t plug random USBs into your dashboard. Data-enabled USB ports – used to update system software – offer direct access to your car’s neurosystem. Ironically, part of the fix for Wired magazine’s famed Jeep hack was a USB-installed “patch” sent via the post. Security experts have long cautioned against plugging in USBs received via (easily-compromised) snail mail, so why FCA decided to fix one security glitch with another vulnerability is mystifying. “The decision of Fiat Chrysler to mail out USB sticks to customers directly to patch the recent vulnerability is the security equivalent of waving a red rag to a bull,” Carl Leonard, principal security analyst at Raytheon Websense, told . “Hackers, highly adept at taking advantage of indecision and social engineering tactics in times of crisis, could potentially utilize this USB fix opportunity for nefarious gain.”