24

There are lots of papers concerning car hacking. It is often done with physical access (by the OBD interface for example), sometimes without (Remote Exploitation of an Unaltered Passenger Vehicle).

The only case of exploitation I've read about is the theft of BMW cars. Are there some other cases of exploitation in real life by villains (or by governments, which can be pretty much the same)?

jwodder
Shan-x
  • 5
    It also depends on how you define the word "hacked". Researchers found a lot of Chrysler vehicles simply by scanning Sprint's IP space and were able to retrieve a lot of information about the cars using their research techniques. They were also able to reprogram _their own jeep_, over the air, to break through the security functionality and get complete control over the car remotely: https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/9493/ – Mark Henderson Jun 27 '16 at 15:27
  • There are few instances that are known to be related to hackers, either because maybe that many people aren't pricks looking to wreak havoc, or because the people and/or media expect that one-off instances are human error. It is technically possible that isolated instances that look like accidents were in fact assassinations where a car hacker(s) was involved, but it wasn't portrayed as such. – Signus Jun 27 '16 at 19:19
  • I think the main limiting factors are: A) remote hacking a car still requires a fair bit of expert level know-how, B) except if you're stealing the car (which is unlikely in a remote attack) there is no real monetary incentive... I.e. high cost, low benefits; thus a lower interest from the criminal world. – fgysin Jun 28 '16 at 12:04

2 Answers

25

As reported on Wired in March 2010:

More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.

Other than that, not much, as Sophos says:

The dangers of cyber attacks on cars has all been theoretical so far: at this point, there’ve been no real-world attacks, as far as we know. Only security researchers have managed to send cars into the weeds.

nhahtdh
J Kimball
  • 22
    A dealership had the power to remotely disable cars? That sounds wildly dangerous, even if used by the dealership rather than an intruder! – Woodrow Barlow Jun 27 '16 at 15:34
  • 4
    The problem here is "as far as we know." I don't think any of the police or even insurance people are set up to identify car hacking issues. – NotMe Jun 27 '16 at 15:47
  • 1
    @WoodrowBarlow It's been around for a few years and from what I've seen, the user should be able to determine that the car is in a safe location such as the borrower's residence before initiating the kill-switch. I'm sure some users will be inept and cause dangerous situations but given its usefulness for making sure people make their payments, I would imagine its usage is only going to increase as it becomes more of a commodity rather than a luxury. Also, I believe that banks are the ones pushing for this since they are the lenders. – MonkeyZeus Jun 27 '16 at 16:36
  • 6
    The remote disable systems used by lenders only disable when the ignition is off. So if the car is running/moving when the lender sends the command, the car will keep working until it's turned off. – longneck Jun 27 '16 at 17:09
  • 3
    @longneck - so, if you don't feel like making payments on your car, you could spend the savings on fuel to keep your car running 24/7. :D – TTT Jun 27 '16 at 18:19
  • @TTT That idea is 100% fool-proof!! – MonkeyZeus Jun 27 '16 at 19:28
  • 4
    @longneck: Um, consider the case where the engine stalls in a railroad crossing... – R.. GitHub STOP HELPING ICE Jun 27 '16 at 20:14
  • @R.. If the ignition doesn't work, you can still put it in neutral and roll it. If there's a train about to hit you, you're no worse off than if the car had stalled because it was out of gas. If you have more than a few seconds, that's enough to get out of the vehicle. If there's plenty of time, then you put it in neutral and roll it off the tracks. – Martin Jun 27 '16 at 20:40
  • 5
    @MartinCarney: Assuming time for driver/passengers to do anything, of course they can just get out, so the main risk of a vehicle stuck in a railroad crossing is damaging/derailing the train. And "you're no worse off than running out of gas" is not an argument when a malicious party introduced a *new, additional dangerous failure case* for their own greedy purposes. – R.. GitHub STOP HELPING ICE Jun 27 '16 at 21:18
  • @R.. It might *feel* like they're malicious to those in debt, but repo agents are just trying to recover lost capital. A repo agent doesn't want a car they're trying to repossess smashed by a train regardless of whether it's got people in it or not. The scenario you're describing is unlikely to occur by mere chance - a car stalled on a railroad track *after* receiving a lockdown command. If the lockdown was triggered maliciously, the driver still has to be reckless enough to ignore the warning lights and drive around the barrier, and *happen* to stall at just the right moment. – Martin Jun 27 '16 at 21:38
  • In such a case where a driver wouldn't have enough time to climb out of the vehicle to escape an oncoming train, they also wouldn't have enough time to start it back up and drive away, whether the vehicle's starter was disabled or not. – Martin Jun 27 '16 at 21:40
  • @MartinCarney: There are plenty of cases where inability to restart a car that's stopped is a safety hazard, and even more where it's a major nuisance to a large number of people not associated with the driver. Yes this happens already sometimes, but mostly with older cars in poor maintenance. Introducing a lot more cases where it can happen for purely selfish commercial interests is grossly irresponsible and is a (truckload of) lawsuit(s) waiting to happen. – R.. GitHub STOP HELPING ICE Jun 27 '16 at 21:50
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/41741/discussion-between-martin-carney-and-r). – Martin Jun 27 '16 at 21:52
-4

Yes, they can. My Jeep Cherokee was vulnerable. They even ran a segment on TV and I immediately went on line and found it to be true. I was referred to a Jeep website where I was able to download the patch to a thumb drive which I plugged in my car and started it up. It recognized the patch and installed it to the Jeep's computer. There is even a recall on this issue.

  • 11
    *"I immediately went on line and found it to be true"* then could you please add a source to your answer to back up your claim? – hd. Jun 27 '16 at 16:29
  • 3
    Where did you download the patch from? – user2320464 Jun 27 '16 at 16:47
  • The patch can be found at driveuconnect.com – Devin Jun 27 '16 at 17:34
  • 9
    You missed the point of the question. A security researcher demonstrated the flaw in the Jeep setup. However, there is no evidence of anyone actually using the flaw to do anything (steal a car, cause an accident, etc.) other than demonstrating the flaw. That is what is being asked: has the flaw been exploited? – longneck Jun 27 '16 at 18:46