How Phone-as-Key, Remote Start Apps Can Make Your Car Easier to Steal
You can now use your phone to access and drive your car—but so can hackers.
With more vehicles getting over-the-air (OTA) updates and even some remote control features via smartphone apps such as Ford's FordPass or Genesis's homegrown effort, new cars are very connected. Bluetooth and near-field communication (NFC) signals have allowed owners of certain cars to drop keys altogether, relying solely on their phones for access and starting. And don't get us started on the reams of personal data harvested from those phones and our cars every day. Blend all of this connectedness together, and it spells opportunity for anyone with the right technical know-how and bad intentions. Security risks layered on top of the data leak risks? It leads us to wonder, just how safe is that data and your vehicle's security in this ever connected industry? From what we gather, it's not great news.
Hacking For Entry—TV Stunt or Real?
We've covered this as early as last year, but gaining entry to a modern vehicle that isn't yours isn't as difficult as one would think, as explained by "Occupy the Web"—or simply known as "OTW," a hacker who claims to have trained "every branch of the U.S. military and intelligence"—in a YouTube series. The informative clips also feature David Bombal, a Cisco engineer and Information Security expert, and riff on the hacking exploits found in the USA TV series Mr. Robot. In the fourth episode of the first season of Mr. Robot (da3m0ns.mp4), a pair of hackers make it look relatively easy to access a car and even begin to operate it.
As Bombal and OTW demonstrate, the show is not only not far off from reality but also shows that the tools and methods they used are real. Therefore, yes, this is actually possible, provided you have the right tools for the job and some research on the commands to operate the target vehicle.
That equipment and programming is readily available, too. RF and Bluetooth sniffers come in packages that can be easily hidden in your pocket, by cloning the signals between a key and the car's ignition and door locks, for example. Devices like the Flipper Zero can be used to simply access your vehicle if the security protocols are old enough. Starting a car using an OBD CANBUS reader that plugs into a laptop can be found on many DIY repair sites, and the code for making the car start is on the web already. Those aren't the only points of vulnerability in accessing your car's data and controls: it's your phone and the app used to control your vehicle remotely.
Connections
Special tools aren't needed to steal a car anymore—just your phone. Just recently, Global Newstold the story of an accidental theft of a Tesla because the owner of a Model 3 mistook their car for someone else's. The car had the same color and most of the same features as the original owner's car, but the phone app allowed the mistaken owner to not only unlock the car, but also drive it away without any issues. It wasn't until he received a text that he knew something was wrong and he was in the wrong car.
Amusing thought this story may be, it at least wasn't nefarious. It turns darker when someone wants to enter your car in order to steal it or your valuables—you know, on purpose. Turns out, it's potentially easier than you might think and it's not down to bad luck.
We spoke to Sam Curry—a cybersecurity expert and white hat hacker who found the Reviver Digital License Plate vulnerability—about other ways hackers can easily access your car and even your data. One of the first things we asked him was how concerned he was about these issues in the automotive industry. "After performing this research," said Curry, who is referring to the research on mobile device and vehicle vulnerabilities he and his team performed, "I'm very much concerned with the future of car security. These issues were not incredibly complicated and many of them were very surface level."
What he means by this is that the access isn't deeply rooted in some sort of secret server that you need inside knowledge to find. It's all in the site you use to access the application connected to your vehicle like Ford's FordPass, the Tesla App, and others.
That's because how those applications work with your phone aren't 100-percent tied directly to it. To oversimplify this explanation, many apps utilize websites that your phone connects to while the user interface is designed to work specifically with the device. You never see it, but there is a middleman website that handles many functions of the application. Again, that's an oversimplification because it does depend on what the application does, i.e.: a simple speedometer or level app will just rely on the sensors built into your phone, but your banking or streaming app requires a website to send information to and from the phone. Your car's apps are similar—if not are exactly the same—and use the same 4G and 5G networks to connect to the internet, as well. That also means that having many of the same applications, features, and connections as your cell phone does opens up your car to the same exploits bad actors have used on phones in the past and up to right now. These exploits don't require physical hacking tools and hardly require specialized knowledge to create and execute.
Just Find the Middleman
One needs only to know how a website and applications work in order to exploit a modern connected vehicle, and much of that knowledge can be found freely online. The applications to make your car unlock its doors from your phone works off of the same programming your phone does for things like locating itself, remotely unlocking your phone from its lock screen, and even accessing the cameras. This can all use a middleman website the user never sees or ever directly interacts with. "The middle area between the car itself and the mobile app, which is used to unlock vehicles, is ripe for exploitation," says Curry, "By attacking this middle area, it is possible to compromise vehicles and cause very real harm to people." These sites aren't hidden and can be found with some clever, but not impossible to figure out, searching online. Once found, those hackers have direct access to a user's data for both them and their vehicle.
Just by having that surface level access, vehicles could be tracked and even be susceptible to remote access to unlock doors, start the engine, or even peep the 360-view camera in real time. Beyond that, hackers could have access to a user's private information and change digital ownership of the vehicle within the app. All they would need to have is the VIN and access to the connected app website that controls the vehicle.
In other words, the characters in that Mr. Robot episode wouldn't even need those RF or CANBUS access tools to drive the car away if its owner connected it to their phone (the car in that show was too old, but we digress). "Someone could have exploited the issues that we reported to remotely locate a vehicle, remotely unlock it, then drive it away via generating a phone connected keyfob," said Curry, "Thieves can absolutely take advantage of vulnerabilities like this to steal cars."
What Are the OEMs Doing?
Fortunately, when Curry or any white hat finds these exploits and reports them to the automotive manufacturers, they respond rather quickly (if very quietly). "They are all very receptive after the reporting and when validating the fixes," said Curry. He also pointed out that the issues found during his team's research were fixed within one to two business days. The issue is that Curry and other white hats are required to do this without any sort of monetary compensation from those OEMs. While you might scoff at the idea of someone being paid when they weren't asked to report or find on these vulnerabilities, it's a common practice within the cybersecurity world. In other words, the automotive OEMs aren't providing the incentives of any kind to find these issues—while other tech giants outside of the car industry do. "Few [automakers] offer monetary bounties or public recognition for reporting these issues," said Curry. Bounties and other incentives after finding these exploits are the norm in the cybersecurity world.
Recognition is free and that can be enough for a few in the hacker community for either side of the good guy-bad guy line. The car and the data are both very valuable and the car is a very expensive investment for most people, especially right now. "Overall, I am worried about car security moving forward," continued Curry, "and I do not feel that many automakers are dedicating enough resources towards this problem."
The worst part is that these vulnerabilities and exploits wouldn't require a massive recall when found. At most, they just require an update to the app on the phone or updating the code of the middleman website that handles everything between your phone and your vehicle. Again, considering just how valuable your data and car are, paying a bounty or giving recognition are cheaper than the bad reputation, loss of faith, and potential lawsuits these easily solved exploits could cause.
What Can Owners Do?
If the OEMs aren't stepping up to secure your car and data, what can you do to prevent this from happening? To be honest, not a lot. The only good news is that for the average criminal looking to make a quick buck, it's still easier and quicker to break a window than it is to dedicate some time to scope out a car and read up on website coding. Though when it comes to tracking (again, for nefarious purposes), someone who doesn't want to plant a physical device on their target vehicle, for example, could find a site that would only need a VIN and some cryptocurrency to track someone by utilizing the middleman site hack.
If that is a real concern you have, then you may want to look into ways to have those features downgraded or see if they can be removed. Many of these apps require your acceptance for those functions to work, so not opting into them is the number one option for that. The main thing is to talk to your dealer about what connected features your new vehicle comes with and know what's being accessed by your phone and what's not. "If you own your own vehicle," says Curry, "there is no reason that you cannot disconnect the remotely connected functionality."