Charlie Miller, left, and Chris Valasek remotely hacked into a 2014 Jeep Cherokee as part of a test to show the vulnerabilities of vehicles that have Internet connections. (STEVE MARCUS)

Driving Concerns

What can a hacker realistically do to my car and should I be worried?

What could a hacker realistically do to my car? And why would anybody even bother? Right now, can a kid access my car in 30 seconds with a laptop, like hackers seem to do on all those TV procedurals, and steal my car or get me to drive off the freeway? - Rich, Vancouver.

Hacker Chris Valasek famously used a laptop to make a Jeep Cherokee do terrifying things.

Like display a photo on its infotainment screen of Valasek and partner Charlie Miller in tracksuits. And stop entirely on a busy highway.

But Valasek’s not worried about his own car being hacked. At least not yet.

“If it tells you anything, I'm not afraid to get into my car and I am one of the people capable of hacking a car,” said Valasek, security lead at Uber’s advanced technologies centre, in an e-mail. “Right now it's still really hard to do, and takes a lot of resources - that being said, as technology progresses, hackers may try to attack cars.”

After Valasek and Miller’s hack in July, which also took over the Jeep’s steering and cut the brakes, Chrysler issued a recall and put out a software fix for more than 1.4 million U.S. vehicles. There was no recall in Canada.

The stunt was designed to warn of a hackable flaw in the company’s Uconnect system - which potentially allows access to anything that’s controlled by the car’s computers. But Chrysler’s not the only company that’s hackable.

“Right now, cars are in a transition state - they don’t really realize they’re on the Internet,” Craig Smith, CEO of Theia Labs and author of the Car Hacker’s Handbook, told Globe Drive. “Consumers want Internet access points in the car, they want Facebook in the car - and auto makers aren’t really thinking about security.”

FBI warning

In the U.S. this month, the FBI, the Department of Transportation and the National Highway Traffic and Safety Administration issued a public service announcement warning about the dangers of attacks on cars over the Internet.

So what could a hacker actually do to your car, whether it’s on the 401 highway or sitting in a Costco parking lot? Could they steal it?

They could. But there don’t seem to be any official reports of anybody actually doing that yet.

“I don’t want to give the impression that people are doing this in criminal theft rings, but could somebody in my position use a laptop to unlock and start a car? The answer is yes,” Smith said. “A lot of times when I’m doing an engagement for companies, I can stop once I’ve unlocked and started the car - because then you can prove that you can do anything else. But I don’t always get that far.”

So far, it doesn’t look like even the most sophisticated thieves have used the Internet to get into a car, Smith said. Instead, crooks have reportedly hijacked the signal from keyless entry fobs, or made their own.

No immediate risk?

Right now, hacking into cars typically involves taking systems apart — and studying them for months. Once a car has been hacked, hackers usually tell how they did it - so companies can fix the problem.

“Years ago, academia pointed out that electrical control grids could be attacked and [officials] said nobody’s ever going to do that - and then the Ukraine was hit,” Smith said. “It might take a while for a flaw to get abused - but if you don’t fix it, eventually it will get abused.”

When you get into your car, you don’t have to type in a password — so your car assumes that anybody who has access is supposed to be there, Smith said.

So far, there hasn’t been a known case of a kid hacking into cars for kicks - or a hijacker wanting to wreak real havoc.

“So far, I don’t know of anybody trying to cause damage and it does take a certain kind of person - you’d have to be a sociopath,” Smith says. “It’s different than hacking a website - people deface a website without thinking about it.”

But if someone decided to do it, “there isn’t a whole lot in the way to stop them,” Smith said.

Smith hopes the FBI announcement will get car companies to start taking hacking risks seriously — and design ways to make it impossible to access the engine, steering, transmission and brakes.

“There were still a few companies who want to pretend that they’re not connected to the Internet anymore,” Smith said. “[Hackers] probably aren't crashing a car anytime soon, but there’s a potential for it.”

Dongle dangers

Even if car companies do fix the problem, there are aftermarket devices - like telematics devices that monitor driving and send the info to parents or insurance companies - that plug into the diagnostics port and can easily give hackers access to your car’s key system.

“You’ve now attached some device to a critical part of your car that typically has a cellular connection,” Smith said.

The best way to keep your car safe from hackers?

Make sure your dealer is installing software updates. And keep checking the manufacturer’s website for warnings of security issues.

“Don’t plug in foreign dongles and don’t drive with them,” Smith said. “Otherwise, it’s consumer beware.”
