You get what you pay for — a familiar concept, but not what you want to hear after coughing up plenty of cash for a smart car. Looking at the high base price tag, owners may be forgiven the temptation to avoid pricey extras offered by the manufacturer. Instead, car owners comb the Internet for unofficial ride-pimping solutions, apparently unaware of the potential danger.
How to unlock additional features in your car
Modern smart cars can do a lot: connect to the Internet, download maps and other useful info, exchange data with a local service center, and perform remote diagnosis and maintenance. You can start the engine from your living room and set the climate control so it’s just right when you climb in.
There’s just one problem: Those perks don’t come cheap. The most expensive models from well-known manufacturers provide comfort features as standard. But in more budget-minded models, such frills tend to be locked (protected by a special digital signature) and require separate payment.
But what if hackers were to find vulnerabilities in smart cars granting access to the digital certificates protecting such features? Well, they already have — mostly in the USB interface — and they’ve started selling gadgets that let owners substitute the car’s security certificate to gain access to their dream features. As a result, many “alternative” smart car solutions have found their way online.
Our experts studied multiple forums and sales platforms offering a variety of tools and programs for this purpose. They presented their findings at the RSA 2018 conference, in San Francisco. For example, they found special modules for resetting the mileage or reloading the airbags after an accident, saving on maintenance, as well as tools for diagnosis and unlocking paid features, pirated navigation apps, and unlicensed accessories. Naturally, those products were all quite a bit less expensive than what manufacturers offer. Why pay more if you don’t have to?
Trojan firmware
Why pay more? Because you actually do get what you pay for. Penny-pinching motorists will still likely end up paying, just not the way they imagined. The problem is that, when connected, these tools gain access to the entire system of the car, including the owner’s confidential data and control functions. Just like unofficial Android apps, under-the-counter firmware opens up new possibilities for both users and cybercriminals.
Smart-car owners are tempting targets. Anyone with a splashy, high-tech set of wheels looks like a potential cash cow. Darknet ads flog accounts granting access to hacked cars from anywhere in the world.
Attackers who create “useful” programs for car owners to unlock features get almost unlimited control over the vehicle, depending on what code was injected into the firmware. They can monitor the car’s movements, eavesdrop on conversations, or access a smartphone connected to the system. Or they could turn off the alarm and unlock the doors.
Enterprising cybercriminals might even inject ransomware, preventing the vehicle from moving until the owner pays up in cryptocurrency.
Safety measures
Unfortunately, when it comes to protecting your car from cybercriminals, the buck stops with you. Although the first hack of a smart Jeep occurred back in 2015, and our experts highlighted the danger of third-party apps for connected cars in 2016, manufacturers still underestimate the importance of patching vulnerabilities, meaning that many threats remain active to this day. Until the situation changes radically, car owners need to take responsibility for their own security.
- Use only official apps and accessories. Remember the aphorisms in this post — it doesn’t pay to be cheap.
- Service your vehicle properly and update its firmware regularly. Don’t ignore firmware updates for your model — most likely they’ll fix some issues before you have to deal with them.
- Scan mobile apps for connected cars with antivirus. That way, intruders won’t be able to steal registration data from your smartphone for resale on the black market.