Theft of vehicles is about as old as the notion of transport — from horse thieves to hijackers. No longer merely putting a brick through a window, vehicle thieves have continually adapted to new technology, as demonstrated by a new method to steal a car without the need to be anywhere near it.

Modern vehicles are built with a range of computerised systems that control and monitor security, fuel, engine management and more. Most new cars are fitted with Bluetooth connectivity and USB sockets, so it was only a matter of time before reports of criminals abusing these systems appeared.

The use of so-called Bad USB memory sticks to hijack systems has been reported, but the most recent issue involves a port fitted in virtually every car on the road today, the 30-year-old On-Board Diagnostic port (OBD-II). So put away that coat hanger — car theft has got a lot more technological.

At the recent S4 security conference, researcher Corey Thuen shared his concerns regarding a specific OBD-II dongle provided by US insurer Progressive Insurance. Designed to track driving habits, the dongle “phones home” to report back to the company via the mobile phone network, and the driver is awarded a lower premium if his or her driving habits demonstrate no dangerous driving — speeding, hard accelerating or braking.

Unfortunately, the port also provides read and write access to the car’s engine management system. If a remote attacker was able to use a man-in-the-middle attack — intercepting traffic between the car and the company’s servers while passing themselves off as one or the other — they could compromise the dongle, and so have complete control over the car’s engine. Potentially, this attack could compromise not just a single vehicle but fleets of vehicles, depending on what data was exposed from the company’s servers.

The main issue is for manufacturers to design products with security in mind, and provide updates swiftly once security flaws and vulnerabilities such as these are discovered. Some manufacturers are much better at doing so than others.

In this case, the dongle does not attempt to validate or demand signed firmware updates, its boot process is not secure, it doesn’t authenticate the mobile phone connection, nor encrypt the data it sends, nor is it hardened in any way against potential attacks.

“Basically it uses no security technologies whatsoever,” Thuen remarked. It’s essentially an open door.

Other security compromises based on computer systems in cars include using Bluetooth MP3 players, where malware disguised as a music track is loaded into the car’s systems to compromise them, or through applications on smartphones that use the Bluetooth connection to access the car’s systems.

On top of the distinctly disturbing idea of your car being hijacked and remotely controlled, there are also privacy concerns about the data the car collects about you. As well as information about driving habits, GPS data can locate you and build a pattern of your comings and goings, posing further risks.

There’s long been a problem here due to closed, proprietary systems to which you the owner and user don’t have access — something open rights campaigners such as the journalist Cory Doctorow have noted.

Usually, security advice includes not clicking on dodgy links, and keeping your antivirus and other software up to date. But with a car you are choosing to place your body inside a one-ton computerised cage travelling at 120km/h, which may no longer be in your control.

The solution, long understood by security researchers, is that software needs to be open to inspection so that bugs and flaws are easier to find and report, and so the software is fixed and improved more quickly. Closed, proprietary software puts users at unnecessary risk by obscuring potential problems that may not be made public, but could equally have been discovered by criminals who are only too happy to exploit them. Drivers need to understand how the modern car has changed and continues to change, and to lobby the car industry to change their approach.

Andrew Smith is lecturer in networking and Blaine Price is senior lecturer in computing, both at The Open University
This article was originally published on The Conversation

MVNO business shines in Cell C’s first post-listing results

Ramaphosa presses ahead with Eskom break-up

Cell C cleans up its balance sheet but faces tough trading reality

The key technology takeaways from Ramaphosa’s 2026 Sona

Toyota SA CEO: NEV inaction will cost South Africa its motoring industry

Russia bans WhatsApp

EU regulators take aim at WhatsApp

Musk hits brakes on Mars mission

Crypto firm accidentally sends R700-billion in bitcoin to its users

AI won’t replace software, says Nvidia CEO amid market rout

How liberalisation is rewiring South Africa’s power sector

The top-performing South African tech shares of 2025

Digital authoritarianism grows as African states normalise internet blackouts

TechCentral’s South African Newsmakers of 2025

Black Friday goes digital in South Africa as online spending surges to record high

Watts & Wheels S1E4: ‘We drive an electric Uber’

TCS+ | Cloud On Demand and Consnet: inside a real-world AWS partner success story

Watts & Wheels S1E3: ‘BYD’s Corolla Cross challenger’

Watts & Wheels S1E2: ‘China attacks, BMW digs in, Toyota’s sublime supercar’

TCS+ | Why cybersecurity is becoming a competitive advantage for SA businesses

A million reasons monopolies don’t work

Eskom unbundling U-turn threatens to undo hard-won electricity gains

South Africa’s skills advantage is being overlooked at home

Why Elon Musk’s Starlink is a ‘hard no’ for me

South Africa’s new fibre broadband battle

Next to get hacked: your car

Clicks to bricks: Yuppiechef to open physical stores in Gauteng

What’s gone wrong with the World Wide Web

Internet hoaxes flourish on Facebook

Cell C delivers maiden results with growth momentum, financial flexibility

Start-up king joins Paratus Rwanda

How NEC XON tackled identity risk for a major telco