Blog: Automotive Security

Hacking tractors is a thing. Is it the start of something else for connected cars?

Tony Gee 26 Apr 2017

I found an article on MOTHERBOARD a wee while ago:

https://motherboard.vice.com/en_us/article/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware

It talked about how US farmers are turning to Ukrainian hackers to allow them to use cheaper repair parts and independent garages to fix their tractors, this is in contravention of the contracts they signed with John Deere.

With connected/autonomous cars, how long before a) manufacturers start implementing contractual restrictions on where you can get them serviced and what you can do with them? and b) how long before hackers start trying to reverse the controls/restrictions put in place, not only to take over the car and crash it, but also to simply enable more features?

What’s the rules?

Currently under the EU Block Exemption Regulation (BER) manufacturers are required to allow owners to use independent garages to service and maintain their car for them without impacting a warranty. Independent garages are authorised in law to have access to repair and maintenance information to diagnose faults with vehicles and implement fixes.

This is typically performed through the ODB2 port, especially important with older cars out of warranty, as often the second-hand owner market won’t use a dealer given the increased cost of using them.

An interesting point raised by one of my colleagues is how does it work when you have a leased car? More and more people are choosing leasing or at least a personal contract purchase agreement. A leased car is not owned by the person leasing the car, but by the leasing firm, so how does the EU BER apply there? Will the user of the car be forced to use a dealer or be financially liable for the car?

Well, little concrete information is known, but it is generally understood that the leasing firm will mandate dealer service-and-repair as it enhances the value of the car when they come to sell it on after it is handed back. In fact, many offer dealer only maintenance plans as part of the leasing agreement. But this does present the question, what about the second-hand market? A lot of people are likely to choose an independent garage.

Now that’s fine with new cars, even new ‘dumb’ cars, but what happens when you throw second-hand connected cars or autonomous vehicles in to the mix?

Used connected cars

The current crop of connected cars is just starting to come to the age where they will be resold to the second hand market and are likely to be taken to independent garages. Just how much work will they be able to do? Will we be forced to use dealer garages for some fixes?

As cars get more ‘connected’ and smarter will manufacturers start to restrict what independent garages can do, be that contractually or technically. I think it is inevitable that they will and if we do start to see this you can bet that hackers like the Ukrainian tractor hackers will start to extend their skill set.

I know I have modified my own (old & dumb) car through the ODB2 port to allow me to open all windows from my key, something that wasn’t previously possible from the standard settings menu. There are many stories on car forums of people doing similar small scale tweaks, but nothing yet that really is ground-breaking.

There are certainly some hoaxes – such as playing DOOM in your Porsche! What about unlocking expensive options? Perhaps features that are a paid-for option or standard on the more expensive models. There is already talk of this type of modification.

With autonomous cars this could get even more deadly. What about unlocking a faster mode, turning off systems that will prevent the car moving if a seatbelt is not on? Or more even more sinister, overriding the security systems that will prevent collisions. None of this needs to be done remotely. Often the fear is that a remote hacker will take over our car and cause a collision, but it may not need to be that way, owners may modify their own car for their own gain.

Car manufacturer or software developer…

Car manufacturers should now really be seen primarily as software developers. Tesla is a perfect example of this. They are a software firm who happen to make hardware. This is becoming true of all car manufacturers. I was at an automotive conference last year and was not at all shocked to hear that the current crop of connected cars now have millions of lines of code.

Autonomous vehicles will need to have billions.

To put that in to perspective Windows XP had 45 million lines of code and we all know how many vulnerabilities that operating system had…

It is simply unfathomable that connected or autonomous cars won’t have vulnerabilities.

Then you have the support model. Car manufacturers estimate that they need to support a car for 16+ years now. How will they patch the inevitable vulnerabilities? I think it is safe to say that they won’t bother or in some cases won’t be able to. With the exception of Tesla, very few cars have automatic over-the-air updates, so IF there is an update that car will need a trip back to the dealer for the update.

And then we come back to the problem facing independent garages. Will they be able to update the cars? Will they even know how? If they will do the update, how do they securely get the code to apply the update? Given the seemingly constant leaks of secure code, how can we be sure that the code will be delivered securely to the car without being leaked and hacked as seen with John Deere.

In the future could we see attackers buying second hand autonomous cars, downloading or creating a dodgy firmware update to enable them to modify the car to use as a guided weapon from the safety of their home. I sincerely hope not. Sadly however it’s a big stretch of the imagination.

BTW we’ve just acquired a John Deere tractor to “evaluate”…