Autonomous Vehicle Theft: The Future of Carjacking

old school auto theft vs. autonomous vehicle theft

It’s 2034. You’re in the backseat of your driverless car, sleeping, catching up on some paperwork, cramming for a test, basically handing over the control of your smart auto to its mechanical brain. Out of nowhere, your car goes left instead of right, powers through the traffic light instead of stops and you sit helplessly as your high-tech, state-of-the-art self-driving wonder is taken over from miles away. Stealing a vehicle takes on a whole new meaning when it’s done by tapping into that artificial intelligence running your autonomous car’s brain. What do you do? And this goes beyond a question of design to law enforcement. After all, in this brand new world, what is being done about autonomous vehicle theft? Will there be a difference with how it’s handled today? Should there be?

A quick history of car theft

Let’s take a look at where “boosting” a motor vehicle started so we can understand where it’s going.

1888: All in the name of marketing

first auto theft for a good cause

Bertha Benz with husband, Karl, in one of his Motorwagens, the Benz Viktoria, model 1894

The first person to actually steal a car was Bertha Benz. Wife of Karl Benz, the creator of what many call the first practical gasoline-powered automobile in 1885 and co-founder of Mercedes-Benz, Bertha took the vehicle with the best intentions — viral marketing her notoriously shy husband’s invention. However, she still stole one of his “Motorwagens” from his shop in the dead of night on 05 August 1888 with the help of her two teenage sons without Karl’s knowledge. This first case of motor vehicle theft — what is sometimes called grand theft, auto — was harmless enough and actually benefited the automotive community by creating interest in this curious contraption traveling the countryside to the extent that others wanted one for themselves. A whole industry was born and as the horseless carriage became more the norm around the world, local communities saw this actual crime grow and began to wonder how to combat it.

1896: A baron’s ride is coveted

first auto theft on record

Baron de Zuylen de Nyevelt, 1907

The true first vehicle that was really stolen was the Peugeot owned by Baron de Zuylen in 1896. His mechanic decided to take it upon himself to take it out of the shop where it was being repaired. Luckily, both the thief and the car were found nearby.

1919: The U.S. takes a stand

the emergence of auto theft

1921 National Insurance Bureau Brochure, Courtesy of automobileandamericanlife.blogspot.com

The Dyer Act, aka the National Motor Vehicle Theft Act, becomes the first federal law combatting the brand new world of stolen motorized vehicles in America. Enacted by the U.S. Congress on October 29, 1919, Dyer focuses on the interstate trafficking or transport of stolen vehicles — stealing a car and taking it across state lines. Punishment is an unspecified fine — more than likely to be based on the actual value of the car stolen — up to ten years in prison, or both.

1969: Introducing the VIN

one of the original VINs on a car

Old School ID, 1970 Chevrolet Chevelle, Courtesy of chevellestuff.net

On January 1, 1969, The Department of Transportation, formed just a few years prior in 1966, requires all new cars imported into and/or sold in the U.S. to have a vehicle identification number (VIN). At this point, it is left to each manufacturer to decide how and where they want these to appear, which can cause confusion at times.

1980: Setting some standards

how to read a VIN for autonomous vehicle theft

Image Courtesy of “How to Decode a VIN Vehicle Number” by Jason Unrau for www.yourmechanic.com

1980: The universal 17-character VIN system is established.

1984: Divide and conquer goes on the road

cars chopped for parts

Photo Courtesy of patch.com

The “chop shop” starts showing up. Thieves steal a car, “chop” it up, and sell the parts that don’t have the VIN on them. So, the 1984 Motor Vehicle Theft Law Enforcement Act is created, highlighting the need to trace and recover stolen motor vehicles and their parts. The Department of Transportation (DOT) reacts to the new law by mandating that the VIN now be displayed on the car’s engine, transmission, and 12 major auto body parts. This makes it more difficult to cut up the cars and get away with the theft.

1992: Grand Theft Auto gets hands-on

how car jacking can also be done for autonomous vehicle theft

Image Courtesy of “Keep Your Wheels: 11 Tips to Avoid a Carjacking” for www.itstactical.com

1992: Then came carjacking, the armed and forced taking of a car from an individual. The Anti-Car Theft Act of 1992 makes carjacking and owning, operating and maintaining a chop shop federal offenses.

1994: “Somebody, stop me!”

added protection against vehicle theft

Bumper sticker with the blue car and eyes for wheels means your car is part of the watch program

The Anti-Car Theft Act is joined by the addition of the Motor Vehicle Theft Prevention Act to the Violent Crime Control and Law Enforcement Act of 1994. This requires the Attorney General to work with the different States to develop a voluntary auto theft prevention program that has car owners signing a consent form that authorizes local law enforcement to stop the car when operated under certain conditions, such as at night, in certain urban neighborhoods, etc. Participants display a decal on their car showing they are part of the program. Carjacking is also addressed within the body of the Violent Crime Control and Law Enforcement Act itself, proclaiming that should a death result from the action, it is a federal capital offense.

1996: The age of the database

databases incorporated to fight car and autonomous vehicle theft

Milwaukee motorcycle police officer Dennie Sanchez runs a computer check on a vehicle he stopped near N. 27th and W. Wright streets. Credit: Gary Porter

Welcome the Anti-Car Theft Improvements Act, which upgrades state motor vehicle department databases that contain titling federal and local law enforcement can access to determine whether the vehicle in that person’s possession is stolen or not.

21st Century: The future of vehicle theft

Incremental advances have been consistently made in federal laws and states have their own mandates that determine whether the stealing or tampering of a car is either a misdemeanor or felony. Since the last law was put on the books in 1996, auto theft has been on the decline, BUT…

With the advent of the Internet, the new crime of cyber-hacking has given rise to an even broader, more detrimental concern. What would happen in an autonomous vehicle theft? Carjacking in absentia means there has been no armed taking of the automobile, so it wouldn’t fall under the Anti-Car Theft Act of 1992 — that outlines carjacking as taking a vehicle from an individual by force while armed.

In addition, the ability to virtually break into a car has led to terrorist concerns. Throughout the world, automobiles are used for suicide attacks and the ability to do so from afar has prompted some serious research on how to get in front of what has yet to but could happen. What, then, would that protection look like and how would law enforcement engage with, let alone track down, who took over your vehicle?

Protection against cyber-jacking

cyber attack for autonomous vehicle theft

Vehicles used as weapons of terror appear to be on the rise. From disenfranchised individuals driving down crowded sidewalks to radicals using them as bombs, the humble motorcar has taken on an ominous feel of late. It’s not surprising that self-driving and highly connected autos make many wonder just how vulnerable their inner workings will be to tech-savvy terrorists or simple car thieves.

While there have been instances, in testing, of white hat hackers infiltrating cars in order to demonstrate how these automobiles might be taken over, the actual use of a vehicle in a terrorist attack by virtue of cracking its computer code has yet to occur. However, preempting that is key and such minds as American University Computer Science Professor Nathalie Japkowicz are working with others to do just that.

The best defense is a good (computerized) offense

While there is legislation currently considered to protect us in the not-so-distant fully autonomous future, anti-theft technology is being pursued right now. Professor Japkowicz — along with Adrian Taylor of Defence R&D Canada and Sylvain Leblanc of the Royal Military College in Canada — has designed a way to detect unusual activity in a car’s computer system. The trio is using machine learning, noting that anything out of the norm within an operating system may signal a cyber attack. The goal is to take this information and create the tools needed to address these security threats to connected vehicles before they turn into action.

In Washington, D.C., American University’s computer science department is currently focused on what they are calling “vulnerability management.” This entails “detecting attack during normal system operations.” We’ve discussed many ways cars are now more open to outside interference by the mere fact that there are a vast number of ports of entry into a car’s operating system. Whether it’s through telematics or that cool new infotainment experience, there are all of these little ways your high tech vehicle can be infiltrated. By paying attention to changes in normal computer behavior, the hope is that this will immediately signal a need for cybersecurity experts to step in and, at the very least, investigate the issues arising in the automobile.

As Professor Japkowicz and team engage two machine learning techniques to gain insight into activity that is out of the norm — Long Short-Term Memory and Gated Recurrent Units — they hope to provide the automotive industry with the tools to battle and evade such attacks. Newer cars are far more vulnerable than older models to any sort of cyber invasion with more computerized capability than ever before. From the simple USB port on your dash to the intricate framework of autonomous driving, the number of ways to enter from the outside has heightened exponentially and the challenge is to now shut each and every one of those areas from outside interference. That, in itself, is a lofty task especially as more cars coming off the assembly line are outfitted with more advancements, more bells and whistles, and more connectivity than ever before.

Take for example the recent slew of Tesla thefts in England. Thieves have been hacking into key fobs to unlock a Tesla, start it up and drive it away. Tesla reacted by offering an optional “PIN to Drive” feature, helping owners disable “Passive Entry,” and making a signal blocking pouch in which to keep your key fob available. This has helped, but those owners who don’t use any of the tips may find themselves losing their vehicle thanks to those who are technically proficient enough to become part of the New Age of Car Thieves.

Sidebar: “What if…?”

Although virtually accessing self-driving cars is the biggest concern of both vehicle manufacturers and the tech industry — not to mention what all of this means to your insurance premiums — this got us to thinking…

Imagine you’re slowing down to a stop for a pedestrian crossing the street when the front door lock is jimmied — either manually or digitally— and someone slips inside to take control. Autonomous car theft is consistently viewed from a high-tech, cyber-hacking standpoint, but what about good, old-fashioned carjacking? Without a driver, some skill with either an actual lock-pick or rudimentary hacking knowledge may very well turn that fully autonomous dream into a vintage nightmare. Hmm…

Tracking the hacker? Not so easy

hackers for autonomous vehicle theft

While more than 90% of all new cars have a black box installed to assist with determining issues when a crash happens, finding the hacker who cracked your automobile’s computer code is very difficult. They range from networks of people who work together to solo infiltrators writing self-erasing code, fake web addresses and more. Since there is no physical evidence of the break-in — only virtual — investigations can sometimes take years before the perpetrators are found. So, where does that leave you comfortably sitting in the backseat of your self-driving vehicle that is suddenly taken over and driven to…? Well, you get the point.

For now, all of these incidences are virtually nonexistent, but tomorrow? As someone once said, “Tomorrow is another day.” However, that “day” is fast approaching.

 

, , , , , , , , ,

Car Hacking: Safeguarding Your Connected Car

the console of a connected car in the middle of a car hacking

the dangers of car hacking

Computer viruses are nothing new. The brutal lessons learned from those who’ve survived them make us more cautious when surfing the digital wave on our devices. But how often do we think of our vehicles as motorized computers? Today’s automobiles include operating systems that provide climate control, fuel efficiency, satellite-based entertainment, automated safety features and more. Basically, we’re driving smartphones on wheels, something we tend to forget. Our vehicles are more connected than ever and with the automotive industry constantly innovating, they will only become more so. Because of this sophistication, concerns about the strange new cyber threat of car hacking are being raised.

Yes, we know car hacking isn’t exactly new. And other than a disgruntled former Texas car dealership employee’s remotely bricking 100+ vehicles to set off their horns and disable their operating systems, no actual malicious car hacking incidents have been reported. However, the infiltration of the Jeep Cherokee driven by WIRED Magazine writer, Andy Greenberg, on a Missouri highway by white hat hackers Chris Valasek and Charlie Miller is just one of many that have shown how vulnerable these systems are to cyber attack. White hat hackers are individuals who infiltrate computer systems in order to highlight security problems for companies to fix. They’re the good guys of the hacker world, those who find the weaknesses–sometimes even hired by businesses to do so–and share them with the manufacturers to help them strengthen their programs.

Black hat hackers, however, are the ones who break into the wireless network systems for malicious purposes. These are the bad guys of the hacker community. And as automobiles become more connected–self-driving cars–the need for lawmakers to take a legal stand to protect you and your 21st-century cutting-edge automobile from what is felt to be the inevitable actions of these perpetrators becomes more vital.

Car Hacking 101

Per the Tech Target website’s IoT Agenda, car hacking is “the manipulation of the code in a car’s electronic control unit (ECU) to exploit a vulnerability and gain control of other ECU units in the vehicle.” The ECU is your vehicle’s brain. It controls your entire engine. So, if someone’s able to hack into it then he or she is capable of making your automobile do pretty much anything he or she wants. And when you’re talking about a 6,000 pound hunk of moving metal, that’s rather scary.

Strict hacking laws proposed

As cars get smarter and more communicative, the ability to infiltrate them via a wireless network gets easier. Your vehicle talks to your phone via bluetooth, your MP3 player through the AUX cord, interfaces with other cars (V2V) and even sends signals to law enforcement through its license plate (automatic license plate readers or ALPR). With so much wide open access, it raises the issue of not just how would someone plug into your vehicle’s system, but when. 

Two pieces of legislation, in particular, are gaining notice. Michigan State Senator Ken Horn and Michigan State Senate Floor Majority Leader Mike Kowall have teamed up to propose that car hacking in their state be punishable by “life or any term of years” in jail. Meanwhile, the Security and Privacy in Your Car Act of 2015 or SPY Car Act is a federal plan sponsored by U.S. Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.), both members of the Commerce, Science and Transportation Committee. The bill requires the National Highway Safety and Transportation Administration (NHTSA) and Federal Trade Commission (FTC) to collaborate on creating new standards for automakers to meet in regards to cyber security in their vehicles.

The NHTSA has actually been researching safeguards to combat car hacking for several years and continues to expand its knowledge in order to better address these concerns. Its Office of Vehicle Safety Research specifically focuses on ways to “strategize, plan, and implement research programs to continually further the Agency’s goals in reduction of crashes, fatalities, and injuries.” Part of that is addressing car hacking.

A meeting of the minds in legislation and the auto industry

Connected cars and autonomous vehicles are considered the safest solutions to the rising automobile fatality rate – 35,200 deaths were reported in 2015 with 94 percent due to human error, hence the recent announcement about legislation to encourage and regulate the technology. Because of the desire to put even more wirelessly-connected autos on the roads it’s vital to make sure they can be operated safely. In January, U.S. Department of Transportation (DOT) Secretary Anthony Foxx announced the unprecedented collaboration between DOT, NHTSA and 18 automakers to address preparations for combating cyber threats to vehicles. A document called the Proactive Safety Principles 2016 outlines four key areas of security focus  and lists the partners who have signed on. These categories are Enhance and Facilitate Proactive Safety, Enhance Analysis and Examination of Early Warning Reporting Data, Maximize Safety Recall Participation Rates, and Enhance Automotive Cybersecurity.

In his statement, Secretary Foxx pointed out, “We all know that the performance today’s vehicles achieve is due in large part to an increasing amount of computer hardware and software under the hood and behind the dashboard. And the era of automated vehicle technologies will add to that. So we have pledged to work collaboratively to mitigate cyber threats that could pose unreasonable safety risks.”

A wealth of ports of entry

the various internal ports of entry for car hacking

a car’s electrical system

The hardware and software Secretary Foxx mentions have many ports of entry to the inner workings of your vehicle that leave it that much more exposed. Chris Valasek and Charlie Miller proved the fragility of cyber security not just once but twice in the same Jeep Cherokee they took over from Andy Greenberg. The first time was done over the internet and Fiat-Chrysler prompted responded by fixing the issue. However, a second attempt prior to the August Black Hat conference showed that the two researchers could affect a more dangerous hack when plugged into the ECU under the dashboard to send messages to the car’s internal systems known as the controller area network  or CANbus. It pointed out not only how someone plugged into the electronic control unit could attack the vehicle’s brain, but that doing so over a wireless network is still an issue.

Consider this scenario: you take your car to the shop. The mechanic plugs into your automobile’s ECU to gain instant access to the CANbus, adjusting and fixing whatever’s needed. Great.

But, while the auto repair person is communicating with the inner workings, it leaves your car’s digital door open for anyone else with enough know-how to hack into your on-board diagnostics (OBD) portal via remote. This is also the port into which you plug the dongle your auto insurance company gave you to track vehicle miles traveled (VMT). So imagine that all of the information floating around in there is vulnerable to anyone with a little car-hacking savvy to break in and control your car without your say so.

The OBD isn’t the only susceptible spot. There is the in-vehicle infotainment (IVI) capability that connects with everything from navigation systems to gaming and movies that can play on the screens in your backseat for the kids. Your bluetooth can be enabled so you can speak hands free – a law in some states – to any of your contacts in your cellular network. And every time you engage in wireless activities while you’re driving – upgrade a phone app, listen to driving instructions, access music – your vehicle’s system is open to anyone who wants to come in.

Five quick DIY anti-car hacking tips

Today’s connected cars are super efficient, wonderfully eco-friendly and incredibly convenient.  They are also machines that have created a whole information highway of their own by allowing access to their operating systems through different portals and devices in a unique way. Right now, the possibilities of being a victim of car hacking are rare. However, the concern that it’s only a matter of time before black hats decide to give it a go are real. While lawmakers work on auto legislation and car manufacturers innovate to keep you and your vehicle secure, you too can take some simple steps to help yourself.

In the spirit of “forewarned is forearmed,” here are five steps you can take to protect your car and yourself:

1. Know Your Mechanic

Make sure you’re familiar with the person who works on your car. That OBD he’ll plug into gives him all-access to everything inside your engine’s brain. Protect it.

2. Watch what you plug into your dashboard

Be careful with the USBs and flash drives you plug into the ports in your dash. Know the source of the information you downloaded to transfer to your vehicle’s brain. Malware has been known to be uploaded into the car’s operating system through these sticks, thereby compromising it.

3. Familiarize yourself with your OBD port and check it

Find the port and check it from time to time to ensure it doesn’t look tampered with and no strange dongles are connected. If you notice anything amiss, contact your carmaker.

4. Use your car key to lock and unlock your car

Scanning your wireless key fob system is the easiest thing to hack on your automobile. Every time you use it, it sends out a signal that can be plucked to allow someone to get inside your vehicle and steal it, the contents or meddle with your controls.

5. Keep up with system updates

Just as with your phone and computer, your car’s digital brain requires periodic updates. Get them installed immediately. Some of these need to be done by the dealer and others can be done by yourself. However, it’s best to work with your automaker to ensure these are being handled appropriately. If nothing else, it will walk you through installations and help you should you discover something amiss with your automobile.

Familiarize yourself with your car

Ultimately, keeping in tune with your vehicle will help you stay on top of any issues that could arise. This is a new age of automotive innovation that opens up amazing opportunities, but with those come a slew of possible dangers. Legislative inroads are being made in an effort to protect connected car owners, but these are still in the proposal stage. Taking an active role in the security of your automobile now will prepare you for the autonomous road ahead.

, , , , , , , , ,