Automotive Cyber Security Timeline
The Internet has become an important service for the operation of modern society, as important as energy distribution, water supplies, transportation infrastructure, and telecommunications networks. The Internet is spreading into all the devices we use, our houses are becoming smarter and the cars we drive are connected. However, as the previous decades of office-based information technology (IT) have shown, if something is connected to the Internet it becomes a target. Hackers probe the Internet to find exploitable weaknesses in the software and hardware that run the connected devices. This applies to the connected car, if a car is connected to the Internet then the car's systems need to be secure and able to withstand attacking attempts. This article explores automotive cyber security in the form of a timeline. It traces back from recent research into automotive hacking, to the beginning of the technology that enabled the emergence of the connected car. Reading this automotive cyber security timeline will provide a sense of the importance of vehicle cyber security research, and the technological advances that enabled the concept of connected cars.
A List of Events related to Vehicle Hacking
Car hacking has occurred ever since digital electronics appeared in vehicles. Starting with chipping engine Electronic Control Units (ECUs) for more engine power and using laptops to alter digital odometers, through to researchers proving that unaltered cars can be hacked remotely over the Internet. This timeline, from the latest to the earliest, on car hacking looks at the key technologies and events that brought about the computerised car and how it can be hacked. If you have a suggestion for the timeline please send an email to firstname.lastname@example.org.
April 2023 - CAN Injection: keyless car theft - Ken Tindell documents how a vehicle Controller Area Network (CAN) system flaw allows the vehicle to be stolen by hacking into vehicle wiring. For example, how thieves accessed the CAN bus via the front headlight wiring loom after snapping off front bumper fittings.
March 2023 - Pwn2Own Hackers Breach a Tesla (Twice), Earn $350K and a Model 3 - The ethical hackers' favourite car target, Tesla, is breached again to earn bug bounties.
January 2023 - FAA outage: US airline regulators blame contractor for travel chaos - When travel chaos happens because of a computer failure it can be assumed that a system was hacked. However, a careless engineer can cause similar issues.
January 2023 - Security Researchers Say They Hacked California's Digital License Plates, Because Duh - Gizmodo provides some more background on ethical hackers breaking the Reviver RPlate electronic vehicle number plate system.
January 2023 - Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More - Ethical hacker Sam Curry lists all the auto manufacturers' apps and application programming interface (API) issues he has found.
November 2022 - Researchers find bugs allowing access, remote control of cars - Ethical hackers find weaknesses within vehicle apps and applications programming interfaces (APIs) to breach connected vehicle systems. Researcher Sam Curry later documents more automotive-related issues in a January 2023 blog post, see above.
October 2022 - You Can't See Me: Physical Removal Attacks on LiDAR-based Autonomous Vehicles Driving Frameworks - Researchers use a laser-based spoofing technique to remove objects being detected by vehicles' LiDAR-based sensors.
August 2022 - Gone in 130 seconds: New Tesla hack gives thieves their own personal key - A researcher finds a weakness in the Tesla NFC key card usage to clone the car on a mobile phone and use it to steal the car.
May 2022 - Review of Electric Vehicle Charger Cybersecurity Vulnerabilities, Potential Impacts, and Defenses - Researchers publish a paper listing the many security issues with EV chargers that have been discovered.
May 2022 - Reversing Kia Motors Head Unit to discover and exploit software vulnerabilities - Researchers document how they find potential vulnerabilities in a vehicle infotainment unit.
February 2022 - University of Oxford and armasuisse S+T researchers are able to instantaneously stop multiple electric vehicles (EVs) from charging using electromagnetic interference (radio waves). Their Brokenwire attack is against the common Combined Charging System (CCS) of direct current (DC) rapid chargers for EVs. The attack disrupts and breaks charging communications between the EV and charger to abort a charging session. The attack is wireless and is conducted from a distance.
January 2022 - Security failures in an open source app for Tesla users enabled researcher, David Colombo to access the functions of Teslas owned by others in disparate locations.
August 2021 - The joint ISO and SAE international standard ISO/SAE 21434:2021 Road vehicles - Cybersecurity engineering is published.
August 2020 - The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy - An article covers how a Tesla enthusiast found flaws in Tesla systems.
June 2020 - The UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) issued vehicle regulations on a Cyber Security Management System (CSMS) and on vehicle software updates.
March 2020 - Keen Security Lab use a multistage attack to achieve a compromise of a Lexus vehicle and transmit Controller Area Network messages that can perform potentially dangerous actions.
January 2020 - Using an image projector it is possible to fool camera-based Advanced Driver Assistant (ADAS) systems into believing a ghost object, road marking or a person is present in front of the vehicle.
November 2019 - Using Bluetooth Low Energy (BLE) as a vehicle identifier can lead to privacy and tracking issues, so Have a Tesla Model 3? This app can track its location.
November 2019 - Man pleads guilty to stalking and controlling ex-girlfriend's car with his computer
September 2019 - As physical security is displaced by computer-controlled security, a computer issue can affect lots of vehicle owners at once as when Tesla Owners Locked Out of Cars on Labor Day When Phone Key App Goes Down.
April 2019 - Fleet management apps are cracked, allowing data from thousands of accounts to be obtained and the potential immobilisation of thousands of vehicles.
May 2019 - Despite all the publicity on key fob relay hacks, they are still a weakness in vehicle security and this hack could take control of your Ford.
December 2018 - PAS 1885:2018, The fundamental principles of automotive cyber security. Specification - Published by the British Standards Institute (BSI), builds upon the UK Government's guidelines published in 2017.
November 2018 - CarsBlues, A vehicle Bluetooth hack that exploits infotainment systems to allow for access to call logs, text messages and other private data.
May 2018 - Researchers find vulnerabilities in BMW head units and telematics ECUs using fake GSM base stations.
April 2018 - Dutch security researchers remotely access Volkswagon Group infotainment units made by Harman.
August 2017 - The key principles of vehicle cyber security for connected and automated vehicles - The UK Government publishes cyber security guidelines for connected and automated vehicles (CAVs).
March 2017 - The WikiLeaks Vault 7 documents reveal that "As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks" and "The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations."
September 2016 - Keen Security on Car Hacking Research: Remote Attack Tesla Motors
September 2016 - Your Car’s New Software Is Ready. Update Now? - The New York Times reports how remote updates of vehicle software are increasingly common. General Motors (GM) has been doing it with their OnStar system since 2009, and Tesla since 2012. The issue of security for those updates is raised.
November 2015 - Hackers Cut a Corvette’s Brakes Via a Common Car Gadget
September 2015 - EPA, Learn About Volkswagen Violations. The US Environmental Protection Agency issues a notice of Violation to the Volkswagon Group over the use of a software defeat device for emissions testing. The manufacturer’s hack affects vehicle models from 2009.
2015 - Hackers remotely kill a Jeep on the highway – with me in it, Wired
2015 - Markey, Blumenthal To Introduce Legislation to Protect Drivers from Auto Security and Privacy Vulnerabilities with Standards and - Cyber Dashboard”, Senator Edward Markey
July 2015 - Markey Report Reveals Automobile Security and Privacy Vulnerabilities, Senator Edward Markey
2015 - Hackers Can Take Control of Cars From 3,000 Miles Away, NBC 4 New York
2014 - A Survey of Remote Automotive Attack Surfaces
2014 - Auto Alliance Initiates New CyberSecurity Forum, Automotive Information Sharing and Analysis Center
2014 - Most Hackable Cars, CNN Money
2014 - The Robot Car of Tomorrow May Just Be Programmed to Hit You, Wired
2014 - Open Garages
2013 - Sen Markey (D-MA) Letter to GM
2013 - Jury Finds Toyota Liable in Fatal Wreck in Oklahoma, New York Times
August 2013 - Adventures in Automotive Networks and Control Units, presented at DEF CON 21, PDF here.
2013 - Car Hacking Your Computer-Controlled Vehicle Could Be Manipulated Remotely, CBS
2013 - How to Hack Your Mini Cooper, Reverse Engineering CAN Messages on Passenger Automobiles, Jason Stags, Defcon 21
July 2013 - Researchers Charlie Miller and Chris Valasek control a Prius from a laptop, there are links to lots more car hacking videos in the Tek Eye article Car Hacking Videos
July 2013 - It is alleged that the journalist Michael Hastings was killed via a car cyber-attack.
September 2012 - UK Channel 4 News report on a, then, weakness in electronic car key fobs that allowed easy car theft.
September 2012 - Korean researchers use a malicious Android app to control a car
August 2012 - The first annual Cyber Auto Challenge takes place.
2011 - Can Your Car be Hacked?, Car and Driver
August 2011 - Comprehensive Experimental Analyses of Automotive Attack Surfaces, Center for Automotive Embedded Systems Security (CAESS)
February 2011 - Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars
2010 - Security and Privacy Vulnerabilities of In-Car Wireless Networks, A Tire Pressure Monitoring System Case Study, Rutgers, USC
2010 - Experimental Security Analysis of a Modern Automobile, Center for Automotive Embedded Systems Security (CAESS)
2010 - Hacker disables more than 100 cars remotely, Wired
2009 - The Spirit of Berlin was an autonomous vehicle project by Freie Universität Berlin, started in 2007 for participation in the DARPA Urban Challenge as Team Berlin (a joint team by the Freie Universität Berlin, Rice University, Fraunhofer IAIS, and industrial partners Micro-Epsilon, Berlin Sciences, IBM Germany, IBEO), drivable remotely by an iPhone
2009 - Google's Self-Driving Car Project (renamed Waymo in December 2016)
July 2008 - EVITA (E-safety Vehicle Intrusion proTected Applications) was a European project investigating improved vehicle security that ran till December 2011.
2007 - At CanSecWest RDS-TMC hacking is demonstrated: Satnav hacking made simple - Create your own traffic jam, bullfight or air raid, later demonstrated at BlackHAt and DEF CON 15
2007 - DARPA Urban Challenge
2005 - Defeating the security of RFID Chips in Car Keys and Gas Pump, John Hopkins University, Security Analysis of a Cryptographically-Enabled RFID Device
2005 - DARPA Grand Challenge
2005 - Linux Bluetooth hackers hijack car audio – The Register reporting on the Bluetooth hack
2005 - Hacking the Hybrid Vehicle, Wired
July 2005 - Vehicle audio eavesdropping and injection via Bluetooth using The Car Whisperer Linux software.
May 2005 - A Toyota vehicle was provided to F-Secure to prove that the Toyota and Lexus Bluetooth virus could not infect their vehicles. (Note the strange behaviour of the vehicle electronics at low battery levels. Could this ever be utilised to break a system?)
January 2005 - Unsubstantiated claims that Toyota and Lexus navigation systems can be infected with a computer virus via Bluetooth.
June 2004 - A Bluetooth proof-of-concept worm (virus) named SymbOS.Cabir is announced.
February 2004 - The NY Times article DRIVING; Altering Your Engine With New Chips discusses pitfalls of changing the software in ECUs and some implications for vehicle damage.
January 2004 - Chrysler offer Bluetooth in their UConnect telematics system (Intel X-Scale ARM CPU, Broadcom Bluetooth chipset, IBM ViaVoice software, and the QNX operating system).
November 2003 Bluetooth vulnerabilities are published by security researchers Adam Laurie and Ben Laurie on bluestumbler.org (no longer available).
September 2003 - In America Acura TL (Honda) cars are equipped with Bluetooth.
October 2003 - The UK Government made the The Road Vehicles (Construction and Use) (Amendment) (No. 4) Regulations 2003 banning driving whilst using a mobile phone. Effectively mandating the use of hands-free kits and thus phone-to-car links.
October 2003 - Orange UK (now EE) partners with Smart Automobile to offer a Smart City Coupe with Bluetooth hands-free.
May 2003 - Thailand's Finance Minister Suchart Jaovisidha is trapped in a BMW due to a malfunction of the vehicle's computer system.
2003 - The NY Times story Gentlemen, Start Hacking Your Engines on ECU modifications and a full injection system control by a digital organiser (Palm Pilot).
August 2002 - A Forbes article How To Hack Your Car is on ECU programming. It includes comments on the lack of code security.
Start of the 2000s - The telematics solutions of ATX Technologies Inc., with Tele Aid, and General Motors with OnStar, have security weaknesses exposed (https://web.archive.org/web/20141023194256/http://silverstr.ufies.org/blog/archives/000455.html - Dana Epp - Security Expert) and are used for covert FBI surveillance.
1999 - The Mercedes S Class has Distronic, the World's first Adaptive Cruise Control (ACC) system (applying a brake as required), and the Pre-Safe collision and avoidance response system.
1999 - The first Bluetooth specification is released.
1999 - Anderson on hacking lorry tachographs, On the security of digital tachographs
September 1997 - Intel Announces Connected Car Technology at IAA Frankfurt
At the Internationale Automobile Ausstellung (IAA) in Frankfurt, Germany chip manufacturer Intel reveals its Connected Car PC:
"passengers in the Citroën Xsara are entertained by a DVD film with Dolby Surround Sound Stereo, while the RDS-Radio continually updates the driver with the latest traffic news. On request, the Connected Car PC picks up the travelers' incoming e-mail and, using a text to speech converter, reads it to them. Up to date information on weather, traffic and tourism can also be downloaded on demand by the Connected Car PC from the Internet"
1997 - General Motors Corporation offer Cadillacs with OnStar telematics.
1996 - Only done 30,000. Honest, guv, car clocking has always been an issue, by using a laptop digital odometers can be altered.
October 1992 - Third generation Mitsubishi Debonair limousine came with the world's first Lidar-based distance warning.
1987 to 1995 - The European Eureka PROMETHEUS Project (Programme for European Traffic of the Highest Efficiency and Safety) researched autonomous driving and related technologies with €749 million.
The 1980s - The early autonomous driving experiments using a Mercedes-Benz van equipment with machine vision led by Ernst Dickmanns.
Mid-1970s - In the 1970's Aston Martin began incorporating digital electronics into their luxury Lagonda car, the touch switches and LED displays only lasted until 1980 because of reliability issues.
Early 1970s - General Motors early computerised car experiments, The Feasibility of a Car Central Computer
1960s and 1970s - Early experiments in self-driving vehicles go back as far as the 1960s and originate from ideas for remote Moon missions.
1960s - ARPANET, from the Wikipedia article: The Advanced Research Projects Agency Network (ARPANET) was an early packet-switching network and the first network to implement the TCP/IP protocol suite. Both technologies became the technical foundation of the Internet.
1930s and 1940s - The Soviet Union used remote-controlled tanks, the Teletank, during World War II.
1898 - Nikola Tesla's patent for a remote-controlled boat, Method of and Apparatus for Controlling Mechanism of Moving Vessels or Vehicles, demonstrated wireless command and control of a machine at the 1898 Electrical Exposition in Madison Square Gardens. This event is discussed in the thesis I, Robot: Nikola Tesla's Telautomaton.
Author:Daniel S. Fowler Published: Updated: