From 2024, cars must have a cybersecurity certificate or face a fine of 30,000 euros
In the first half of the year, 14,852 car thefts were reported, an increase of 23.7% compared to the same period in 2021. The time when a window was broken to hot-wire and start the vehicle is over, since the criminal tool of choice is now the computer.
“Now glass breaks only occur if you want to take something of value out of the interior,” police sources tell ABC. It sounds logical: thieves don’t want a damaged car because it attracts more attention and lowers resale value. In addition, the lack of violence poses a new problem for the owner: the difficulty of proving the theft to the insurer.
The same sources state that today the most widespread method of stealing vehicles is to open the door, either by forcing the lock cylinder or, for more advanced thieves, by manipulating the key’s radio frequencies, and to access the control module via the OBD 2 port to start the engine and be able to drive the car. Professional thieves are able to perform the operation in less than three minutes.
“It has become very frequent in recent years to find cases in the Volkswagen Group. But it is increasingly common that complaints come from BMW or French brands,” the police said.
On October 10, Europol even arrested 31 members of a gang organized between France, Spain and Latvia for car theft. They seized 1.1 million euros in criminal assets.
There are many similar cases. In the US, the “Kia Boyz” specialized in the previous-generation cars of the South Korean group and also posted explicit videos of the method to follow to start the car. Others, in France, used a custom JBL speaker, with a black market value of $5,000, to access the vehicle’s control module through the USB port.
Although it seems that vehicles today are more vulnerable than ever, the reality is that half as many thefts were reported in the first half of 2022 as a decade ago, as 27,045 were recorded in the same period of 2012.
Manufacturers try to fix their vulnerabilities quickly (the “Kia Boyz” are no longer able to exploit the new models) and have even come to pay ‘hackers’ for disclosing security flaws. One example is Tesla, which handed out $50,000 after a hacker proved he had access to its entire fleet via information exchanged by its supercharger network.
The law is lagging behind when it comes to controlling new forms of crime.
In 2021 the United Nations presented Regulation 155, a standard for the homologation of vehicles with regard to their cybersecurity, which defines nearly 70 vulnerabilities against which current and future vehicles must be protected. The European Union has already announced that the UNECE/R155 standard will be introduced from 1 July 2024, with a fine of 30,000 euros per unit produced that does not meet the requirements.
Just as digitization has provided new avenues of access for cybercriminals, it has also given rise to companies specializing in the prevention of this type of crime and in security certification. In Spain, for example, Eurocybcar is the only one that can issue this technical cybersecurity evaluation.
Achieving lower-latency broadband opens up a world of industrial and automotive connectivity opportunities. In a recent interview with ABC, Bosch CEO Stefan Hartung said this would reduce the number of control units in vehicles and move computing systems to the cloud. On the one hand, it would increase local security, as there are fewer vulnerable nodes to access; on the other hand, an attacker could compromise the integrity of a fleet management system by authenticating as a harmless element in the cloud.
To develop defenses, it is essential to adopt a “hacker mentality” and think about the profit paths this type of criminal can have. The cybersecurity company Trend Micro points to several vectors: ‘ransomware’ (blocking a vehicle’s functions until the owner pays a ransom), the theft of private information, or even the misuse of systems, including taking control of fleet management to avoid arousing suspicion at the supervision center, for example by turning off the GPS location. The advent of self-driving trucks would open the door to an easy way to distribute illegal material or to have a truck parked in a place to be dismantled.
However, Trend Micro confirms that the results of its search for efforts to compromise connected cars have been limited, “a good sign that criminals have not yet focused their efforts on monetization,” it says in its report.
Forums on the “Deep Web” offer hacked accounts for car-sharing and taxi apps, as well as “threads” on how to break into the OBD port or adjust the control unit, information on the CAN protocol developed by Bosch, frequency inhibitors for keys (which prevent the car from being locked with the remote control) and the tools most commonly used today: key cloners. Still, from a technological point of view, the simplest methods, such as duplicating keys, are potentially much more harmful than other, more sophisticated methods, such as installing “malware” remotely.
While auto theft has become much more sophisticated (the most common destinations used to be Russia and Ukraine before the war, as well as China, Eastern Europe, Morocco and Mauritania), the most notorious cases to have appeared in the press have been carried out by ethical hackers, in an attempt to expose a system’s vulnerabilities.
The first example that exposed the lack of computer security in vehicles was the 2015 “hacking” of a Jeep Cherokee, which resulted in the recall of 1.4 million Chrysler vehicles. In this case, Charlie Miller and Chris Valasek found they could access the control unit in several ways, but they preferred the 3G network because it allows an attacker to be out of line of sight and still send messages to the vehicle via the CAN protocol. Among other things, they discovered that they could turn off the engine, deactivate the brakes or turn the steering wheel of the Jeep.
According to the American consumer protection association, Consumer Watchdog, Tesla vehicles are the most vulnerable to cyber attacks, followed by models such as the Ford F-150, Dodge Ram 1500 or Chevrolet Silverado, the three leading pickup trucks on the market.
More recently, in 2018, a BMW was attacked by Keen Security Lab analysts. They performed three different attacks, one local via the OBD port and two more sophisticated remote attacks. The most successful was to establish a man-in-the-middle (MitM) exploit to receive all GPRS data generated by the vehicle and sent via the Connected Drive service to the manufacturer’s server, and thereby be able to send arbitrary messages using the CAN protocol and thus control the control unit.
Source: La Verdad