An unlocked door in cybersecurity: The aftermarket

The success of "white hat" hackers in remotely penetrating vehicle controls through aftermarket car-alarm systems has sounded a new warning in cybersecurity circles.

The hacks, carried out last year by a research team in the U.K., make plain that the entire automotive supply chain will probably have to be enlisted to ensure future vehicle security — including Tier 2 and even aftermarket manufacturers, experts say.

Being able to reach into a vehicle through parts made outside of an automaker's control represents a new wrinkle in cybersecurity. The vast and growing marketplace of aftermarket add-on electronics remains a largely unmonitored field of activity, said Ken Munro, a security researcher with Pen Test Partners of Buckingham, England, which conducted the hacks.

"There is so much more vulnerability," Munro told Automotive News. "In my experience, the OEMs are really waking up. But they have a lot of legacy product in the market already.

"My concern is not so much the OEMs, it's all their suppliers and the aftermarket."

Munro said the Pen Test team hacked into vehicles through alarm systems from Directed Electronics of Vista Calif., and from the Russian-based Pandora Car Alarm Systems. Directed's products include Viper-brand car alarms that are available in the United States.

Pen Test normally conducts what is referred to as "penetration testing" as a service to companies that want their security put to the test. But Munro said his company hacked the car alarms not for a client, but simply as a challenge.

Directed Electronics said in a written statement that Pen Test had notified it about its vulnerability. Pandora Car Alarm Systems could not be reached for comment.

"We appreciate the diligence of groups like Pen Test Partners in bringing this matter to our attention and are happy that it was quickly and successfully addressed," Chris Pearson, director of marketing for Directed Electronics, said in the written statement. "The issue was quickly rectified."

Directed Electronics said it believes "no customer data was exposed, and that no accounts were accessed without authorization during the short period this vulnerability existed."

Pen Test conducted the research in a controlled experiment after equipping different vehicle makes and models with car alarms that researchers purchased.

The results varied by vehicle and alarm brand. But once the systems were hacked, researchers could locate a vehicle in real time; identify the car type and the owner's identity; disable the alarm; unlock the vehicle; possibly eavesdrop on the vehicle's occupants; and in some cases, kill the engine, even when the vehicle was moving, Munro said.

David Barzilai, chairman of Karamba Security of Hod Hasharon, Israel, said the Pen Test hack did not surprise him. Security hackers never cease trying to break into any unprotected access to any connected device, he said.

Karamba has gathered intelligence on hacking activity by setting up what Barzilai calls "honey pot" decoys, connected to the Internet with no security protection or with easily guessed passwords. He said that within a month, each decoy recorded more than 300,000 hacking attempts.

All those attempts were almost certainly carried out by automated means. Hackers don't necessarily know what kind of device they're breaking into, Barzilai said. But once robotic hackers gain access to a device, any device running sophisticated programs such as those used in vehicles would become targets, he said.

Karamba's security technology will go into its first mass-produced vehicles later this year, Barzilai said. He declined to disclose the OEM customer.

Monique Lance, marketing director for another Israeli supplier, Argus Cyber Security of Tel Aviv, said she was aware of the Pen Test hack. Argus is part of Elektrobit, which is owned by the global Tier 1 supplier Continental AG.

"It's just another example of how increased connectivity is exposing OEMs to higher and higher risks," Lance said. "It's a warning signal for all the OEMs."