Automotive hacking describes any illegitimate access to a connected car's computer system. This could be opening the car without permission, controlling its driving capabilities remotely, or accessing its data.
As road vehicles adopt new technologies, new risks inevitably arise. And as cars become increasingly connected and powered by computers, automotive hacking is one of the most troubling of these new risks.
In this article, I want to discuss some of the security threats that connected vehicles have faced. For instance, keyless cars are now twice as likely to be stolen than cars that still use physical keys, according to claims data from Aviva.
Similar data from the Office for National Statistics shows that keyless entry was also the most common way for thieves to break into vehicles, accounting for 36% of break-ins.
The new technology also raises new cyber threats - but solves older security problems. For instance, starting a car through biometrics is a lot safer than through a key (that you can lose).
In this article, I explore automotive hacking in detail, including the risks it poses for consumers and insurers and what the industry can do about it.
What are the risks of automotive hacking to connected vehicles?
Vehicles equipped with onboard computers have been vulnerable to some sort of automotive hacking since the 90s. But today, modern vehicles are constantly connected to the internet (even when out of wi-fi range) and can make use of more complex, multifaceted computer systems than ever before.
This technology enables the vehicles to have more powerful functions, including vehicle-to-vehicle communication and remote parking.
As with any new features, there are new vulnerabilities too. Given that 100% of new cars sold will be connected by 2026, according to Statista, the threat of car hacking is likely to become increasingly relevant.
Here are 3 specific threats that connected cars face.
1. Thieves can gain access to vehicles without a key
Keyless entry began as a feature on luxury cars back in the 90s. But since then, it’s become much more widespread. Thanks to its ubiquity, keyless entry makes up 18% of automotive hacking incidents, according to Upstream’s 2023 auto cybersecurity report.
Typically, keyless access has been possible thanks to a technology known as remote keyless entry (RKE). This is the technology that lets drivers open their vehicle by pressing a button on their keyfobs when they’re a short distance away.
It works by transmitting constantly changing codes over radio frequencies between the keyfob and the vehicle. The vehicle captures the radio signal from the keyfob, decodes it, and unlocks the entry system.
This widespread technology is made much more secure by its rolling code system. Yet RKE is not without its vulnerabilities.
For instance, back in 2015, a hacker shared his cheap device that could be installed on the vehicle to read the code transmitted by the keyfob even before the vehicle itself. Then, the hacker showed that the code could be used later to unlock the car.
With the introduction of connected cars, keyless access is becoming more advanced, with the newest vehicles making use of the driver’s phone or device. However, even this technology still has its vulnerabilities.
Tesla cars, for example, use near-field communication systems (NFC) to allow keyless entry. This is the same tech that contactless debit cards use. However, this can be intercepted. Security researchers found that two thieves working together—one next to the vehicle and one next to the driver—could easily open a Tesla by intercepting the NFC signal.
That said, while this tech presents new risks, it also solves major old ones. A lot of car theft is opportunistic. By having no key in the ignition, there’s no risk that someone will leave their keys in the vehicle, meaning opportunists won’t be able to easily steal it.
Likewise, the hacks described above are exceptions rather than the rule. Car security increases constantly, and it’s never been better.
2. Hackers can control vehicles remotely
As connected vehicles are leveraging ever more computer technology, a new risk is that they’re becoming vulnerable to remote access and control.
A famous example of this came from researchers Charlie Miller and Chris Valasek, who demonstrated the weakness of some connected vehicles in a 2015 article for Wired. They managed to interrupt and control a Land Rover’s infotainment system, climate, and speed remotely—from 10 miles away.
This case was from 2015, nearly 10 years ago. Clearly, security measures have come a long way.
Still, more recently, another researcher was able to remotely control cars by hacking a commonly used app: Sirius XM. It’s an app that’s commonly used in Nissan, Honda, Toyota, and other brands of connected vehicles.
To take control of a vehicle, all the researcher needed was its vehicle identification number (VIN), the 17-digit number that’s unique to every vehicle. He could then gain access to the app code and start, stop, lock, and unlock that vehicle from a distance.
Typically, hackers exploit weaknesses in the cars’ APIs, the technology that allows computer systems—such as vehicles and apps—to integrate and communicate. According to Upstream, these API attacks account for 12% of automotive hacking cases.
The research highlights the unique vulnerabilities of connected cars, as older vehicles have simpler electronic control units that operate basic gadgets. There are no advanced computer systems in these older vehicles that can be infected by malware or hacked.
With the advent of autonomous vehicles seemingly just around the corner, cyberattacks could become more common – and more dangerous.
Still, it’s important to note that hacking a car remotely is not an easy task – and it gets harder each year as OEMs improve their security measures.
While older cars may not have the capability to be hacked, they are far easier to steal in the first place, often through brute force. The newer, smarter technology in modern cars can be hacked by an expert: but they’re very difficult to steal by traditional means.
For consumers, insurers, and the automotive industry as a whole, connected cars solve old security problems but do present new challenges through rare instances of automotive hacking.
3. Hackers can access personal data in the computer systems
Another aspect of connected vehicles that is at risk is drivers’ personal data.
Connected vehicles potentially know a lot about drivers, including sensitive information like their names, email addresses, physical addresses, and more. There’s a risk that cybercriminals can access all this information – or it could be exposed in a data breach.
Car manufacturers are starting to store biometric information, too. Car brands such as Hyundai are using fingerprint sensors on car doors to allow vehicle access. And in 2023, we saw the first vehicle that unlocks with facial recognition. If hackers can access the information that vehicles have on drivers, the risk of identity theft is high.
In turn, this may increase the risks that car insurers need to be prepared for. Alongside conventional threats, such as theft and injury, drivers now face their personal and financial information being stolen via their vehicle.
However, this might be a small risk that consumers are happy to take. After all, all of this information is already stored on their phones and easily accessible from multiple sources. The chances of a hacker targeting a car for personal data in the first instance, rather than a phone, are unlikely.
Still, the advanced capabilities of connected vehicles require OEMs to make sure that they’re taking care of user data as well as the physical car.
Are connected cars presenting new automotive hacking risks to insurers?
Automotive hacking isn’t new. Insurers have been adapting to new technologies like keyless entry for decades.However, as vehicles have more advanced features than ever before, insurers themselves may face new risks.
1. Insurers face new threats and opportunities that affect risk and the price of policies
Every new security threat requires a new risk calculation from insurers.
For instance, connected cars are now at risk of “bricking”, where hackers can potentially shut down the vehicle’s entire computer system. Before they can offer cover for such a threat, insurers need to assess its frequency, impact, and potential cost.
That can’t always happen immediately, as it takes time to collect the right data. And so there have been instances when insurers have temporarily refused to insure vehicles due to the many unknowns about their security.
For example, in a case in 2014, many insurers were reluctant to cover Range Rovers (not a connected car) due to weaknesses in the vehicle’s RKE system. So, drivers of this vehicle were required to deploy additional security measures as a condition of their insurance policy.
This was 10 years ago, and security measures have come a long way. However, in 2023, Tesla recalled 2 million vehicles due to a security fault. Even if new features may have long-term benefits, they pose additional challenges to insurers when the technology is not fully mature.
At the same time, insurers face the issue of repairs. Connected vehicle technology costs more and requires niche expertise, which typical mechanics don’t have. It means that insurers typically have to price higher for their insurance policies overall.
2. Insurers face fraudsters that have a new source of personal data
Insurance fraud is changing in the face of new sources of personal data and new technologies such as AI.
Typically, fraudsters use data to make fraudulent insurance claims more convincing. Whereas once they may have used a single email address across multiple fraudulent applications, today they have a wider range of personal data at their disposal.
Personal information stored in connected vehicles and their apps could be an additional source of data for these fraudsters. They could access email addresses, phone numbers, and vehicle information from vehicle computer systems.
But fraudsters could also access this data through simpler means (such as hacking an email account). The unique risk comes with the telematics that connected vehicles store data on driving behaviour, such as speeds, mileages, and usage habits.
Will most insurers won’t use this data to calculate a premium, it’s not far-fetched to think they might in the future. This user-specific data could potentially be used by fraudsters who can deploy it in convincing fraudulent insurance applications. As such, it could make these applications harder to spot.
What can insurers do to adapt to automotive hacking?
Hackers will always try to find ways around vehicles’ security systems. But there are ways that insurers can protect against it.
1. Insurers can keep a close eye on vehicle technology trends
With keyless entry now accounting for over a third of vehicle break-ins, automotive hacking is already a real threat. As an increasing proportion of vehicles will have advanced keyless entry through connected cars in the coming years, the frequency of these break-ins could increase.
This data may soon become irrelevant. Most new cars are keyless entry, so it makes sense that we will continue to see keyless entry theft rise.
Likewise, it’s unlikely that connected vehicles increase the risk of break-ins overall. Instead, with the additional security features they often contain—such as GPS tracking or immobilisation technology—we may see that the risk of break-ins actually drops. For instance, thieves may be reluctant to steal cars they know can be followed or immobilised.
As technology advances and changes, risk is constantly changing. When one problem is solved, another will be presented. As such, it’s imperative that insurers continue to follow vehicle technology trends to accurately assess the risk.
2. Insurers can encourage customers to ensure their vehicle security is up to date
Currently, if drivers don’t adequately protect, maintain, and service their vehicles, they can be in contravention of their insurance policies. This can mean that insurers won’t pay for any claims, or they may pay out less.
When it comes to the risk of automotive hacking, insurers may take a similar approach. For instance, if a car is hacked and the vehicle’s software is out of date, insurers could argue that the driver has been negligent.
As such, insurers can emphasise to customers the importance of adequately securing their vehicle’s computers. For instance, customers should:
- Secure and regularly change the passwords on their vehicles or any apps
- Install the latest software and keep it up to date
- Avoid downloading unauthorised third-party applications onto the vehicle system
Insurers can encourage and remind customers to do this via online content, email and app notifications, as well as through policy stipulations.
Ultimately, it’s in the interests of insurers, not just the customers. Insurers shouldn’t have to pay out on policies where customers didn’t do enough to protect their vehicles.
Insurers and consumers can counter the threat of automotive hacking
Connected cars solve a lot of problems. The chances of vehicle theft, as a whole, are likely to decrease. That being said, automotive hacking is a threat that drivers and the insurance industry will need to be prepared to face.
Consumers can reduce the risk by taking simple, concrete steps to protect their vehicles’ computers. Insurers, too, have a role in encouraging customer action and protecting themselves.
Yet technology changes, risks and threats will change as well. That’s why insurers need to monitor technology trends to ensure they can discourage hackers in the future.
To stay in the loop about how the industry is adapting, learn more about what we do at Confused.com.