A necessary part of learning how to prevent a cyberattack is watching and learning from how hackers can do it. To a certain extent, we need to encourage hackers to hack cars to expose code and design vulnerabilities (we just don’t want them to hack a real car that is moving), only we need them to do it a controlled manner.
In recent years, several high-profile cases have served to help us learn from vulnerabilities exposed in connected and automated vehicles that have been worth our full attention.
Subscribe to SAE’s growing collections of standards, papers, journals, books, and more for:
Once of those prominent examples includes a now a legendary 2015 Jeep Cherokee hack demonstration by two car hackers out to show just how easily it could be done. In 2017, a Chinese research team demonstrated how it hacked an infotainment system in Tesla model S—for the second year in a row. In 2018, a Volkswagen Golf and Audi A3 were hacked through the vulnerabilities present in its infotainment system.
The Jeep Cherokee hacking was controlled experiment. In it, hackers Charlie Miller and Chris Valasek famously used a reporter as "a digital crash-test dummy" to underscore vulnerabilities in connected entertainment and navigation systems. In this case, the two hackers were able to disable the brakes and drive the vehicle into a ditch. Moreover, they demonstrated how easy it was to overcome password protections with brute force attacks and sometimes simple guesswork based on the systems boot time.
Watch on YouTube: Hacking The Jeep Cherokee
In another well-known incident, Chinese security researchers were able to hack a Tesla Model X, turning on the brakes remotely and getting the doors and trunk to open and close while blinking the lights in time. Leveraging memory corruption techniques, they performed this demonstration to music streamed from the car's radio — which they dubbed "the unauthorized Xmas show." The complex hack involved sending malicious software through the infotainment system in a series of circuitous computer exploits. They were able to remotely control the car via both WiFi and a cellular connection.
Watch on YouTube: The Unauthorized XMas Show
If that isn’t scary enough, this should be: Computest, a Dutch firm, revealed that the infotainment systems inside some Audi and VW cars were vulnerable to remote hacking. The researchers, Daan Keuper and Thijs Alkemade, confirmed these exploits using a VW Golf GTE and an Audi A3 Sportback e-tron model. The two researchers used a car's WiFi connection to exploit an exposed port and gain access to the car's IVI. They also gained access to the IVI system's root account, which they say allowed them access to other car data.
Securing an automated and connected car against a cybersecurity attack is about preventing them at the gate. No developer is perfect and there will always be those hard to find vulnerabilities. Understanding the limitations of existing techniques and applying a built-in active defense mechanism is critical in today's advance infotainment systems.
A key way to understand those limitations and develop the critical mechanisms to thwart cybersecurity hackers is to learn from how they have succeeded in the past. To make that happen, we need to encourage cybersecurity hackers to keep doing what that do—just not on a live automated and connected vehicle.
Matt De Reno is SAE MOBILUS web portal manager at SAE International. His interests include automated and connected vehicles, micromobility, smart cities, and automotive cybersecurity.