Theft of vehicles is about as old as the notion of transport — from horse thieves to hijackers. No longer merely putting a brick through a window, vehicle thieves have continually adapted to new technology, as demonstrated by a new method to steal a car without the need to be anywhere near it.

Modern vehicles are built with a range of computerised systems that control and monitor security, fuel, engine management and more. Most new cars are fitted with Bluetooth connectivity and USB sockets, so it was only a matter of time before reports of criminals abusing these systems appeared.

The use of so-called Bad USB memory sticks to hijack systems has been reported, but the most recent issue involves a port fitted in virtually every car on the road today, the 30-year-old On-Board Diagnostic port (OBD-II). So put away that coat hanger — car theft has got a lot more technological.

At the recent S4 security conference, researcher Corey Thuen shared his concerns regarding a specific OBD-II dongle provided by US insurer Progressive Insurance. Designed to track driving habits, the dongle “phones home” to report back to the company via the mobile phone network, and the driver is awarded a lower premium if his or her driving habits demonstrate no dangerous driving — speeding, hard accelerating or braking.

Unfortunately, the port also provides read and write access to the car’s engine management system. If a remote attacker was able to use a man-in-the-middle attack — intercepting traffic between the car and the company’s servers while passing themselves off as one or the other — they could compromise the dongle, and so have complete control over the car’s engine. Potentially, this attack could compromise not just a single vehicle but fleets of vehicles, depending on what data was exposed from the company’s servers.

The main issue is for manufacturers to design products with security in mind, and provide updates swiftly once security flaws and vulnerabilities such as these are discovered. Some manufacturers are much better at doing so than others.

In this case, the dongle does not attempt to validate or demand signed firmware updates, its boot process is not secure, it doesn’t authenticate the mobile phone connection, nor encrypt the data it sends, nor is it hardened in any way against potential attacks.

“Basically it uses no security technologies whatsoever,” Thuen remarked. It’s essentially an open door.

Other security compromises based on computer systems in cars include using Bluetooth MP3 players, where malware disguised as a music track is loaded into the car’s systems to compromise them, or through applications on smartphones that use the Bluetooth connection to access the car’s systems.

On top of the distinctly disturbing idea of your car being hijacked and remotely controlled, there are also privacy concerns about the data the car collects about you. As well as information about driving habits, GPS data can locate you and build a pattern of your comings and goings, posing further risks.

There’s long been a problem here due to closed, proprietary systems to which you the owner and user don’t have access — something open rights campaigners such as the journalist Cory Doctorow have noted.

Usually, security advice includes not clicking on dodgy links, and keeping your antivirus and other software up to date. But with a car you are choosing to place your body inside a one-ton computerised cage travelling at 120km/h, which may no longer be in your control.

The solution, long understood by security researchers, is that software needs to be open to inspection so that bugs and flaws are easier to find and report, and so the software is fixed and improved more quickly. Closed, proprietary software puts users at unnecessary risk by obscuring potential problems that may not be made public, but could equally have been discovered by criminals who are only too happy to exploit them. Drivers need to understand how the modern car has changed and continues to change, and to lobby the car industry to change their approach.

Andrew Smith is lecturer in networking and Blaine Price is senior lecturer in computing, both at The Open University
This article was originally published on The Conversation

Follow TechCentral on Google News Add TechCentral as your preferred source on Google

US scored ‘own goal’ with ban on top Anthropic model

Fox is buying streaming hardware firm Roku for $22-billion

Where SA remote workers can keep the most: Wise, Grey, Payoneer or PayPal

How Russians juggle VPNs to outwit the Kremlin

The millions Vodacom spends protecting its CEO

Google on the hook for what its AI tells users, court rules

Amazon CEO flagged Anthropic AI risks to Washington

Trouble at Xbox

Meta declares war on Israeli spyware firm

Meta takes on OpenAI and Anthropic in enterprise AI

AI boom sparks rally, frenzy and fear

Every plug-in hybrid on sale in South Africa, ranked by price

What Wi-Fi 8 will mean for wireless networks

Alfa’s electric rebel

Africa switches on as Europe dims the lights

Watts & Wheels S1E5: ‘A Bentley of the bush and a car that swims’

TCS | Charge’s R1.8-billion bet on an off-grid EV future

TCS+ | The Up&Up Group on the hidden cost of AI

TCS+ | The retirement decision most South Africans get wrong

TCS | The Cape Town start-up listening for TB with AI

The clock is ticking on South African banks’ biggest advantage

Clashing judgments leave South Africa’s crypto law unsettled

The trap inside South Africa’s banking MVNO boom

The hidden cost of social media age bans is everyone’s privacy

Treasury’s crypto crackdown is a betrayal of Mandela’s promise

Next to get hacked: your car

Clicks to bricks: Yuppiechef to open physical stores in Gauteng

What’s gone wrong with the World Wide Web

Internet hoaxes flourish on Facebook

When jammers kill the signal, AI goes blind too

Workday Horizon shows SA firms how to make AI deliver

Hisense, Makro team up for winter laundry promotion