New technology leads to rise in cybercrime

Electronic systems are attractive but they also open vulnerable access points

Car hacking: the more complex the electronics – and the more interaction they are allowed with the outside world – the more vulnerable you and your car are to unwanted attention

For the past five years, we have been talking about Volkswagen’s MQB chassis and the huge number of vehicles using it as the basis for their construction.

To call it a chassis is something of a misnomer. Instead it is a set of highly versatile components, with few fixed points of reference, which can be juggled and reshaped to provide a multi-branded range of hatchbacks, saloons, estates, MPVs, coupes and more.

And now it's second best. Not second best to the work of another manufacturer, but second best and potentially of secondary importance to the VW Group.

MQB has an internal competitor called the Modular Infotainment Matrix (MIB). With MIB, we have reached something of a tipping point where at least as much time, if not more, was spent talking about and demonstrating the ins and outs of an electronic set-up as was spent on the mechanical demonstration of the car itself.

On a day in Munich, where VW was showing off its mighty 240hp BiTurbo TDI Tiguan SUV, we only got a cursory look at the turbo plumbing. Hours were spent on the minutiae of electronics.

Not that the electric bits are not impressive. Volkswagen’s Car-Net system debuted on the MkVII Golf GTI and has since been available on certain Passat models and anything with an electric or hybrid drive. But now it’s spreading to all models and the Tiguan was chosen as the launch vehicle to show off some new tricks. From an app, you can do such things as check the amount of fuel in the tank, the status of the doors and locks, the last location parked and more.

Warning messages

You can have the system send warning messages to your phone if the car exceeds a speed limit or travels outside the boundaries of a pre-set area (handy for nervous parents, that one).

Inside the car you (or, as VW suggests is healthier, your passenger) can call up on screen weather forecasts, news feeds, car park locations, availability and pricing and how much a litre of fuel costs at the nearest pump. There are even more options for entertainment including full integration with a tablet for those in the back seat.

There are systems that will call the emergency services for you in the event of an accident or ask your dealer to ring you to book in a service when the computer reckons the car needs attention. It is a bit overwhelming. And impressive. And vulnerable.

This is not to point any finger of blame or accusation at VW. Rather, it’s an area of increasing concern for all carmakers and all car owners. More complex electronic systems were once seen as the solution to issues such as break-ins, theft and tampering. Now, it’s the reverse: the more complex the electronics – and crucially the more interaction they are allowed with the outside world – the more vulnerable you and your car are to unwanted attention.

‘Internet of things’

We are truly in the era of the “internet of things”. The Tiguan I drove, impressive though its powerful diesel engine was, was perhaps more impressive for its technology. Not only did it contain its own built-in wifi hotspot, not only could you connect your phone to the car to use its 3G or 4G signal but you could even connect the car to an external wifi transmitter. This would allow you to download large files such as navigation map updates to save your mobile data costs.

But if there’s a way into the car’s brain, then there’s a way to get in and do things that you don’t want done. As far back as 2010, “hackers” were showing that they could access a car’s brain and take control of certain functions.

In 2015, researchers remotely controlled the locks of a BMW over a mobile phone network. Then, as part of an investigation by Wired magazine, another research team took control of a Jeep Cherokee while it was being driven and steered it off the road.

Then came the Nissan Remote app hack, then the Mitsubishi Outlander PHEV hack . . . You can see the trend.

But what is being done to protect us from such invasion, intrusion and invidiousness?

Volkswagen's Sebastian Shiebe says: “As you mention there are more and more ways to contact the car. Such as even the tyre pressure monitors, the USB port, the Bluetooth systems. So our technical department is aware of the situation and we try to provide the best security for our customers that can be built into the car.

Computer area networks

“So, for example, we have separated computer area networks in the car. You have the engine network, the network for brakes, for gears and so on, and then for the entertainment.

“While previously there have been some successes in getting through to some cars, through entertainment systems and so on, and there may still be cars on the street that do not have separated computer area networks, but we do and it’s on all our cars.

“Anyone who is aware of this kind of technology would say that there will be, even in the future, no 100 per cent secure system, there is always the question of how good the system is against the criminal energies that are placed against it.

“But at any point, let’s say you take any system and you spend two months with it, you perhaps get into the system, so we must have a very high stage of security for our customers, and we are working every day on this.”

Prof Tim Watson, director of the cybersecurity centre at the University of Warwick in the UK, has just set up a full-size vehicle simulator which will allow his team to subject a huge variety of cars to cyberattack to put their security systems to the test.

He told The Irish Times that the most likely forms of future attack on cars were identity theft and holding the car's systems to ransom, threatening to shut everything down if cash is not paid.

“We see ‘ransomware’ on PCs and we can see it on cars so we do need to make sure that they are resistant to those kind of exploits,” he says.

However, he is sympathetic toward the plight of the carmakers as they feel their way into a new world of electronics and security.

“They have issues. Every time you add an extra bit of physical kit, it affects the miles per gallon; it may well affect the emissions of the car. The way that we measure the success and the value of a car perhaps needs to change to allow the carmakers the space they need to include a bit of extra kit or whatever they need,” Watson says.

“In general they are now aware of the problem and are struggling and making sometimes disjointed efforts to change the way that they develop cars in order to make sure that cybersecurity is ‘baked-in’ to that process.

“We will get there. I think some manufacturers are taking it more seriously than others, and often it’s the ones who’ve suffered the reputational damage already who suddenly start taking it much more seriously.”

What more can be done to fight the hackers? Shiebe says it’s all about good practice and communicating with the experts.

“We’re getting higher and higher levels of connectivity, with communication from car to infrastructure, from car to car and so forth,” he says.

Watson says the consumer can do a lot to insulate themselves but that it’s down to owner, expert and carmaker to work to try and ensure the tightest security possible.

“Well, it’s about asymmetries, it’s about who’s got what knowledge and where the resources lie and what the intentions are,” he says.

“So often the predator/prey thing is expressed as if a lion misses an antelope, the lion just misses out on one lunch. There’s rather more at stake for the antelope. And that’s exactly why most of the time, the lion does miss the antelope.

Digital life

“For many businesses, it can be catastrophic if they’re attacked; for the attacker, it’s just a missed lunch. In terms of uncertainty, an organisation certainly has the potential to know more about its own systems than an attacker.

“In some respects, it isn’t that things are weighted on the side of the attacker. I know it’s said the attacker only has to get lucky once, and the defender has to be lucky every time, but I don’t think it’s as clear cut that the attackers automatically have the upper hand.

“I guess you need to isolate your digital life as much as you can. If you do online banking, don’t do it on your phone and pair your phone with a hire car. Try and keep the things you value in an isolated part of your digital life.

“The best thing I would say is ask questions. When you’re on online forums doing your car-buying research, when you’re in a dealership, when you contact the manufacturer, ask about cybersecurity. The more they’re asked questions, the more it becomes a selling point for them to have good cybersecurity. Oh, and don’t have nightmares . . . ”

Neil Briscoe

Neil Briscoe, a contributor to The Irish Times, specialises in motoring