New cars easy to hack – can be opened without a key




IT students at KTH have succeeded in hacking a long series of new cars and were able to show that data from the car is being sent to China.




Students at KTH in the Tesla Model 3, whose data ports are better protected than the other cars tested.

Most new cars are connected to the internet to be controlled by apps, receive traffic information and have the software updated.

IT security students from the Royal Institute of Technology (KTH) have, together with the magazine Vi Bilägare, tried to hack a number of cars that the magazine had in for testing. The students have also looked at what kind of data is sent from the car, and where it goes.

Can spy for China

One of the cars examined is an MG. According to MG, the car sends so-called “log data” to a Chinese server when the car’s app for listening to music crashes. But according to the students’ tests, the Chinese server is contacted continuously without the app ever crashing.

– If it’s just statistics on the service history of the car being shipped to China, it might not be too much of a concern. But if you send data from the car’s GPS or audio recordings, it is something completely different. It creates a very good picture of people’s lives for those who are looking to spy, and it can create anxiety among many, says Pontus Johnson, who is professor of network and systems engineering at KTH.

More manufacturers send data outside the EU

The test also shows that Nissan and Seat send data outside the EU. If it is personal data that is sent, it is prohibited, because that type of data must be kept within the EU according to the so-called GDPR regulation.

Violating it can cost billions in fines. Both Nissan and Seat insist that no personal data leaves the EU.

Wide open data ports

Another security flaw revealed in MG’s electric car is that several of the car’s so-called ports are wide open. The ports are used to send and receive data over the network, but should not be left open for no reason. None of the other cars in the test have open ports in this way and the MG is thus clearly the worst in the review.

An open port does not in itself have to be a security problem, but it can make it easier for hackers who want to get into the car’s system and, according to Pontus Johnson, it is an example of “sloppy development”. Researchers in the US have previously exploited that kind of vulnerability to be able to control a car with a laptop from the back seat, but MG insists it won’t be possible in this case.

MG confirms to Vi Bilägare that the ports are open and that they are connected to the car’s internal wireless network that the passengers can connect to. After our disclosure, the ports will be closed, but the update will not be mandatory for the car owners.

The students open the doors of the car with the help of a computer.

Can be opened without a key

The students have succeeded in opening the doors to five of the magazine’s long-distance test cars – without the key nearby. It can be done with the help of a laptop and a gadget that can be bought online for a few thousand Swedish kronor.

The key sends out a radio signal that opens the car. What the car thieves do is record that signal in a small gadget and then play it back to the car at a later time. Since the car cannot distinguish between the key and the “thieves’ gadget”, the car is opened regardless.

– It doesn’t have to be like this. There are other techniques you can use to communicate securely, says Pontus Johnson.
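To make the point concrete, here is an added example (not from the article or from any of the tested cars) contrasting a receiver that accepts a fixed code with one that requires an authenticated, strictly increasing counter. The frame layout, key, window size and class names are all assumptions chosen for illustration.

```python
import hashlib
import hmac

WINDOW = 16  # assumed: how far ahead of the last accepted counter a frame may be

def tag_for(key: bytes, ctr: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the counter (assumed frame design)."""
    return hmac.new(key, ctr, hashlib.sha256).digest()[:8]

class StaticReceiver:
    """Unlocks on a fixed code, so a recorded frame stays valid forever."""
    def __init__(self, code: bytes):
        self.code = code
    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingKeyFob:
    """Key fob that sends counter || MAC and never reuses a counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr + tag_for(self.key, ctr)

class RollingReceiver:
    """Car side: verifies the MAC, then rejects any counter already used."""
    def __init__(self, key: bytes):
        self.key, self.last = key, 0
    def receive(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        ctr, tag = frame[:4], frame[4:]
        if not hmac.compare_digest(tag, tag_for(self.key, ctr)):
            return False  # forged or corrupted frame
        n = int.from_bytes(ctr, "big")
        if not (self.last < n <= self.last + WINDOW):
            return False  # replayed (old counter) or too far ahead
        self.last = n
        return True

def demo() -> dict:
    fixed = b"constructed-fixed-code"          # constructed sample value
    static_car = StaticReceiver(fixed)
    key = b"constructed-demo-key"              # constructed sample value
    fob, car = RollingKeyFob(key), RollingReceiver(key)
    recorded = fob.press()                     # the frame that gets recorded
    return {"static_first": static_car.receive(fixed),
            "static_replay": static_car.receive(fixed),
            "rolling_first": car.receive(recorded),
            "rolling_replay": car.receive(recorded),
            "rolling_next": car.receive(fob.press())}
```

The counter check only rejects frames the car has already accepted or that fall outside the window; designs in which the car sends a fresh random challenge bind each unlock to a live exchange.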


Magnus Fröderberg

Photo: Fredrik Diits Vikström / OK-förlaget

