Electronic hacking — coming to a car near you?

Not likely, according to the National Motor Vehicle Theft Reduction Council (NMVTRC). The council is a joint initiative of Australian governments and the insurance industry, with a mission to drive down Australia’s high level of vehicle theft.

In a recent article on the supposed increase in electronic vehicle hacking, the council aims to separate the hype from the reality and finds that old-school methods are still the preferred mode for thieves.

NMVTRC said that while much of the hype has centred on hacking passive keyless entry and start systems (known as a relay attack), or remote hacking of the engine management system (EMS) via Wi-Fi connected entertainment systems, these types of intrusions are actually far more complex than being publicised.

They suggest that it involves a process of complicated trial-and-error programming by individuals who have unrestricted access to the target vehicle. Using a widely reported Wi-Fi attack on the Jeep Cherokee’s Uconnect system as an example, NMVTRC said that researchers conducted months of work to discover the vulnerability and to develop the complex code required to rewrite the vehicle’s CPU firmware. This method also required hackers to know the IP address of an individual car, out of the many thousands available on the network.

Jeep closed off vulnerability with an in-service software upgrade and NMVTRC concluded that the likelihood of a malicious attack on a specific vehicle using this method is near-zero.

In terms of keyless entry hacks, the maximum transmission range of eight metres is extended to around 50 metres (100 if attached to a large power amplifier), but at least two participants are required in the attack; one to remain close to the car and one to be near the electronic key. This method will apparently only work on certain types of car, dependent on systems architecture, and the car cannot be restarted once it’s out of the amplifier’s range, making it a dubious proposition for would-be thieves.

According to the article, significant numbers of late model BMWs were stolen in the UK in 2012 by cloning blank electronic keys and using a device that was connected to the car’s onboard diagnostics (OBD) port. Again, a software update fixed the issue.

In more recent times, small, preprogrammed, model-specific devices that upload via the OBD have been used to switch off the immobilisation function. Currently in the UK, a top target for this type of theft is the performance model of the Ford Focus and authorities are recommending the use of OBD port locks to counter this vulnerability.

NMVTRC advised that while in Australia there is presently no evidence of electronic devices being used to defeat security systems for short-term theft, and there is only limited evidence of these methods being used in profit-motivated theft, this is no reason for complacency. Vehicle security is now an arms race with each new generation of security being scrutinised for potential weaknesses as soon as it is released.

As the connected car becomes a reality, NMVTRC has said it will continue to monitor developments in overseas markets and liaise with importers, insurers and police services on these issues. It has suggested that, in the meantime, while high-tech theft methods steal the limelight, the reality is that more than 70% of all theft is via the very low-tech method of simply stealing the owner’s keys.

Image credit: © iStockphoto.com