High tech gadgetry is turning cars into a thief’s dream

Car keys in a Tin - blocking the signal - Faraday cage

Pagers and radios exploded in Lebanon last week, giving Hezbollah a dramatic lesson in how consumer technology can be turned into a lethal weapon. But the carnage could usefully give the rest of us a wake-up call too.

The attack shed light on the “dark corners of Asia supply chains”, wrote Reuters, with an audacious operation that relied on the terrorists failing to perform due diligence on their shady supplier, and hoping none of their members prised open the pager and peeked inside. Remarkably, none did.

But we’re hardly more curious: we don’t care how the sausage is made, and thanks to globalisation, it’s harder than ever to find out what’s in it. Nowhere is the supply chain as complex, and security as challenging, as in the automotive industry.

Just look at the scale of car theft. Relay theft, or keyless car theft, contributed to 132,489 vehicles being stolen last year in England and Wales, with some high-end brands becoming virtually uninsurable.

Land Rovers were being stolen at three times the rate of any other model, with one owner quoted a £48,000 annual insurance premium for a car worth £45,000. Three in four thefts go unsolved.

The company has worked hard on fixes, with new models more secure and hopes that premiums are now coming down. But the scale of attacks has forced the industry to cooperate more closely.

Shoving the latest high tech gadgetry into a car doesn’t always help. Mercedes thought it had found the answer to theft by putting fingerprint sensors on vehicles’ control panels. Until one day a Malaysian accountant found that thieves had not only robbed him of his S class Merc, but of his index finger, too. Wisely, manufacturers have not returned to this method.

Today, automotive supply chains are very long, very deep, and fiendishly complex. A decade ago, academics calculated that Ford used 1,400 companies across 4,400 locations in its Tier 1 suppliers alone.

There are more in Tier 2 – and that’s two out of ten tiers of suppliers. Nor is it easy to define what a car company actually does in 2024 – it’s like trying to capture fog with a fishing net.

Strip it down to the basics, and the core business involves maintaining the brand, marketing, after-sales support and the final integration. And maybe some manufacturing, but often not.

So much has been outsourced, sceptics say there’s more financial engineering here than there is real engineering.

Car companies use shared car “platforms”, with the same underlying technology badged up differently. For example, Volkswagen’s MQB platform pops up under the Skoda, Audi, and SEAT badges.

China’s Geely is a sprawl of fully-owned IP, investments and joint ventures, spanning Volvo, Polestar, and Aston Martin amongst several others.

And can we say with any confidence where a vehicle has originated? At the highest level, Jaguar Land Rover Group (JLR) is Indian, while Geely is Chinese, and emphatically so.

But as sanctions are imposed on cheap electric vehicles (EVs), the country of origin is turning out to be quite malleable: China is confident that EVs “finished” in the European Union will evade EU tariffs expected to be imposed this week.

“It’s a real challenge to make it all work together safely and reliably”, says auto security expert Ken Tindell, chief technology officer of Canis Automotive Labs and the founder of a new microchip startup.

“If you are supplying a software component and have no idea how it’s being integrated, you can’t accept liability for how things could go wrong.”

He brought a hack that allowed Toyota cars to be stolen to wide attention last year, and describes a cat and mouse game between hackers and motor companies.

The industry buzz phrase today is “software defined cars”. But Volkswagen’s much touted Cariad software division has run over budget and has been hit by delays. Egos there were bruised when it made a $5bn deal with EV company Rivian.

Tindell, an adviser to industry and government, fears that the skill set required to make a car operate reliably – hard electrical engineering skills – is getting rarer.

“IT guys who are coming in with a background working in data centres can live with a key exchange that takes two seconds. But if you’re in a vehicle like a steer-by-wire Tesla Cybertruck, you can’t wait for two seconds for the system to recover after a watchdog reset. It would mean you can’t steer the car for two seconds.”

Connecting a car or truck to the internet also opens up new attack vectors. The Pentagon acknowledged in 2019 that within weeks of the US Army’s Stryker Dragoon armoured vehicles arriving in Afghanistan, they had been hacked. Why would we expect our cars to be any more secure than a military vehicle?

Connectivity has its uses. Imagine, as a driver, being warned of black ice before you reach it, for example. But any private electronic interface that is open to the world via a network becomes a target. Security vulnerabilities are demonstrated at events like Pwn2Own, where “white hat” hackers compete for big money prizes. Tesla is a top target.

A cyberattack on our trucking fleet would quickly bring the UK economy to a halt. Once a lorry has been compromised, the attacker could choose when and where to disable it. With our road haulage disabled, supermarket shelves would quickly empty and fuel stations rapidly run out of supplies.

The consequences don’t bear thinking about.

CORRECTION: The headline of this article has been amended to clarify that the article refers to cars generally, not just electric vehicles.
