Yash, a tech worker in San Francisco, learned the hard way that his connected car wasn't a safe as he thought.
Like a lot of new high-tech cars, his vehicle — a 2013 Mazda3 Hatchback — was secured using a key-less entry. The fob in his pocket automatically opens the car trunk as he approaches the vehicle.
One day recently, the trunk opened automatically to reveal all of his belongings, a computer and other valuables, were missing. Panicked, he checked the windows, the doors, and the backseat. But while his belongings were nowhere to be found, there was absolutely no sign of a break-in.
Key-less entry is increasingly a standard feature on new cars. What few new owners realize, however, is how vulnerable this, and other new features of the connected car leave them.
What Yash, who declined to give his last name, likely experienced was one of two forms of auto burglary. An "amplification attack" happens when a thief uses a device to "amplify" the signal generated by a key-less remote (perhaps one left on a kitchen table) to open a car's doors and trunk.
In another method, the door code is intercepted by a device planted nearby — some are sold under names like "RollJam" and HackRF One Kit — that is then used to break into the car later. These devices sell for around $30.
"If the cryptography of the car is implemented well, it should be impossible that a brute force attack would work," said Silvio Cesare, a researcher for security firm Qualys. "This [kind of attack] could be implemented against baby monitors, Internet cameras and even phone calls."
"The vehicle increasingly is like a computer on wheels." said Maryanna Saenko, a research analyst with Lux Research whose background is in robotics and automation
The problem is that different manufacturers build different parts of the final product, but don't always talk to each other.
"There are the tier one and tier two suppliers that make components and sub-components, and then there are the third party people selling you apps. What you have is a messy infrastructure of the car itself," said Saenko.
Tesla has taken a pro-active approach to identify vulnerabilities in their system. In June of 2015 they launched a bug bounty program, offering experts between $100 and $10,000 in exchange for reporting vulnerabilities. Lookout co-founder and CTO Kevin Mahaffey and Cloudflare researcher Marc Rogers were able to hack into the Tesla Model S. They found six vulnerabilities, enabling them to take full control of the infotainment system, remotely open and close doors, and even start the car.
"It started out as a side project, I like to break things. I'm a hacker, I liked to hack stuff," said Rogers. "When the Tesla came out, for me it was like nirvana — the world's perfect car with software I could hack."
A common point of entry for hackers looking to steal a car is the OBD-II port, a small port found under the steering wheel in most cars manufactured later than 1996. This port is a direct connection from the car's on-board diagnostics to the computers on the network.
Dongles that cost roughly $1,000 can be put to use by smashing the driver side window and plugging it into the ODB-II port. "You can steal these cars in some cases in less than 20 seconds" said Rogers.
Since competitive pressures often mean that car makers bring new functionality to their products before they're fully tested, new vulnerabilities are likely to be generated with each new feature.
There's also the question of liability: Who reimburses you if there's no physical evidence that your car was actually broken into?
For Yash, there wasn't much he could do. After consulting with the Mazda Service Center, he was told his auto insurance didn't cover theft without proof, and there was no evidence of a break-in. Ultimately he relied on his renter's insurance for damages instead.