Automotive Cyber Security Timeline
The Internet has become an important service for the operation of modern society, as important as energy distribution, water supplies, transportation infrastructure, and telecommunications networks. The Internet is spreading into all the devices we use, our houses are becoming smarter and the cars with drive are connected. However, as the previous decades of office-based information technology (IT) has shown, if something is connected to the Internet it becomes a target. Hackers probe the Internet to find exploitable weaknesses in the software and hardware that run the connected devices. This applies to the connected car, if a car is connected to the Internet then the car's systems need to be secure and able to withstand attacking attempts. This article explores automotive cyber security in the form of a timeline. It traces back from recent research into automotive hacking, to the beginning of the technology that enabled the emergence of the connected car. Reading this automotive cyber security timeline will provide a sense of the importance of vehicle cyber security research, and the technological advances that enabled the concept of connected cars.
A List of Events related to Vehicle Hacking
Car hacking has occured ever since digital electronics appeared in vehicles. Starting with chipping engine Electronic Control Units (ECUs) for more engine power and using laptops to alter digital odometers, through to researchers proving that unaltered cars can be hacked remotely over the Internet. This timeline, from the latest to the earliest, on car hacking looks at the key technologies and events that brought about the computerised car and how it can be hacked. If you have a suggestion for the timeline please send an email to dan@tekeye.uk.
February 2022 - University of Oxford and armasuisse S+T researchers are able to instantaneously stop multiple electric vehicles (EVs) from charging using electromagnetic interference (radio waves). Their Brokenwire attack is against the common Combined Charging System (CCS) of direct current (DC) rapid chargers for EVs. The attack disrupts and breaks charging communications between the EV and charger to abort a charging session. The attack is wireless and be conducted from a distance.
January 2022 - Security failures in a open source app for Tesla users enabled researcher, David Colombo to access the functions of Teslas owned by others in disparate locations.
August 2021 - The joint ISO and SAE international standard ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering is published.
https://www.iso.org/standard/70918.html
June 2020 - The UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) issued vehicle regulations on a Cyber Security Management System (CSMS) and on vehicle software updates.
https://unece.org/fileadmin/DAM/trans/doc/2020/wp29grva/ECE-TRANS-WP29-2020-079-Revised.pdf https://undocs.org/ECE/TRANS/WP.29/2020/80
January 2020 - Using an image projector it is possible to fool camera based Advanced Driver Assistant (ADAS) systems into believing a ghost object, road marking or a person is present infront of the vehicle.
https://www.nassiben.com/phantoms
November 2019 - Using Bluetooth Low Energy (BLE) as a vehicle identifier can lead to privacy and tracking issues, so Have a Tesla Model 3? This app can track its location.
https://the-parallax.com/2019/11/14/tesla-radar-model-3-phone-key-ibeacon/
November 2019 - Man pleads guilty to stalking and controlling ex-girlfriend's car with his computer
September 2019 - As physical security is displaced by computer controlled security, a computer issue can affect lots of vehicle owners at once as when Tesla Owners Locked Out of Cars on Labor Day When Phone Key App Goes Down.
https://www.caranddriver.com/news/a28904319/tesla-owners-locked-out-of-cars-phone-key/
April 2019 - Fleet management apps are cracked, allowing data from thousands of accounts to be obtained and potential immobilisation of thousands of vehicles.
See: https://www.vice.com/en_us/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps
May 2019 - Despite all the publicity on key fob relay hacks, they are still a weakness in vehicle security and this hack could take control of your Ford.
https://the-parallax.com/2019/05/03/hacker-ford-key-fob-vulnerability/
December 2018 - PAS 1885:2018, The fundamental principles of automotive cyber security. Specification - Published by the British Standards Institute (BSI), builds upon the UK Government's guidelines published in 2017.
https://shop.bsigroup.com/ProductDetail/?pid=000000000030365446
November 2018 - CarsBlues, A vehicle Bluetooth hack that exploits infotainment systems to allow for access to call logs, text messages and other privacy data.
https://www.privacy4cars.com/can-my-car-be-hacked/
May 2018 - Researchers find vulnerabilities in BMW head units and telematics ECUs using fake GSM base stations.
April 2018 - Dutch security researchers remotely access Volkswagon Group infotainment units made by Harman.
https://www.computest.nl/nl/knowledge-platform/rd-projects/car-hack/
August 2017 - The key principles of vehicle cyber security for connected and automated vehicles - The UK Government publishes cyber security guidelines for connected and automated vehicles (CAVs).
March 2017 - The WikiLeaks Vault 7 documents reveal that "As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks" and "The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations."
September 2016 - Keen Security on Car Hacking Research: Remote Attack Tesla Motors
November 2015 - Hackers Cut a Corvette’s Brakes Via a Common Car Gadget
https://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
September 2015 - EPA, Learn About Volkswagen Violations. The US Environmental Protection Agency issues a notice of Violation to the Volkswagon Group over the use of a software defeat device for emissions testing. The manufacturer’s hack affects vehicle models from 2009.
https://www.epa.gov/vw/learn-about-volkswagen-violations
2015 - Hackers remotely kill a Jeep on the highway – with me in it, Wired
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
2015 - Markey, Blumenthal To Introduce Legislation to Protect Drivers from Auto Security and Privacy Vulnerabilities with Standards and - Cyber Dashboard”, Senator Edward Markey
July 2015 - Markey Report Reveals Automobile Security and Privacy Vulnerabilities, Senator Edward Markey
2015 - Hackers Can Take Control of Cars From 3,000 Miles Away, NBC 4 New York
https://www.nbcnewyork.com/news/local/hack-a-car-computer-wifi-remote-vehicle-hacking-291272611.html
2014 - A Survey of Remote Automotive Attack Surfaces
https://ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf
2014 - Auto Alliance Initiates New CyberSecurity Forum, Automotive Information Sharing and Analysis Center
https://www.automotiveisac.com/
2014 - Most Hackable Cars, CNN Money
https://money.cnn.com/2014/08/01/technology/security/most-hackable-cars/index.html?hpt=hp_t2
2014 - The Robot Car of Tomorrow May Just Be Programmed to Hit You, Wired
https://www.wired.com/2014/05/the-robot-car-of-tomorrow-might-just-be-programmed-to-hit-you/
2014 - Open Garages
http://opengarages.org/index.php/Main_Page
2013 - Sen Markey (D-MA) Letter to GM
https://www.markey.senate.gov/documents/2013-12-2_GM.pdf
2013 - Jury Finds Toyota Liable in Fatal Wreck in Oklahoma, New York Times
https://www.nytimes.com/2013/10/25/business/jury-finds-toyota-liable-in-fatal-wreck-in-oklahoma.html
August 2013 - Adventures in Automotive Networks and Control Units, presented at DEF CON 21, PDF here.
https://www.theregister.co.uk/2013/06/25/miller_car_hacking/
2013 - Car Hacking Your Computer-Controlled Vehicle Could Be Manipulated Remotely, CBS
https://losangeles.cbslocal.com/2013/11/20/car-hacking-michael-hastings/
2013 - How to Hack Your Mini Cooper, Reverse Engineering CAN Messages on Passenger Automobiles, Jason Stags, Defcon 21
July 2013 - Researchers Charlie Miller and Chris Valasek control a Prius from a laptop, there are links to lots more car hacking videos in the Tek Eye article Car Hacking Videos
https://www.youtube.com/watch?v=oqe6S6m73Zw
July 2013 - It is alleged that the journalist Michael Hastings was killed via a car cyber-attack.
https://www.huffingtonpost.co.uk/entry/michael-hastings-car-hacked_n_3492339
September 2012 - UK Channel 4 News report on a, then, weakness in electronic car key fobs that allowed easy car theft.
https://www.youtube.com/watch?v=HuLKormzWE4
September 2012 - Korean researchers use a malicious Android app to control a car
https://news.sbs.co.kr/news/endPage.do?news_id=N1001370933
August 2012 - The first annual Cyber Auto Challenge takes place.
https://www.sae.org/attend/cyberauto/
2011 - Can Your Car be Hacked?, Car and Driver
https://www.caranddriver.com/features/a15124906/can-your-car-be-hacked-feature/
August 2011 - Comprehensive Experimental Analyses of Automotive Attack Surfaces, Center for Automotive Embedded Systems Security (CAESS)
February 2011 - Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars
2010 - Security and Privacy Vulnerabilities of In-Car Wireless Networks, A Tire Pressure Monitoring System Case Study, Rutgers, USC
https://cse.sc.edu/~wyxu/papers/TPMSUsenix.pdf
2010 - Experimental Security Analysis of a Modern Automobile, Center for Automotive Embedded Systems Security (CAESS)
http://www.autosec.org/publications.html
2010 - Hacker disables more than 100 cars remotely, Wired
https://www.wired.com/2010/03/hacker-bricks-cars/
2009 - The Spirit of Berlin was an autonomous vehicle project by Freie Universität Berlin, started in 2007 for participation in the DARPA Urban Challenge as Team Berlin (a joint team by the Freie Universität Berlin, Rice University, Fraunhofer IAIS, and industrial partners Micro-Epsilon, Berlin Sciences, IBM Germany, IBEO), drivable remotely by an iPhone
https://www.youtube.com/watch?v=oHDwKT564Kk
2009 - Google's Self-Driving Car Project (renamed Waymo in December 2016)
https://en.wikipedia.org/wiki/Waymo
July 2008 - EVITA (E-safety Vehicle Intrusion proTected Applications) was a European project investigating improved vehicle security that ran till December 2011.
https://www.evita-project.org/
2007 - At CanSecWest RDS-TMC hacking is demonstrated: Satnav hacking made simple - Create your own traffic jam, bull fight or air raid, later demonstrated at BlackHAt and DEF CON 15
https://www.theregister.co.uk/2007/04/20/satnav_hack/
2007 - DARPA Urban Challenge
https://archive.darpa.mil/grandchallenge/
2005 - Defeating the security of RFID Chips in Car Keys and Gas Pump, John Hopkins University, Security Analysis of a Cryptographically-Enabled RFID Device
2005 - DARPA Grand Challenge
https://archive.darpa.mil/grandchallenge05/
2005 - Linux Bluetooth hackers hijack car audio – The Register reporting on the Bluetooth hack
https://www.theregister.co.uk/2005/08/02/car_whisperer/
2005 - Hacking the Hybrid Vehicle, Wired
https://archive.wired.com/science/discoveries/news/2005/11/69519
July 2005 - Vehicle audio eavesdropping and injection via Bluetooth using The Car Whisperer Linux software.
https://trifinite.org/blog/archives/2005/07/introducing_the.html
May 2005 - A Toyota vehicle was provide to F-Secure to prove that the Toyota and Lexus Bluetooth virus could not infect their vehicles. (Note the strange behaviour of the vehicle electronics at low battery levels. Could this ever be utilised to break a system?)
https://www.f-secure.com/weblog/archives/00000553.html
January 2005 - Unsubstanstiated claims that Toyota and Lexus navigation systems can be infected with a computer virus via Bluetooth.
https://www.scmagazine.com/home/security-news/mobile-virus-infects-lexus-cars/
June 2004 - A Bluetooth proof-of-concept worm (virus) named SymbOS.Cabir is announced.
http://virus.wikidot.com/caribe
February 2004 - The NY Times article DRIVING; Altering Your Engine With New Chips discusses pitfalls of changing the software in ECUs and some implications for vehicle damage.
https://www.nytimes.com/2004/02/13/travel/driving-altering-your-engine-with-new-chips.html
January 2004 - Chrysler offer Bluetooth in their UConnect telematics system (Intel X-Scale ARM CPU, Broadcom Bluetooth chipset, IBM ViaVoice software, and the QNX operating system).
https://www.pcmag.com/archive/the-bluetooth-car-117748
November 2003 Bluetooth vulnerabilities are published by security researchers Adam Laurie and Ben Laurie on bluestumbler.org (no longer available).
https://web.archive.org/web/20031118173621/http://www.bluestumbler.org/
September 2003 - In America Acura TL (Honda) cars are equipped with Bluetooth.
https://en.wikipedia.org/wiki/Acura_TL#2004
October 2003 - The UK Government made the The Road Vehicles (Construction and Use) (Amendment) (No. 4) Regulations 2003 banning driving whilst using of a mobile phone. Effectively mandating the use of hands free kit and thus phone to car links.
https://www.legislation.gov.uk/uksi/2003/2695/made
October 2003 - Orange UK (now EE) partners with Smart Automobile to offer a Smart City Coupe with Bluetooth hands free.
https://www.carpages.co.uk/smart/smart_orange_gets_smart_08_10_03.asp
May 2003 - Thailand's Finance Minister Suchart Jaovisidha is trapped in a BMW due to a malfunction of the vehicle's computer system.
https://www.theage.com.au/technology/computer-glitch-traps-thai-minister-in-bmw-20030513-gdgr7n.html
2003 - The NY Times story Gentlemen, Start Hacking Your Engines on ECU modifications and a full injection system control by a digital organiser (Palm Pilot).
https://www.nytimes.com/2003/01/09/technology/gentlemen-start-hacking-your-engines.html
August 2002 - A Forbes article How To Hack Your Car is on ECU programming. It includes comments on the lack of code security.
https://www.forbes.com/forbes/2002/0708/148.html
Start of the 2000's - The telematics solutions of ATX Technologies Inc., with Tele Aid, and General Motors with OnStar, have security weakness exposed (https://web.archive.org/web/20141023194256/http://silverstr.ufies.org/blog/archives/000455.html - Dana Epp - Security Expert) and are used for covert FBI surveillance.
https://www.theregister.co.uk/2003/11/20/court_limits_incar_fbi_spying/
1999 - The Mercedes S Class has Distronic, the World's first Adaptive Cruise Control (ACC) system (applying braking as required), and the Pre-Safe collision and avoidance response system.
https://en.wikipedia.org/wiki/Autonomous_cruise_control_system
1999 - The first Bluetooth specification is released.
https://www.bluetooth.com/media/our-history
1999 - Anderson on hacking lorry tachographs, On the security of digital tachographs
https://link.springer.com/chapter/10.1007/BFb0055859
September 1997 - Intel's Announces Connected Car Technology at IAA Frankfurt
At the Internationale Automobile Ausstellung (IAA) in Frankfurt, Germany chip manufacturer Intel reveals it's Connected Car PC:
"passengers in the Citroën Xsara are entertained by a DVD film with Dolby Surround Sound Stereo, while the RDS-Radio continually updates the driver with the latest traffic news. On request, the Connected Car PC picks up the travelers' incoming e-mail and, using a text to speech converter, reads it to them. Up to date information on weather, traffic and tourism can also be downloaded on demand by the Connected Car PC from the Internet"
https://www.intel.com/pressroom/archive/releases/1997/IC090997.HTM
1997 - General Motors Corporation offer Cadillacs with OnStar telematics.
https://en.wikipedia.org/wiki/OnStar#History
1996 - Only done 30,000. Honest, guv, car clocking has always been an issue, by using a laptop digital odometers can be altered.
https://www.independent.co.uk/life-style/motoring/only-done-30000-honest-guv-1345479.html
October 1992 - Third generation Mitsubishi Debonair limousine came with the world's first Lidar based distance warning.
https://en.wikipedia.org/wiki/Mitsubishi_Debonair#Third_generation
1987 to 1995 - The European Eureka PROMETHEUS Project (Programme for European Traffic of the Highest Efficiency and Safety) researched autonomous driving and related technologies with €749 million.
1980's - The early autonomous driving experiments using a Mercedes-Benz van equipment with machine vision led by Ernst Dickmanns.
Mid 1970's - In the 1970's Aston Martin began incorporating digital electronics into their luxury Lagonda car, the touch switches and LED displays only lasted to 1980 because of reliability issues.
Early 1970s - General Motors early computerised car experiments, The Feasibility of a Car Central Computer
https://www.sae.org/publications/technical-papers/content/730126/
1960's and 1970's - Early experiments in self-driving vehicle's go back as far as the 1960's and originate from ideas for remote Moon missions.
1960's - ARPANET, from the Wikipedia article: The Advanced Research Projects Agency Network (ARPANET) was an early packet-switching network and the first network to implement the TCP/IP protocol suite. Both technologies became the technical foundation of the Internet.
1930's and 1940's - The Soviet Union used remote controlled tanks, the Teletank, during World War II.
1898 - Nikola Tesla's patent for a remote controlled boat, Method of and Apparatus for Controlling Mechanism of Moving Vessels or Vehicles, demonstrated wireless command and control of a machine at the 1898 Electrical Exposition in Madison Square Gardens. This event is discussed in the thesis I, Robot: Nikola Tesla's Telautomaton.
See Also
- A list of Car Hacking Videos
- For a full list of all the articles in Tek Eye see the full site Index
Author:Daniel S. Fowler Published: Updated: