Hopping into an Uber or a Car2Go is a great way to get around. Unfortunately, hackers agree, exploiting weaknesses in apps to go on “phantom rides” with someone else’s profile.
From such trips—like a man in Australia who went on more than 30 free drives on the GoGet car-sharing platform before being arrested—to vehicle theft and taking wireless control of cars, reported attacks on smart cars have ballooned six-fold over the past four years, according to research from cyber-security platform Upstream Security Ltd.
While companies have taken note, with Daimler AG’s Car2Go car sharing beefing up security measures after a limited number of accounts were hacked, risks around vehicle cybercrime are only going to get worse. Connected cars are forecast to double to 775 million by 2023, according to Juniper Research, enlarging the pool of convenience features like keyless entry, apps to turn on heating remotely and smartphone connection via bluetooth.
“Each new service connected to a vehicle is a new potential entry point for hackers,” Upstream wrote in a report published Monday. “Worst-case scenarios are loss to business earnings, theft, data privacy or property damage.”
Carmakers from Mercedes-Benz maker Daimler to Toyota Motor Corp. are pursuing digital services as potentially lucrative additional sources of revenue, as well as keeping pace with growing competition from the likes of Uber Technologies Inc. Daimler and BMW AG are in the process of combining their car-sharing platforms, to build a far broader suite of services including a ride-hailing app, electric-car charging and digital parking services.
Car-sharing platforms lack adequate protection, said cybersecurity and anti-virus provider Kaspersky Lab after testing 13 apps from Russia, the U.S. and Europe. Most of them allowed for weak passwords, didn’t protect against reverse engineering, and failed to stop phishing attempts, according to a July report that didn’t name the services tested.
In the race to thwart cybercriminals, carmakers regularly invite software experts to test the robustness of their setups. While phantom rides are relatively harmless, hacks can be far more dangerous. In 2015, Fiat Chrysler Automobiles NV recalled 1.4 million cars and trucks after Wired magazine published a story about software programmers who were able to take over a Jeep Cherokee it was driven on a Missouri highway.
Uber, the ride-hailing app that's preparing a public share sale, says it has introduced security features like two-step log-in verification, since fraudsters in China used fake accounts to go on free rides.
“We have entire systems and organizations at Uber that are able to detect this kind of fraudulent activity,” Uber told Bloomberg News in a statement. “Criminals will keep trying new ways to get what they want and we need to constantly respond to their evolving techniques. Fighting fraud never ends.”