Hackers Have a New Target: Your Car

Jim Motavalli

Jim Motavalli | Jan 22, 2014

Welcome to the murky world of car hacking. We’ve all heard of “chip tuning,” replacing electronics to get more performance, but what about altering your car’s black box data, rolling back the odometer, changing a VIN number, or, worse, accessing someone else’s car to steal it or even make it crash?

All this is not only possible but fairly easy in the murky world where automotive Internet access collides with electronic control of virtually every system in the car.
Last December, hackers Charlie Miller and Chris Valasek (working legit with the Defense Department) demonstrated they could gain remote access to the electronic control units (ECUs) in both a Toyota Prius and a Ford Escape, control the brakes, gas pedal, steering wheel and even the infotainment system. If the hackers didn’t like the driver’s Vivaldi, they could change it to death metal. 
But there’s more. Tom Kowalick, who chairs a black box group at the Institute of Electrical and Electronics Engineers (IEEE), says people are routinely hacking into those boxes, which are similar to event data recorders on airplanes, using cheap devices bought on the Internet. Why? So they can alter entries that show them speeding, or failing to apply the brakes before an accident. It’s the Wild West out there.

According to Ray Magliozzi, "We have not seen firsthand any of those hacker intrusions, but I'm sure we will."
Try this. Google “Youtube Stolen BMW 1M Coupe in less than 3 minutes” and you’ll see some guys in hoodies making off with a sweet ride by reportedly using an RF jammer to keep the actual owner from gaining access, then using a key programmer connected to the car’s OBD-II port. Off they go. Dealing with savvy thieves is “a constant challenge,” says BMW.

Kowalick markets a simple device to put your OBD-II port under lock and key, but maybe the bad guys would get through that defense, too.
The data recorder problem is a new one for me, but it’s troubling. According to Kowalick, a proliferation of videos on Youtube and websites show how to hack in and clear black box or airbag data using $40 devices they sell you, many made in Russia or China. “In just a few minutes online, one can locate products and services to roll back digital odometers and erase crash data by accessing the vehicle diagnostic link connector,” Kowalick said. They can evidently get away with this because there’s no clear law that you actually own the data your car generates.
Kowalick says there are three main reasons to hack in:

  • Reputation. Hackers do this stuff because, well, they can, and it’s a challenge to overcome any electronic barriers.
  • Financial gain. Need we explain why a car with 40,000 miles on it is worth more than one with 140,000? Data taken from recorders can also be sold for statistical or marketing purposes.  
  • Avoiding liability. The information recorded by the black box can be altered to make the driver’s pre-crash actions—braking, using the gas pedal—look better.

This whole area can make your skin crawl. It’s ugly, especially when you see how much is out there to help people mess with automotive electronic controls.

Fourteen states have some kind of regulation on event data recorders. The Driver Privacy Act, introduced late last year by Senators Amy Kobuchar and John Hoeven, would limit retrieval from event data recorders by anyone not the owner or lessee (unless a court ordered it, it’s retrieved as part of an investigation, or there’s informed written consent).
I know, you probably thought that your data was already protected. Guess again. And the Driver Privacy Act is hardly a slam-dunk. Like I said, it’s the Wild West out there. Here's a federal DARPA offiical talking about how hackers gain access:

Get the Car Talk Newsletter

Got a question about your car?

Ask Someone Who Owns One