A recent study has discovered that electronic immobiliser systems used by 26 different manufacturers could be vulnerable to hacking.
Following police reports out of London that were unable to identify how some vehicles were being stolen, security specialists investigated the potential causes.
Digital security specialists, Baris Ege and Roel Verdult from Radboud University in The Netherlands, and Flavio Garcia from the University of Birmingham in England, compiled the report.
Their findings showed that as many as four out of ten vehicle thefts in major cities could involve some form of vehicle hacking.
Over 100 different mainstream models, particularly those equipped with a starter button in place of a key, are vulnerable to hacking by thieves with the correct equipment.
The results of the report have been suppressed by vehicle manufacturers to keep the information out of the hands of criminals, and to allow time to develop security patches.
Currently vehicle immobilisers work by sending a rolling code each time you unlock or start your car. By intercepting this signal, thieves could imitate the key and trick a vehicle’s security system into thinking a correct key is present.
The researchers who compiled the report were also able to demonstrate a way of gaining entry to a car, by sending trial and error signals until they found a matching code to access the vehicle. In less than 30 minutes they were able to start the car.
All of these entry methods first require physical access to the car and cannot be done remotely.
In July American researchers were able to demonstrate their ability to hack a Jeep Cherokee equipped with Chrysler’s internet-enabled Uconnect infotainment system.
As well as being able to operate the radio or wipers of the car, vehicle control systems such as the brakes, or accelerator could also be controlled remotely.
Jeep immediately issued a security patch for the affected vehicles. Australian delivered cars were not affected by the vulnerability.
As more vehicles become connected to outside networks, the internet, and vehicle-to-vehicle communications, more potential points of entry become available to hackers.
In the Jeep example, American researchers Charlie Miller and Chris Valasek, used the infotainment system to then communicate with other interconnected Electronic Control Units (ECUs) in the vehicle.
Although connecting the communication entry point to safety-critical systems may not be easy, other information can also be gleaned from the vehicle, from the radio station being listened to, to the car’s current location or destination, via satellite navigation.
Vehicle manufacturers meanwhile, are working to tighten vehicle security. Companies like Tesla have employed security experts to find and close any potential security loopholes.
For owners of the vehicles in the suppressed European report though, it remains to be seen what can done to keep their vehicles secure, or if manufacturers will issue recalls in a similar way to what Jeep has done.