Theft of vehicles is about as old as the notion of transport — from horse thieves to hijackers. No longer merely putting a brick through a window, vehicle thieves have continually adapted to new technology, as demonstrated by a new method to steal a car without the need to be anywhere near it.

Modern vehicles are built with a range of computerised systems that control and monitor security, fuel, engine management and more. Most new cars are fitted with Bluetooth connectivity and USB sockets, so it was only a matter of time before reports of criminals abusing these systems appeared.

The use of so-called Bad USB memory sticks to hijack systems has been reported, but the most recent issue involves a port fitted in virtually every car on the road today, the 30-year-old On-Board Diagnostic port (OBD-II). So put away that coat hanger — car theft has got a lot more technological.

At the recent S4 security conference, researcher Corey Thuen shared his concerns regarding a specific OBD-II dongle provided by US insurer Progressive Insurance. Designed to track driving habits, the dongle “phones home” to report back to the company via the mobile phone network, and the driver is awarded a lower premium if his or her driving habits demonstrate no dangerous driving — speeding, hard accelerating or braking.

Unfortunately, the port also provides read and write access to the car’s engine management system. If a remote attacker was able to use a man-in-the-middle attack — intercepting traffic between the car and the company’s servers while passing themselves off as one or the other — they could compromise the dongle, and so have complete control over the car’s engine. Potentially, this attack could compromise not just a single vehicle but fleets of vehicles, depending on what data was exposed from the company’s servers.

The main issue is for manufacturers to design products with security in mind, and provide updates swiftly once security flaws and vulnerabilities such as these are discovered. Some manufacturers are much better at doing so than others.

In this case, the dongle does not attempt to validate or demand signed firmware updates, its boot process is not secure, it doesn’t authenticate the mobile phone connection, nor encrypt the data it sends, nor is it hardened in any way against potential attacks.

“Basically it uses no security technologies whatsoever,” Thuen remarked. It’s essentially an open door.

Other security compromises based on computer systems in cars include using Bluetooth MP3 players, where malware disguised as a music track is loaded into the car’s systems to compromise them, or through applications on smartphones that use the Bluetooth connection to access the car’s systems.

On top of the distinctly disturbing idea of your car being hijacked and remotely controlled, there are also privacy concerns about the data the car collects about you. As well as information about driving habits, GPS data can locate you and build a pattern of your comings and goings, posing further risks.

There’s long been a problem here due to closed, proprietary systems to which you the owner and user don’t have access — something open rights campaigners such as the journalist Cory Doctorow have noted.

Usually, security advice includes not clicking on dodgy links, and keeping your antivirus and other software up to date. But with a car you are choosing to place your body inside a one-ton computerised cage travelling at 120km/h, which may no longer be in your control.

The solution, long understood by security researchers, is that software needs to be open to inspection so that bugs and flaws are easier to find and report, and so the software is fixed and improved more quickly. Closed, proprietary software puts users at unnecessary risk by obscuring potential problems that may not be made public, but could equally have been discovered by criminals who are only too happy to exploit them. Drivers need to understand how the modern car has changed and continues to change, and to lobby the car industry to change their approach.

Andrew Smith is lecturer in networking and Blaine Price is senior lecturer in computing, both at The Open University
This article was originally published on The Conversation

Follow TechCentral on Google News Add TechCentral as your preferred source on Google

Setback for South Africa’s electricity market reform

Solly Malatsi’s Post Office gamble

The conflict of interest at the heart of PayShap’s slow adoption

Africa powers mobile money to $2-trillion milestone

The R16-billion tech giant hiding in plain sight

It’s official: ads are coming to ChatGPT

Mystery Chinese AI model revealed to be Xiaomi’s

A mystery AI model has developers buzzing

Samsung’s trifold gamble ends in retreat

Nvidia targets $1-trillion in AI chip sales as inference demand surges

The last generation of coders

Sentech is in dire straits

How liberalisation is rewiring South Africa’s power sector

The top-performing South African tech shares of 2025

Digital authoritarianism grows as African states normalise internet blackouts

Meet the CIO | Healthbridge CTO Anton Fatti on the future of digital health

TCS+ | Arctic Wolf unpacks the evolving threat landscape for SA businesses

TCS+ | Vox Kiwi: a wireless solution promising a fibre-like experience

TCS+ | Flipping the narrative on AI in the Global South

TCS | Sink or swim? Antony Makins on how AI is rewriting the rules of work

South Africa’s energy future hinges on getting wheeling right

Apple just dropped a bomb on the Windows world

VC’s centre of gravity is shifting – and South Africa is in the frame

Hold the doom: the case for a South African comeback

The AI fraud crisis your bank is not ready for

Next to get hacked: your car

Clicks to bricks: Yuppiechef to open physical stores in Gauteng

What’s gone wrong with the World Wide Web

Internet hoaxes flourish on Facebook

Durban’s finance leaders are done with AI theatre

Defend your cloud with Altron Digital Business

Why most Cisco partners leave money on the table at renewal time