Car hacking — how does it happen?
We look at how car cybersecurity research has evolved, using attacks on the Chevy Impala in 2010, the Jeep Cherokee in 2015 and Kia in 2024 as examples, and at how the speed of automakers’ responses to discovered vulnerabilities has changed over the years.
Future Crew
Many people don't think about it, but modern vehicles are advanced computers on wheels that are permanently connected to the automaker's digital infrastructure via the Internet. And as we have seen more than once, any computer can be hacked, and cars are not an exception in this respect.
Today, using two research projects as examples, we will look at how experts were just beginning to explore the possibility of remotely hacking cars in 2010 and 2015, and we will also discuss this year’s attack targeting millions of Kia cars. In addition, we will talk about how automakers adapt to new threats.
Vulnerability that took five years to remediate: the hacking of General Motors cars
Perhaps the first serious car hack can be considered the work of a group of researchers from the University of California, San Diego and the University of Washington. In 2010, they developed an exploit that allowed them to gain nearly total control over the car.
At the time, the researchers chose not to publicly disclose the name of the company or the vulnerable car model, and instead reported the discovered vulnerabilities directly to the automaker. Later it became known that the car in question was a General Motors model, the 2009 Chevy Impala. General Motors took an incredible 5 years to develop protection against the attack.
In 2010, data transmission in mobile operator networks was significantly less reliable than voice transmission. So the developers of the Chevy Impala's OnStar computer came up with a workaround: they used a voice connection to communicate with the car based on the principle of old-fashioned modems. Thus, the on-board computers were programmed to establish a connection to any device that called them “by voice” and played a certain series of audio tones.
The researchers studied the protocol used in OnStar and created an MP3 file that could trigger an error in the on-board computer known as a “buffer overflow.” This vulnerability gave the researchers initial access to the computer. They then succeeded in reaching the CAN bus, which controls everything from windshield wipers to brakes. According to the researchers, the steering system was the only thing they could not gain control over.
Why did the company take as long as 5 years to remediate such a serious vulnerability? Researchers claim that the process took so long because the entire automotive industry was unprepared for a new type of threat. One of the authors of the Chevy Impala vulnerability study, Stefan Savage, said:
“They just didn’t have the capabilities we take for granted in the desktop and server world. It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists.”
Two attacks targeting the 2014 Jeep Cherokee
Five years after the General Motors hack, two other hackers, Charlie Miller and Chris Valasek, developed an attack targeting the 2014 Jeep Cherokee. In fact, they developed two attacks, which they presented in detail at the Black Hat conferences in 2015 and 2016, respectively.
In 2015, Miller and Valasek exploited vulnerabilities in the car's smart functions, namely the automatic parking system and the diagnostic mode, to remotely take control of a Jeep Cherokee. Thanks to the bugs they found, the researchers were able to control the car remotely, including turning the steering wheel and controlling the accelerator.
The main limitation of this attack was that it worked only if the car was traveling at a very low speed — up to 5 mph. This was due to the fact that vulnerable smart functions are used when driving quite slowly, or even with the engine turned off. So at high speed they simply did not activate.
In 2016, Miller and Valasek improved their technique and succeeded in overcoming this limitation. They found a way to send false speed data over the same CAN bus to trick the car into thinking it was stationary even when it was actually moving down the highway. This allowed researchers to remotely exploit discovered vulnerabilities at higher speeds.
The list of actions available to them was even expanded to include control of the power steering and the ability to engage the parking brake. None of this gave the hackers absolute control over the car: the driver could still physically turn the steering wheel or press the brake pedal by applying a certain force. However, to do this, the driver had to notice that something was wrong before it was too late.
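The false speed data described above can be caught on the bus itself. The following is an added example, not code from the researchers or any automaker: a small monitor that flags a periodic speed message arriving too often or changing faster than a vehicle physically can. The CAN ID, broadcast period, threshold and frame layout are assumptions, and the traces are constructed.

```python
from dataclasses import dataclass

SPEED_ID = 0x3E9         # hypothetical CAN ID of the vehicle-speed message
PERIOD_S = 0.020         # assumed nominal broadcast period: 20 ms
MAX_DELTA_KMH_S = 60.0   # assumed ceiling on plausible speed change per second

@dataclass
class Frame:
    ts: float         # receive timestamp in seconds
    can_id: int
    speed_kmh: float  # speed signal, already decoded from the payload

def detect_speed_spoofing(frames):
    """Return (timestamp, reason) alerts for the speed message."""
    alerts, prev = [], None
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.can_id != SPEED_ID:
            continue
        if prev is not None:
            dt = f.ts - prev.ts
            # A second sender on the same ID shortens the gap between frames.
            if dt < PERIOD_S / 2:
                alerts.append((f.ts, "rate"))
            # Real and forged values alternate, so the signal jumps faster
            # than a vehicle can physically accelerate or brake.
            if abs(f.speed_kmh - prev.speed_kmh) / max(dt, 1e-3) > MAX_DELTA_KMH_S:
                alerts.append((f.ts, "jump"))
        prev = f
    return alerts

# Constructed traces: the genuine ECU reports 100 km/h every 20 ms ...
GENUINE = [Frame(i * PERIOD_S, SPEED_ID, 100.0) for i in range(5)]
# ... and two forged "stationary" frames are interleaved with it.
FORGED = [Frame(0.045, SPEED_ID, 0.0), Frame(0.065, SPEED_ID, 0.0)]

if __name__ == "__main__":
    for ts, reason in detect_speed_spoofing(GENUINE + FORGED):
        print(f"{ts:.3f}s  {reason}")
```

Because the genuine sender keeps transmitting, forged frames show up both as extra traffic and as an oscillating value, which is why the two checks fire together on the mixed trace and stay silent on the clean one.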
Fiat Chrysler, the manufacturer of the Jeep Cherokee, patched the vulnerabilities somewhat faster than General Motors: according to researchers, some of the bugs were fixed within a year. The publicity around this hack led Fiat Chrysler, General Motors and Tesla (whose car was also hacked shortly afterwards) to launch bug bounty programs. And this was certainly a step in the right direction.
How millions of Kia cars were hacked in 2024
Now let us fast forward almost 10 years to discuss a fresh way to potentially compromise millions of Kia vehicles through a vulnerability in the company's customer and dealer web portal. It was discovered this summer by a team of cybersecurity researchers.
The essence of the vulnerability was that, with some relatively simple manipulations via the API, anyone could register a car dealer account on the Kia portal. With a Kia dealer account, the details of the owner of any car, including first and last name, phone number, email address and postal address, could then be retrieved.
As the researchers found out, any Kia dealer can access all this information, not just the dealer that directly sold the car to the owner. All that is needed is the vehicle's VIN, which is not secret information. In some countries, such as the United States, there are even publicly available databases of VINs.
Having found out all the personal data of the car owner using the car dealer’s account, the researchers were able to register the car on the same portal to their own client account. This way, they were able to track the car's movement via GPS, open the doors and start the engine — all via the Internet.
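The authorization gap described above, where any dealer account plus a VIN was enough, is shown below next to a hardened check. This is an added example, not Kia's code or the researchers' tool: the account store, field names, tokens and the sample VIN are all hypothetical and constructed.

```python
class Forbidden(Exception):
    pass

# Constructed sample data; every field name and value is hypothetical.
VIN = "VIN0000000000TEST"
VEHICLES = {
    VIN: {"selling_dealer": "dealer-17",
          "owner": {"name": "A. Owner", "email": "owner@example.test"}},
}
ACCOUNTS = {
    "tok-dealer-17": {"id": "dealer-17", "role": "dealer", "verified": True},
    "tok-dealer-42": {"id": "dealer-42", "role": "dealer", "verified": True},
    # Self-registered through the API, never vetted by the automaker.
    "tok-selfmade": {"id": "dealer-99", "role": "dealer", "verified": False},
}

def owner_lookup_weak(token, vin):
    """The flaw as the article describes it: only the role is checked."""
    acct = ACCOUNTS.get(token)
    if acct is None or acct["role"] != "dealer":
        raise Forbidden("not a dealer")
    return VEHICLES[vin]["owner"]

def owner_lookup_hardened(token, vin):
    """Check vetting and the account's relationship to this vehicle."""
    acct = ACCOUNTS.get(token)
    if acct is None or acct["role"] != "dealer":
        raise Forbidden("not a dealer")
    if not acct["verified"]:
        raise Forbidden("dealer account has not been vetted")
    vehicle = VEHICLES.get(vin)
    # Same error for an unknown VIN and for another dealer's VIN,
    # so responses cannot be used to confirm which VINs exist.
    if vehicle is None or vehicle["selling_dealer"] != acct["id"]:
        raise Forbidden("no access to this vehicle")
    return vehicle["owner"]

def is_allowed(lookup, token, vin):
    """True if the lookup returns owner data for this token and VIN."""
    try:
        lookup(token, vin)
        return True
    except Forbidden:
        return False
```

The hardened version ties access to the specific vehicle record rather than to the role alone, so a self-registered account and an unrelated dealer are both refused.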
As a result, the researchers created an application that made it possible to hack almost any Kia car in just a few seconds, knowing only its registration number. The researchers notified the automaker about the vulnerability they had found and published their work three months later, after the hole in the portal was closed. This also shows how much faster automakers have learned to fix vulnerabilities in their infrastructure.
Trends in the cybersecurity of cars
Researchers note that the pace of adoption of cybersecurity measures in cars lags behind the pace of innovation, which makes modern vehicles vulnerable to cyberattacks. Experts highlight the following key cyber threat trends for cars in 2023:
• An increase in the share of detected attack vectors on cars via network connections (49%). This indicates a noticeable shift towards remote cyberattacks targeting cars.
• An almost equally significant portion of all identified attack vectors (40%) targeted local vehicle software, including operating systems, Electronic Control Units (ECUs), and Software Bill of Materials (SBOMs).
• At the same time, the share of attack vectors related to physical access to equipment has decreased significantly compared to 2018 and now amounts to as little as 10%.