Cyber-attacks that reports describe as out of “a James Bond movie” could target a car near you


Give a man a fish, and you feed him for a day. Teach a man to ransom your data, and you feed a cyber-criminal for life.

—modernized take on an ancient Chinese proverb

Ransomware is officially a billion-dollar industry. Actually, that’s not a completely accurate statement. It’s not like Conti Ransomware and the fittingly-named Evil Corp — two of the prime movers in the increasingly lucrative hacking industry — are listed on the NASDAQ and have to report their earnings to the SEC. Nonetheless, estimates place ransomware payments in the region of US$450 million in the first six months of last year. According to Nikkei Asia, cyber-attacks are so lucrative that North Korea gets half its foreign currency from cyber-theft.


Worse yet, the number of attacks and the payments the “abductors” exact seem to be doubling every year, with The Economist reporting that the average payment for an “attack” increased from US$800,000 in 2022 to more than US$1.5 million in 2023. As to why what was once regarded as a “niche cyber-crime problem” is now so very ubiquitous, that’s simple: virtually all the experts Motor Mouth spoke with say we have the anonymity of cryptocurrency to thank for the increasingly frequent attacks. Their “exploits” are not only now more profitable, but their filthy lucre is easier to hide.

For those that don’t know what ransomware is, it is officially – assuming the Oxford Dictionary is still “official” — defined as “a type of malicious software designed to block access to a computer system until a sum of money is paid.” In simpler terms, someone — most often Russian hackers, it seems — holds your data “hostage” until you, well, pay a ransom. Hospital emergency centres, medical research labs, essential utilities, or really anything deemed essential — even, says The New Yorker, London’s world-renowned British Library, since “ransomware-as-a-service” provider Rhysida recently stymied access to its 14 million books — are deemed prime targets.


In the automotive world, the basest form of ransomware attack would be a thief stealing your car without, well, ever taking possession of it. Imagine the frustration of being able to see, touch, or even, if Vlad-the-digital-delinquent wanted to be especially diabolical about it, sit in your vehicle, but it remaining functionally useless to you — “bricked,” as they say in the biz — until you pay a ransom to someone whose only connection to you and your car is but some distant cyber-link.

As horrific as the “theft” of your pride and joy might seem — and traditional car theft is also on the rise, the Toronto Star recently reporting that auto theft in the city is at a 20-year high — it is but the tip of the proverbial cyber-attack iceberg. The truth is that, although the auto industry has managed to keep most of its vulnerabilities out of the spotlight, transportation-sector ransomware attacks are growing. Exponentially, in fact, with Yoav Levy, co-founder and CEO of Upstream Security, an Israeli company that combats data exploitation in the automotive sector, estimating that cyber-related “exploits” have nearly doubled in the last few years.


Charlie Miller (L) and Chris Valasek give a briefing during the Black Hat USA 2015 cybersecurity conference in Las Vegas, Nevada, August 5, 2015. Photo by Steve Marcus/Reuters

And not only are they increasing in frequency, they are growing in magnitude, as well. In just one of the vulnerabilities exposed this year, a ransomware attack on Orbcomm, a fleet management provider, prevented trucking companies across North America from making deliveries or even tracking their inventory. According to — yes, the absolutely best name for a website ever — truckers were forced to go back to paper logs to make what deliveries they could.

Whatever the hack, the message is always the same: pay the ransom, or welcome back the 20th century. Automakers, meanwhile, are the most targeted manufacturing subsector, says SOCRadar, accounting for one-third “of the total attacks against the manufacturing industry.” VINs, phone numbers, emails, and even physical addresses are the most targeted data.



What truly strikes fear into everyone involved in automotive connectivity, however, is the possibility someone could control or even weaponize vehicles. It’s hardly surprising, considering current geopolitics, that much of the early “research” in the field is occurring in the midst of the Russia-Ukraine war. In one instance, a fleet of John Deere farm machinery stolen from a Ukrainian dealership — isn’t it wonderful when Putin’s righteous “special military operation” is really nothing more than a scavenger hunt for tractors that Russia can’t engineer itself? — ended up useless and bricked somewhere in the Chechen Republic.

In another, Anonymous — a hacktivist collective that sees itself as a digital Robin Hood — infiltrated Russia’s Yandex Taxi ride-hailing app and ordered “all available taxis” to the Kutuzovsky Prospekt, one of Moscow’s main thoroughfares. The ensuing digitally-created traffic jam was described by one local reporter as just




Nor are such vulnerabilities just figments of an overactive imagination. Sam Curry, the most recent of (white-hat) hackers to expose the porosity of automotive cybersecurity, revealed some “Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More” not too long ago. According to the Yuga Labs security engineer, he could easily unlock, gain access to, and start the engines of a number of Kias, Hyundais, Genesises, Hondas, Infinitis, Nissans, and Acuras (not to mention take over Ferrari customer accounts, retrieve sales documents for any number of BMWs and Rolls-Royces, and send vehicle commands to Porsches).

The truly scary bit of this story, though, is how easy these vulnerabilities were to exploit. It turns out, says Curry, that the vehicle telematics systems of “nearly every automobile manufactured in the last [five] years had nearly identical functionality.” Indeed, as Curry tells it, the only reason he and some fellow hackers got involved in the project was that they just happened to come across a fleet of electric scooters at the University of Maryland and, seemingly on a whim, started poking at the scooter’s mobile app until they had all their horns honking and headlights flashing.


Now, the honking of horns — and if you listen to this video, not very loud horns — is hardly the stuff that made Skyfall a legendary secret-agent flick, but, according to both Curry and Levy, all these automotive cyber-attacks are made so much easier by the same kind of mobile apps that Curry exploited on those lowly scooters.

And the reason this new generation of software-defined vehicles (SDVs) is so vulnerable is that, according to Levy, hackers no longer need to understand a car’s underlying computer architecture to wreak their havoc, as Charlie Miller and Chris Valasek had to in their famed Jeep hack of 2015. Vulnerabilities in authentication, validation, and encryption in the APIs (Application Programming Interfaces) that apps use to communicate with cars are the weaknesses that now allow Curry and his band of merry (white-hat) hackers to wreak havoc on all those luxury cars I mentioned earlier.


The New York Times recently recounted the story — Your Car Is Tracking You. Abusive Partners May Be, Too — of an irate divorcé who tracked his unsuspecting ex-wife through their C 300 sedan’s “Mercedes me” app. As scary — and off-putting! — as that tale might have been, the far more pressing issue is that it wouldn’t be all that hard for a hacker to track anyone through such a connected services app.

An engineer used the Mercedes me App to remotely open and close a car’s windows. Photo by Mercedes-Benz

Christine Dowdall’s husband might have had a leg up in that they once shared the car — and, according to the Times, he was a DEA agent — but this is exactly the kind of app that leaves our modern cars vulnerable to these API hacks. Oh, and a word to the wise for soon-to-be-ex-spouses: make sure both your names are on a car’s title, so you will be allowed to disable future surveillance.


Before I end all this doom and gloom, I should mention that there might be, depending on your ethical rigidity and/or loyalty to an automaker, a few hacks that are actually beneficial. The most useful — but ethically challenging — is that rolling back a car’s odometer is now relative child’s play. What was once difficult enough to warrant a $1,500 cash payment can be had for a hundred bucks, handed over to any smart kid with a new-ish iPad. Ditto for cars hard-wired to only accept specific OEM parts; it would now seem fairly easy to override those protocols to allow the installation of lower-cost aftermarket parts.

A hacker watching a car on a monitor in a dark hideout during a cyberattack. Photo by Evgeniy Shkolenko/Getty

And finally, to end on a high note, Ms. Dowdall, unable to get help from Mercedes-Benz in preventing her car tracking her movements — her husband’s was the only name on the title — was able to find an independent mechanic to hack the “Mercedes me” app and disable the remote tracking function.


But that’s about it for good news. Indeed, the one point we haven’t discussed in all this talk of cyber-hacking and ransomware is the penalty for not paying up. According to, the consequences of non-payment are simple and direct: your name or company name — and all the personal, proprietary, and financially sensitive information that goes along with it — are published on public “leak sites,” not just as fulfillment of a threat, but also as the digital equivalent of the old mafioso “sending a message.” It’s probably time we all started listening.

To hear more on this most important of subjects, please register here (for free!) for the last of Driving into the Future’s fifth season of webinars on January 17 at 11:00 AM Eastern. Both Levy and Curry will be joined by Sebastian Fischmeister, a professor of Electrical and Computer Engineering at the University of Waterloo and an expert in cyber supply-chain security for the auto industry.

David Booth

David Booth is Driving’s senior writer as well as the producer of’s Driving into the Future panels and Motor Mouth podcasts. Having written about everything from the exact benefits of Diamond Like Coating (DLC) on motorcycle camshafts to why Range Rovers are the best vehicles for those suffering from opioid-induced constipation, Booth leaves no stone unturned in his quest for automotive veritas. Besides his long tenure with Driving, he was the editor in chief of Autovision magazine for 25 years and his stories have been published in motorcycle magazines around the world including the United States, England, Germany and Australia.


Graduating from Queen Elizabeth High School in 1973, Booth moved from his Northern Quebec home town of Sept-Iles — also home to Montreal Canadiens great, Guy Carbonneau, by the way — to Ottawa to study Mechanical Engineering at Carleton University where he wrote a thesis on the then burgeoning technology of anti-lock brakes for motorcycles and spent time researching the also then burgeoning use of water tunnels for aerodynamic testing.


After three years writing for Cycle Canada magazine and another three working for the then oldest magazine in Canada, Canadian Automotive Trade, Booth, along with current Driving writer, Brian Harper, and then Toronto Star contributor, Alex Law, created an automotive editorial services group that supplied road tests, news and service bulletins to what was then called Southam newspapers. When Southam became Postmedia with its purchase by Conrad Black and the subsequent introduction of the National Post, Booth was asked to start up the then Driver’s Edge section which became, as you might suspect, when Postmedia finally moved into the digital age. In the past 41 years, Booth has tested well over 500 motorcycles, 1,500 passenger cars and pretty much every significant supercar of the last 30 years. His passion — and, by far, his proudest achievement — however is Motor Mouth, his weekly column that, after some 30 years, remains as incisive and opinionated as ever.


Booth remains an avid sports enthusiast — that should be read fitness freak — whose favourite activities include punching boxing bags until his hands bleed and running ski hills with as little respect for medial meniscus as 65-year-old knees can bear. His underlying passion, however, remains, after all these years, motorcycles. If he’s not in his garage tinkering with his prized 1983 CB1100RC — or resurrecting another one – he’s riding Italy’s famed Stelvio Pass with his beloved — and much-modified — Suzuki V-strom 1000. Booth has been known to accept the occasional mojito from strangers and the apples of his eye are a certain fellow Driving contributor and his son, Matthew, who is Global Vice-President of something but he’s never quite sure what. He welcomes feedback, criticism and suggestions at [email protected]


