Suddenly, the doors unlock. The indicators flicker. The horn sounds. Nobody in the passenger compartment. An autonomous car? No, just a bunch of American hackers having fun with a state-of-the-art model from the South Korean car manufacturer Kia. The latter have just discovered a gaping security flaw, by simply exploiting… the vehicle’s license plate number. It took them barely 30 seconds to take control of it, using a tailor-made application. These exploits were posted on YouTube at the beginning of September, and skillfully detailed on the site from one of the pirates, Sam Curry. Of course, the hackers – here nice, “ethical” ones – had warned Kia of the problem. This was not their first feat of arms. In 2023, Sam Curry and a few friends had targeted Honda, Nissan, Mercedes-Benz and other Hyundais, again unearthing numerous breaches. Without needing to be near their target. “The attacker may be on the other side of the world,” said Sam Curry. Thank you Internet!
Transformed over the past ten years by the massive presence of electronic components, sensors and connected entertainment software, cars have become the preferred hunting ground for hackers. George Hotz, the first “pirate” of the iPhone and the PlayStation 3 games console – which got him into serious legal trouble – had opened the hostilities. He is now the head of a company developing autonomous driving software. In 2015, two other hackers, Charlie Miller and Chris Valasek, managed to stop a Jeep Cherokee dead in its tracks from the rear of the passenger compartment – without touching the pedals, of course. The following year, Craig Smith’s work, The Car Hacker’s Handbook, delivered a first “guide” to hacking modern cars.
Since then, the biggest hacker conferences in the world have all had their own booth tinkering with these “computers on wheels”, like the famous Defcon convention. Sometimes, the quest is particularly tempting: Tesla’s “Pwn2Own” competition, putting its latest model to the test, is rewarded with several hundred thousand dollars. With the possibility of driving the hacked vehicle again. A nice carrot. Especially since at the same time, the hunt has become less fun elsewhere: traditional computer systems and other smartphones are now much more secure and difficult to “crack”.
Better than Fast & Furious
In France, Gaël Musquet is a recognized personality in the community of French ethical hackers. He details to L’Express the numerous vulnerabilities specific to current vehicles: mechanical, software and electronic, through Wi-Fi, Bluetooth and even radio waves. “In the current fleet, we cannot guarantee that the car is not bugged at the expense of the person on board,” warns the man who has numerous trophies stamped Citroën, BYD and even Tesla on his hunt. Other disaster scenarios feared in the industry include a serious accident caused by an attack jamming the vehicle’s sensors and its ability to brake or accelerate. Or malicious people gaining access to the navigation system, forcing a car to follow a new, unknown route. The list is not exhaustive. “In automotive cyber, reality sometimes goes beyond fiction,” concludes Gaël Musquet, evoking the fantasies of the saga Fast & Furiouswhere hackers take control of an entire fleet of four-wheelers.
How are manufacturers reacting? Hard to say. At the Auto Show, which is currently in full swing in Paris, not a single conference dedicated to the cyber issue. When contacted, a large French manufacturer politely declined any interview request on this subject, for reasons of confidentiality. With the notable exception of Tesla, few manufacturers publicly test their vehicles. Due to lack of collaboration, Gaël Musquet most often uses his own Toyota C-HR for his demonstrations. Which also cost him several trips to the garage, caused by the involuntary “blocking” of his machine.
The “cyber” problem is recognized by all: several Asian automobile manufacturers use open source software proven by independent developers, and numerous initiatives have emerged to create standards and improve hardware, notably by subcontractors like Bosch . Additionally, remote vehicle updating, adopted by the entire industry, now makes fixes easier. However, there remains a lack of “cyber culture” and “specialized talents” in this area, says Gaël Musquet. Generally speaking, the cybersecurity sector is struggling to attract recruits.
No disaster yet, but…
“The subject of cyber is perhaps not yet seen as a priority among manufacturers, amid many other difficulties, such as production costs, environmental constraints…”, believes Renaud Feil, co-founder of Synacktiv , a French company specializing in intrusion testing and security audits, which has won the Tesla competition several times. The detection of a major vulnerability can, in some cases, lead to a widespread – and very costly – recall of vehicles. Jeep experienced this, with 1.4 million units recalled. Finally, it is true that no disaster scenario – such as a very serious traffic accident due to a hack – has yet occurred across the world. Or at least, has not been identified and publicized. The car fleet is still mainly made up of vehicles low techmuch less electronically complex. However, there are concrete reasons for concern, such as contactless car keys.
This vulnerability, pointed out several years ago, remains to this day a big stone in the manufacturers’ shoes. In 2019, Adac, a German motorists association, tested 500 keys whose doors unlock when the owner approaches – a very common system now. Only 5% were robust against piracy, in particular by jamming radio waves. A serious alert. However, five years later, out of nearly 700 vehicles equipped with the same accessory, the proportion protected against hacking has only increased to… 10%. A lack of consideration that raises questions. In France, 9 out of 10 flights are now operated electronically according to the French company Coyote : a quick, effective way, without the need to damage the car, and which offers better resale potential for thieves. “The most recent models which embed ever more technology are logically the most at risk despite anti-theft systems,” the company continues on its website. Coincidence or not, car thefts in France are themselves on the rise: 140,400 in 2023, an increase of 5% compared to the previous year, according to figures from the Ministry of the Interior. A flight every four minutes.
A threat that risks increasing with the advent of “driverless”. While electric cars are already equipped with hundreds of millions of lines of software code, future autonomous driving vehicles should have ten times more, various specialists have already warned. Enough to multiply the breaches. Tesla, which until now ordered ethical hackers to hack its locking systems or its screens, intends to widen their playing field during its next Pwn2own, at the beginning of 2025, New target: its control system. Renaud Feil and Synacktiv are salivating in advance. A sign that the cyber issue of vehicles is gaining momentum, hacker Gaël Musquet will continue his wanderings, from November, within a laboratory at the Cyber Campus. The new Mecca of French cybersecurity, located in La Défense, on the outskirts of Paris. Much to the relief of his Toyota.
.