At a Glance
Once upon a time, all it took to steal a car was a large rock and a pair of wire cutters. However, today’s vehicles have more in common with your laptop than they do with their mechanical ancestors from the 1900s. Sure, the ability to unlock and remotely start your vehicle via your smartphone is undoubtedly cool and convenient. But, in a world where TikTokers can use a USB charging cable to start a Kia, is it dangerous?
While automotive companies may have more than a century’s experience in making vehicles, they have very little experience in securing the systems they use to unlock and start the car. This means there are bound to be security holes that can be used by bad actors to steal your car or just screw with your head by making your vehicle misbehave.
How Do “Phone as Key” Systems Work?
The way “Phone as Key” systems for vehicles work can vary from manufacturer to manufacturer. Some “Phone as Key” systems use NFC or Bluetooth (or a mixture of both technologies) to make a local connection between your smartphone and your vehicle.
If a hacker is nearby, they may be able to intercept and monitor the communication between your smartphone and vehicle, allowing them to open and start your vehicle whenever they’d like to do so.
Some systems use a cellular or home WiFi connection to communicate between your phone and your vehicle, with the carmaker’s cloud servers acting as a go-between to ferry commands back and forth between your smartphone and your vehicle.
These systems are usually more advanced than the NFC/Bluetooth-based systems and often allow you to track your car’s GPS, and remotely shut down your vehicle in case of theft.
What Can a Bad Actor Do Once They’ve Gained Access to My Vehicle’s “Phone as Key” System?
There are several things a bad actor can do once they’ve gained control of your vehicle’s “Phone as Key” system. First of all, they can open the car, start it, and drive away, which is the most likely result.
A few years ago, a researcher working for the cybersecurity firm NCC Group used a laptop equipped with a small relay device to unlock and drive away in a 2021 Tesla Model Y. Weaknesses such as those used in the demonstration are not limited to the Tesla, as the vulnerabilities used in the demonstration apply to any vehicle or smart lock on the market.
Your car could also be taken by mistake. Rajesh Randev, an immigration consultant in Vancouver and a Tesla owner, was able to start and drive away in another owner’s Tesla by using the Tesla app on his phone. The man says both cars were the same model and color, and as he was in a hurry, he simply assumed that since the car allowed him to enter it and start it must be his.
He didn’t realize his mistake until a few hours later when the owner of the purloined Tesla texted him. Randev had also noticed that the Tesla he was driving had a crack in the windshield, which his car did not have.
“Apparently I found some glitch,” Randev said.
Recently, a British car owner woke up to a stolen car after two thieves used an iPad to unlock it and drive away, with no need for the auto’s key fob.
Mischievous hackers could also start and stop your automobile’s engine, lock or unlock the doors, or disarm the security system, etc.
In 2018, one hundred Austin, Texas drivers found their cars completely disabled or their cars’ horns honking out of control after a hacker had some fun web-based vehicle-immobilization system.
Some researchers fear that hackers will someday remotely start a gas or diesel vehicle as it sits in an attached garage, allowing the car to run for hours, until it fills the house with carbon monoxide, possibly killing an entire family.
Don’t Car Makers Know About These Vulnerabilities?
Unfortunately, no matter how hard automotive engineers attempt to make their remote starting systems more secure, there are always vulnerabilities that they may not be aware of or have not yet been able to fix. This happens even to Apple and Microsoft, both of which release security fixes on a regular basis for macOS and Windows, respectively.
Car manufacturers have little experience with securing their vehicle systems, and are actually learning as they go. That said, vehicle manufacturers should keep an eye out for reports of hackers (or TikTokers) figuring out ways around their security systems. Manufacturers need to protect their apps against tampering, using strong and secure user authentication and keeping application keys secure.
After all, if a bad guy manages to compromise the security of a certain vehicle/app combination, that attack method could be used against other owners of that vehicle model and could be modified to allow access to other models.
We’re already seeing dark web marketplaces selling hacking tools to exploit all sorts of vulnerabilities in several electronic devices, so it’s not a huge leap to expect hackers to someday sell a service that can unlock and start a car with just a few taps of an iPhone or Android smartphone’s screen.
It may be a good idea to take a step backwards and adopt a feature Ford has used since the 1980s. Ford’s SecuriCode keypad is a $50 option that has proven to be popular with Ford customers (I have it on my car and love it).
SecuriCode incorporates a small keypad that is built into the vehicle’s driver-side door. Instead of using a key fob or a smartphone app to unlock the car, the driver merely enters a numeric code that they can easily customize. No Bluetooth or WiFi signal is required, meaning there is no signal to intercept or spoof to open the door.
What Can I Do to Protect Myself Against Bluetooth “Phone as Key” Hacking?
While I would normally suggest that whenever possible you should disable the “Phone as Key” feature on your car, never installing the required app on your iPhone or Android smartphone and simply using the vehicle’s key to unlock the doors, that really is a last-ditch resolution. Few drivers want to disable a feature that they likely paid extra for.
That’s why I suggest that users keep their smartphone updated to the latest version of its operating system, while also making sure the app used for “Phone as Key” is also updated to the latest version. This helps to prevent hackers from using known flaws in the operating system or app to perform their “open sesame” magic.
The good news is that most car thieves don’t have the time or the knowledge to hack and steal your vehicle. Instead, they’ll use the tried and true “brick through the driver’s door window” technique.
In Closing
As we’ve learned, hackers can indeed hack their way into your vehicle, allowing them to steal the vehicle or tamper with it in some way. Before buying any vehicle with a Bluetooth “Phone as Key” system, do some research, searching for any news reports or technical papers related to the system used by your prospective vehicle.
If your vehicle is prone to being stolen or tampered with, it could not only lead to having it stolen, but it may also cause your car insurance rates to be higher than on vehicles that do not offer similar systems.