Is your auto repair shop at risk for cyberattacks?

June 20, 2017
Software and computer networks have opened up the automotive market to the world of hackers, malware and computer viruses.

The intense focus on pre- and post-repair scans is an effective reminder of just how far vehicle and automotive repair technology have evolved in just the past decade. Automobiles are no longer simply petroleum-powered metallic people movers with computer controlled fuel injection and emissions. Today’s cars and trucks are mobile computer networks providing safety, efficiency and convenience that motorists couldn’t have dreamed of just a decade ago but what consumers fully expect now.

All this sophisticated technology (and the cutting-edge tech needed to repair it) has come at a price — potentially a steep price. Software and computer networks have opened up the automotive market to the world of hackers, malware and computer viruses.

(Image courtesy of Ford Media) Researchers similarly worry that Apps and other devices that come into contact with critical vehicles systems could contain malware that might overcome security protocols and cause harm in a number of ways.

So serious are these threats that manufacturers have made cybersecurity a priority and actually banded together to search for ways to protect their products. The Association of Global Automakers and Alliance of Automobile Manufacturers set up an Information Sharing and Analysis Center (ISAC) to enable the sharing of data involving cyber security. (While that might spark optimism that the industry is on track to handle cyber threats, keep in mind that this effort is well-behind similar movements in the healthcare, financial and other markets decades ago.)

Not concerned? Maybe it’s time to start or at least become more familiar with security issues. When the auto manufacturing world begins putting computer threats at the forefront, shops need to take notice. Their work intersects in a variety of ways with cybersecurity issues that are serious enough to put the livelihood and survival of shops in jeopardy.

Consider the following examination of trends and likely threats that might affect your business, along with the steps you can take to prepare. Warning: Speculation ahead. But entering the murky waters of hacking threats requires looking at the world in terms of what could be to prepare for the problems that will be at your door in the very near future.

The WIFI-hackable vehicle: The facts behind the story

In 2015, automotive cybersecurity researchers were able to hack into a 2014 Jeep over the Internet, gain control of the vehicle and bring it to a stop in traffic. The stunt forced Chrysler to issue a recall on 1.4 million vehicles that would need a software patch installed.

The hack sent shockwaves through the consumer market, causing motorists to question whether their vehicles could fall victim to similar, and extremely dangerous, takeovers. Chrysler and other automakers were quick to point out that the researchers were only able to perform the hack after first connecting a computer to the vehicle’s onboard diagnostic (OBD) port. In short, they claimed researchers had essentially “gamed” the situation. In no way was this vehicle or any other that had not been similarly physically manipulated at risk.

(Image courtesy of Chrysler Media) Researchers used the Internet to gain control of a 2014 Jeep Cherokee like this to prove that automobiles were vulnerable to cyberattacks.

Researchers countered that their work provided an example of just how susceptible automobiles were to cyberattacks. Since there is no template defining how an automobile — or for that matter any product using a computer — could be hacked, seeking out potential weaknesses hackers could exploit demands looking at such an issue from all angles. These researchers and others have continued working on other potential security breaches and shortcomings in automotive designs they believe could be vulnerable to attacks.

One such area they point to is the emergence of Over the Air (OTA) software updates — upgrades that would be delivered via Wi-Fi to a vehicle with no need for owner intervention (the same way upgrades are automatically made to your laptop or other electronic devices). Several of the world’s largest automakers have either started or begun putting together plans to enable some of their vehicles to receive OTA software updates. These include:

  • BMW and Hyundai — Implementing an LTE-telematics architecture to enable navigation system map updates (Hyundai's currently is only targeting vehicles in Korea).
  • Ford — Moving to Blackberry's QNX Car platform to permit Sync 3 infotainment systems to receive OTA updates.
  • Honda — Planning to allow OTA upgrades via a home Wi-Fi network.
  • Toyota and Lexus — Enabling OTA upgrades for the EnTune infotainment system by Bluetooth either paired or physically connected to a smartphone or tablet.
  • Nissan and Infinity — Putting an OTA upgrade platform in place.

The concern in these cases is that hackers could bypass OEM security protocols and transmit their own OTA content to manipulate vehicle systems. Automakers note that currently OTA transmissions are intended only for navigation and entertainment/infotaiment systems, not powertrain or any other systems related to vehicle operation that could be manipulated into causing an accident.

Critics say compromised navigation/entertainment systems still represent a dangerous threat. For example, hacked music systems could present distractions that remove a driver’s attention from the road should the volume suddenly increase. Hacked navigation systems could create the same kind of confusion or pull drivers well off course and into areas of heavy road construction or traffic congestion.

The projected growth of software OTA, and eventually Firmware Over-the-Air (FOTA), upgrades makes them even more attractive. OTA updates offer manufacturers both tremendous cost-saving potential and convenience they’re eagerly looking to leverage.

From 2014-2016, the recall rate among four major OEMs rose nearly 46 percent, costing a combined $20 billion in 2015 in warranty reserves. Auto markets analysts ABI Research prepared a study showing that close to one-third of 2015’s recalls alone could have been addressed with OTA, saving OEMs at least $6 billion.

Moreover, the company forecasts approximately 203 million OTA-enabled cars shipping by 2022, with nearly 180 million new cars supporting OTA, and 22 million supporting FOTA by then.

Considering the many billions of dollars in potential savings at hand, OEMs eventually could look into secure ways to use OTA or FOTA to update vehicle operational systems. While such a movement raises risk levels, it also offers advantages related to vehicle security. Namely, it would help ensure vehicles receive necessary upgrades and software patches that otherwise might require a customer to make an inconvenient visit to a dealer or perform the work themselves.

(Image courtesy of Ford Media) Ford is preparing to update software on its Sync infotainments systems using Over the Air (OFA) upgrades. Doing so provides significant convenience to the OEM and consumers, but researchers worry about potential dangers and its effect on the industry.

For comparison, automakers need only look at the experience of Chrysler, which drew serious criticism for its handling of the 2014 recall when it mailed out USB drives containing the necessary software patch. The responsibility of applying the fix was left to consumers—many of whom might never performed the work. OTA upgrades remove such variables from the repair equation.

On an interesting side note, the growth of OTA upgrades could produce significant fallout throughout the repair industry. Ordinarily, many of these updates would have been performed at a dealer shop. Shifting these tasks back to the OEM means taking billions of dollars away from dealers who depend in large part on warranty income to stay afloat. Any significant repercussions in the dealer repair market could affect independent repairers in the form of disrupted parts supply lines or similar effects that might reshape shop/dealer relationships.

At the shop level

Potential problems from OTA transmission are more of a concern down the road. More immediate threats to vehicle cybersecurity are at the shop level —specifically with the vehicle itself and the very equipment shops use to diagnose and perform repairs.

As it turns out, your tools could be the “soft target” hackers are looking to exploit. During a recent cybersecurity conference in Louisville, Ky., a security consultant demonstrated how he spent $20 on hardware and free software to build a tool that could deliver malware to a vehicle via its On-Board Diagnostic (OBD) ports. Such a vehicle could then be dropped off for work at a shop and pass on the malware to diagnostic tools that would continue passing malicious code onto any other vehicle they connected to, potentially compromising critical driving systems like the brakes or transmission. In short order, a number of vehicles in an area could quickly become “infected.” Should those vehicles be brought to another shop, it’s tools similarly could become infected and continue spreading malware.

Just as worrisome, experts note that such an infection wouldn’t need an infected vehicle to produce this kind of malware epidemic. They say a shop’s Wi-Fi could be hacked and a virus introduced there could find its way through the shop’s computer systems and into diagnostic tools.

Other experts note the potential danger of aftermarket products that make use of OBD ports, particularly the “dongles” designed to fit into the OBD II port under the dashboard. Designed to perform services such as tracking driving habits and statistics for motorists and insurers (who use the data to determine rates), these devices connect directly to a vehicle’s internal network where they could be manipulated to deliver malicious code — which could be passed onto shop tools.

With collision repairers needing to perform pre- and post-repair scans to produce a thorough repair on every vehicle that passes through their doors, the collision industry becomes an obvious starting point for a cyberattack.

This isn’t just science fiction. Cybersecurity experts fully expect automobiles to be targeted, and shops currently provide one of the most attractive paths for a malware attack. If that news isn’t sobering enough, consider the fact that shops who pass on viruses that compromise vehicle safety might be liable for damages — even if they were completely unaware of the danger.

The who, what, when and why of auto hacking

So why would anyone want to hack an automobile — especially since there seems to be little or no financial gain in producing accidents? For the same reasons your laptop, tablet and smartphone are constantly being targeted by hackers: Someone, somewhere, gets a sense of satisfaction by invading a technological/personal space and manipulating or harming it. Perpetrators could be anyone from terrorists, activists trying to make political points and pranksters looking for attention to social malcontents seeking some way to lash out. Because hackers of all kinds share information across the internet, they pass on security vulnerabilities as soon as they’re detected. They’re continually at work looking for ways to exploit potential breaches.

Fortunately, auto and tool manufacturers also are working overtime to find ways to defend their products (their livelihood depends on protecting customers). Being vigilant against cyberthreats is a team battle, where all areas of the auto industry must take their part. Here’s what you can do to protect your customers and your shop:

  1. Stay informed. Keep abreast of the threats facing your industry. Pay attention to industry news and other sources that track cyberthreats and note those that could affect your business.
  2. Follow all security recommendations. Work with your tool vendors and vehicle manufacturers to adhere to their guidelines on keeping computer systems safe. Install and update cyber protection products and any updates.
  3. Guard the office. Make sure your internal computer systems also are protected. Keep Internet firewalls and anti-virus products up to date. Regularly change passwords, and require employees to update their passwords every 30-90 days. Separate internal Wi-Fi from Wi-Fi offered to customers. In the case of the latter, require a password for customer use, and update it regularly. That might seem like a bit much, but you want to keep hackers away from every part of your business.
  4. Talk to your customers. Warn customers of the potential dangers of aftermarket dongles. Should a scan of a vehicle register odd codes or if anything about the functioning of entertainment or navigation systems appears out of sorts, query the customer on who may have accessed an OBD port or come into contact with the system.
  5. Spread the word. In an industry already dealing with a number of repair and business issues, repairers might feel inclined to dismiss talk of cyberthreats as an overreaction or reckless hype. This simply isn’t the case. While there isn’t reason to panic, there are plenty of reasons to prepare to handle a threat on the minds of both manufacturers and cybersecurity experts. With so many different parties working on the same vehicles, repairers and other industry members can best protect customers by working together. Reach out to your colleagues. Don’t hesitate to share information and your thoughts with others.

The era of computer systems, micro controllers and vehicle connectivity has revolutionized the automobile world. Information technology research and advisory firm Gartner says that within five years most new vehicles will be connected to the internet. Research firm IHS Automotive declares a decade after that almost 21 million autonomous vehicles will be on world roadways. The billions of lines of computer code and the technology needed to make all these vehicles and their systems work together will continue being rich territory for hackers to exploit.

By doing your part today, you’ll help ensure the safety and survival of the repair market tomorrow and the tomorrow after that.

Sponsored Recommendations

ZEUS+: The Cutting-Edge Diagnostic Solution for Smart, Fast, and Efficient Auto Repairs

The new ZEUS+ simplifies your diagnostic process and guides you through the right repair, avoiding unnecessary steps along the way. It gives you the software coverage, processing...

Diagnostic Pre- and Post-scan Reports are Solid Gold for Profitability

The following article highlights the significance of pre-scans and post-scans, particularly with Snap-on scan tools, showcasing their efficiency in diagnosing issues and preventing...

Unlock Precision and Certainty: TRITON-D10 Webinar Training for Advanced Vehicle Diagnostics

The TRITON-D10 lets you dig deep into the systems of a vehicle and evaluate performance with comparative data, systematically eliminating the unnecessary to provide you with only...

APOLLO-D9: Trustworthy Diagnostics for Precision Repairs

The APOLLO-D9 provides the diagnostic information and resources you need to get the job done. No more hunting through forums or endlessly searching to find the right answers. ...

Voice Your Opinion!

To join the conversation, and become an exclusive member of Vehicle Service Pros, create an account today!