Live Hack Highlights Auto Industry’s Connectivity-Based Achilles’ Heel

LAS VEGAS – Illustrating the vulnerability of vehicles on the road, cybersecurity firm Upstream Security hacks into a vehicle in a live demonstration here, taking remote control of the car’s brakes, steering and other vital systems as it moves down the road.

Upstream is an Israel-based software start-up that provides the way to monitor key systems aboard a fleet of vehicles, detect anomalies and counter cyberattacks. It recently completed its Series B round of funding, pulling in $30 million from a group of investors that includes the Renault-Nissan-Mitsubishi Alliance, Hyundai and Volvo.

As connectivity with the infrastructure expands, more cloud-based features are offered and consumers bring more apps into their vehicles via their phones and other hand-held devices (what Upstream refers to as “zero-trust” devices), vulnerability to malicious hacks increases, the company says.

In the demonstration for media and analysts here on the outskirts of CES 2020, a hacker based in Boston gains access to a vehicle driven by an Upstream employee in Israel through an aftermarket dongle – the type used by fleet operators and insurance companies to track vehicle health and driver performance – connected to the car through its onboard-diagnostics (OBD) port.

On gaining entry to the car’s ECUs, the hacker is able to decipher the operating code, search for specific commands around its various operating systems and inject new code on the fly to take over control of vital systems.

In the demo, the hacker commandeers the car’s steering, controls the mirrors, makes the accelerator ineffective by cutting off fuel to the engine and activates the brakes. He also shows how the door locks can be permanently activated to keep the driver from even entering the car in the first place.

Dan Sahar, Upstream’s vice president-product, says the demonstration is an indication of how easy it is for bad actors to get control of key vehicle systems either to extort ransom from automakers, access data on vehicle owners for nefarious means or potentially launch a widespread politically motivated cyberattack – what some industry insiders now refer to as a potential Pearl Harbor-like event.

Upstream has been compiling data on known automotive cyberattacks for several years, and in its just released 2020 report analyzes 160 high-profile incidents that occurred in calendar 2019, seven times the amount seen in 2010. Of the 2019 total, 57% were so-called black-hat (malicious) hacks. Keyless entry systems remain the top entry point into vehicles for hackers (29.6% of all hacks), with mobile apps No.2 (12.7%).

Sahar says criminal activity around automotive hacking has increased substantially in just the past two years and is on the rise. He points to the Car2Go hack in Chicago that saw 100 Mercedes cars stolen in a single event and FBI analysis that concludes hackers are targeting the U.S. auto industry to steal personal financial data. The Upstream report says Uber alone has paid $2.3 million in ransom related to cyberattacks that disrupted its ride-hailing business.

There were 330 million connected cars on the road in 2018, Upstream says. That figure will rise to 775 million by 2023.

“Connectivity is great,” Sahar says. “But it also involves risks. If there are a lot of windows and doors, there are more ways to get in.

“The mindset should be, you will be breached at some point and you better be able to detect it,” he says.