All the frenzy over car-hacking would make more sense if the risks weren’t so easy to reduce: Just drive a simple car.
The threat of hackers taking control of cars has lately elicited perhaps more excitement than it deserves. The success of two security researchers in remotely hacking a Jeep – and taking over its accelerator while in motion – has prompted a class-action suit, a Senate bill to require vehicle makers to protect cars from such attacks, and a 1.4 million-vehicle recall, all without a single incident of malicious hacking.
That said, cars have long been susceptible to hacks. Consider, for example, keyless theft. Criminals have stolen thousands of cars – including David Beckham’s BMW X5 SUV in 2006 – by cracking the code needed to disable the immobiliser, a theft-prevention device that is obligatory in the EU and that 86 percent of cars in the US have. The immobiliser employs a radio frequency identification (RFID) chip that will not allow the engine to run unless the car’s original key, which transmits the necessary code, is present.
The car industry does not want people to hear too much about hacking immobilisers. Bloomberg News reported on Friday that Volkswagen, the world’s biggest car manufacturer by volume, had spent two years trying to suppress a report – now finally public – concerning a flaw in the chip that powers immobilisers. The paper’s authors, Roel Verdult, Flavio Garcia and Baris Ege, found three vulnerabilities in the Megamos Crypto RFID transponder used by Volkswagen, Fiat, Honda and Volvo. They said a successful attack took them about 30 minutes. Although those vulnerabilities are probably fixed, new ones will inevitably arise.