'Tis the season for (cyber) car thieving...

(The following article was originally a response to comments in a post, which has now turned into a bigger review/awareness summary).

A few weeks ago, I shared a piece of content that really caught my eye:

The video is of car thieves stealing a high-end BMW, but in a non-typical fashion... Via communication interception, aka in the information security space a "relay attack".

Wikipedia describes a relay or "man-in-the-middle" type of attack as the following:

"A relay attack (also known as the two-thief attack)[1] in computer security is a type of hacking technique related to man-in-the-middle and replay attacks. In a classic man-in-the-middle attack, an attacker intercepts and manipulates communications between two parties initiated by one of the parties. In a classic relay attack, communication with both parties is initiated by the attacker who then merely relays messages between the two parties without manipulating them or even necessarily reading them."

So, cyber is now playing a part in physical theft?

This has lead me to writing the following article and collating comments from cyber professionals, industry experts and car owners of whom, have had this happen to them...

Security Awareness 101

Everyone uses a mobile device nowadays. Considering modern day cars are like computers on wheels, there should be a more rigorous authentication method as opposed to just being able to intercept the keys signal and therefore, acting as the key itself. Multi Factor Authentication (MFA) should be able to solve the majority of these issues, including the use of biometrics and pin authentication.

Trefor, a director at a semiconductor manufacturer "Tesla works around this by not having keys (it’s a phone app or card) and with pin to drive for 2 factor authentication. I think other manufacturers could do something similar."

Security awards. Notice how many car manufacturers are quick enough to tell the buyer of their NCAP 5* safety rating, why aren't they as quick to tell them of their security rating? Firstly, its not in the sellers best interests, more as to how the car makes them feel and the fact its going to keep their family safe whilst in transit, but also, the fact there ISNT ONE. I would be keen to understand how quick the rest of the industry would follow suit should the likes of VW, KIA, Mercedes etc start to implement a rating as to how secure their cars were. Do we believe this would then change consumer decision making when buying a new car?

Dinis a CISO at a leading food retailer "... We also need a good security rating/label that shows the buyers of those cars the current level of security of their car"

Awareness. Apart from owning a property, a car is likely to be most peoples second biggest expenditure in their lifetime. If you buy a new watch, you put it in a case at night. If you buy a new phone, you buy the case but also a screen protector. The same goes for owning a bike with a D-Lock and so on and so forth... So, onto awareness.

As technology moves on, we need to be aware of the implications this may mean, a lot like how the UK Gov is making decisions on the future of AI with the world's first AI Safety Institute. Speed is key in almost every type of transaction, mostly from the seller but also, from the consumer buying the product and it not becoming a tedious process. However, what would peoples thoughts be if there was a 5 minute security video right after signing the paperwork on how to keep your vehicle secure at night. 5 minutes, considering you're likely to be driving the vehicle for 2-3 years minimum, in hindsight, is a minor setback if your knowledge of the vehicle is going to increase that much more.

Changes on an industrial scale

This is but a small pointer in what seems to be a far more larger systemic issue within the automotive industry by implementing heaps of technology for ease in their vehicles, but fundamental flaws in the cars when it comes to security still.

Stuart, a Cloud Security Director at a leading Cyber Security company "... Fully agree and putting the responsibility on the customer due to insecure architecture" after referring to previous comments around the need for a faraday box (another solution on top of).

Summary of a summary...

Theft by a means of cyber intervention has taken place for years. However, its not been until something of significant value (like the BMW) being stolen right in front of your eyes, have people started to sit up and think... "Am I going to be next?".

Awareness is key in all that we do and I'm a big advocate of the "always learning" approach to work and in my home life. If I can be that bit more savvy, I can hopefully stay one step ahead of most things whilst keeping hold of key assets.

I hope this article has been useful and if possible, share it with your family and loved ones, as well as other folk in the automotive and IT industries in the hope that they can learn something new, but also with enough voices heard, the industry may just change for the better and for all of us consumers...

Thank you for reading and comments/shares/likes are always welcome.

Joel