Car Hackers Are Out for Blood

The rise of “smartphones on wheels” is ushering in cybersecurity risks that have never before existed on America’s roads.

[Illustration: a see-through 3-D model of a car. Illustration by The Atlantic. Source: Getty.]

When a group of German hackers breached a Tesla, they weren’t out to remotely seize control of the car. They weren’t trying to access the owner’s WiFi passwords, nor did they want a way to steal credit-card numbers from a local electric-vehicle charging network.

Their target was its heated seats.

The Tesla in question was equipped with heated rear seats, but the feature is hidden behind a paywall and activated only after the driver forks over $300. To get around that, three Ph.D. students from Technische Universität Berlin, along with an independent researcher (and the Tesla’s owner), say they physically tampered with the voltage supply that powers the car’s infotainment computer, briefly dipping it at a precise moment during boot so that the processor misexecutes an instruction, a fault-injection technique known as voltage glitching. This allowed them to essentially glitch the computer, in the process gaining access to the rear heated seats free of charge. By “jailbreaking” the car, they were also able to access many of its internal systems and private user data. “We are not the evil outsider, but we’re actually the insider, we own the car,” one of the researchers told TechCrunch last month ahead of a cybersecurity conference where they presented their findings. “And we don’t want to pay these $300 for the rear-heated seats.”
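To make the glitching idea concrete, here is an added illustration in C. It is not code from the Berlin researchers, from Tesla, or from AMD, and it does not reproduce their attack; it models the general principle that a single well-timed fault can flip one decision in a feature check, and shows the redundant-check pattern that firmware uses to resist it. The glitch is simulated in software: a counter decides which comparison the “fault” forces to succeed. The entitlement tag, the constants, and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example data: the 8-byte "entitlement tag" the firmware
 * would compare against its stored value before enabling a paid feature.
 * Real systems verify a signed entitlement; a raw compare keeps the
 * fault model easy to follow. */
const uint8_t EXPECTED_TAG[8] = {0x52, 0x45, 0x41, 0x52, 0x48, 0x45, 0x41, 0x54};
const uint8_t GOOD_TAG[8]     = {0x52, 0x45, 0x41, 0x52, 0x48, 0x45, 0x41, 0x54};
const uint8_t BAD_TAG[8]      = {0};

/* Fault model (an assumption of this example): a single-glitch attacker
 * can make exactly one comparison in the check "succeed", as a voltage
 * dip that skips the conditional branch would. fault_at picks which
 * comparison (1-based) is hit; 0 means no fault. */
static int g_fault_at;
static int g_cmp_count;

static bool tags_equal(const uint8_t *a, const uint8_t *b)
{
    g_cmp_count++;
    if (g_cmp_count == g_fault_at)
        return true;                 /* the glitched branch */
    return memcmp(a, b, 8) == 0;
}

/* Naive gate: one comparison decides. One well-timed glitch unlocks it. */
bool naive_feature_enabled(const uint8_t tag[8], int fault_at)
{
    g_fault_at = fault_at;
    g_cmp_count = 0;
    return tags_equal(tag, EXPECTED_TAG);
}

/* Hardened gate: two independent comparisons, each recorded as a
 * distinct non-zero constant, plus a final consistency test. A single
 * skipped branch leaves the other variable in its "deny" state, so the
 * feature stays locked. volatile stops the compiler from merging the
 * two comparisons back into one. */
#define OK_A 0x5Au
#define OK_B 0xA5u
bool hardened_feature_enabled(const uint8_t tag[8], int fault_at)
{
    g_fault_at = fault_at;
    g_cmp_count = 0;
    volatile uint8_t a = tags_equal(tag, EXPECTED_TAG) ? OK_A : 0u;
    volatile uint8_t b = tags_equal(tag, EXPECTED_TAG) ? OK_B : 0u;
    if (a != OK_A) return false;
    if (b != OK_B) return false;
    if ((uint8_t)(a ^ b) != (uint8_t)(OK_A ^ OK_B)) return false;
    return true;
}

/* Try a glitch at every comparison site and count how many unlock the
 * feature with a bad tag. */
int count_glitch_bypasses(bool (*check)(const uint8_t *, int), int sites)
{
    int bypasses = 0;
    for (int site = 1; site <= sites; site++)
        if (check(BAD_TAG, site))
            bypasses++;
    return bypasses;
}

int main(void)
{
    printf("naive: correct tag %d, bad tag %d, bad tag + glitch %d\n",
           naive_feature_enabled(GOOD_TAG, 0),
           naive_feature_enabled(BAD_TAG, 0),
           naive_feature_enabled(BAD_TAG, 1));
    printf("hardened: correct tag %d, glitch bypasses %d of 2 sites\n",
           hardened_feature_enabled(GOOD_TAG, 0),
           count_glitch_bypasses(hardened_feature_enabled, 2));
    return 0;
}
```

Under this one-fault model the naive gate is bypassed by a glitch at its only comparison, while the hardened gate survives a glitch at either of its two. The pattern is a mitigation, not a cure: an attacker who can land two precisely timed faults defeats it, which is why production firmware stacks further measures such as random timing jitter, brown-out detectors, and verifying a cryptographic signature rather than comparing a stored tag.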

As part of the move toward electric cars, most automakers are copying Silicon Valley’s playbook and making drivers pay monthly or yearly fees to unlock new features. Sometimes those features are fairly basic, like a remote starter; in other cases they’re more advanced, like autonomous parking assistance. Accessing them typically requires just a few taps on a car’s touchscreen or its related smartphone app, the same way you might subscribe to anything else online. It’s part of why the new generation of cars is often described as “smartphones on wheels”: Cars now offer various downloadable apps, automated driver assistance, and even integration with platforms such as Spotify and TikTok. But every feature that connects a car to the internet also widens its attack surface, opening the door to data theft, tampering, and other cybersecurity risks that simply did not exist on the roads until now.

Car hacking may call to mind action-movie-like scenes of millions of Teslas being remotely seized by terrorist groups and commanded to drive into hospitals. That’s thankfully far-fetched. The bigger risk is to personal and financial information related to various digital add-ons and connected features, which are essentially unavoidable with modern EVs—as is the requirement that you pay for them over time. Mercedes-Benz will unlock more horsepower for up to $90 a month, BMW lets its cars’ safety cameras record 40-second snapshots of video for $39 a year, and Ford’s BlueCruise hands-off driver-assist feature is now $75 a month. Many major automakers have big plans for this approach, if they don’t already offer them: Ford just made a big executive hire from Apple to grow future subscription revenue, while General Motors plans to offer more than 50 such features by 2026. And rather than conveniently listing these costs online, some automakers have you find out via the car’s infotainment system itself.

Understandably, these moves have not gone over well with the car-buying public. A BMW plan to charge $18 a month for heated seats (it’s always heated seats, somehow) in countries including the United Kingdom and Korea proved so unpopular that BMW just announced it will be dropping the idea entirely. The company still plans to offer subscriptions for software such as automated parking help, and Jay Hanson, a BMW spokesperson, told me that such subscriptions offer drivers a level of flexibility they’ve never had before. “A customer may choose to add a feature that was not specified when the vehicle was originally ordered,” he said, “or experiment with a feature by purchasing a short-term trial before committing to a purchase.”

There is another explanation for the pivot to subscriptions. Although subscription features aren’t exclusive to electric cars, they are inextricably tied to the EV revolution. Developing and building EV batteries is staggeringly expensive—less a “shift” and more a total reinvention of the industry costing hundreds of billions of dollars. And because EVs generally have far fewer mechanical components than gas cars, they require very little maintenance, meaning that car makers, suppliers, and dealers are poised to lose a significant amount of revenue made from selling parts for repairs. One Hyundai executive told me earlier this year that the company wants 30 percent of future profits to come from software, downloadable features, in-car entertainment, and other subscription features.

Nature finds a way, and so do hackers. Putting these features behind a paywall could encourage tampering from owners looking to get stuff for free, just as some smartphone owners jailbreak their devices. One of the German Tesla hackers, Christian Werling, told me in an email that he anticipates a rise in tactics like the ones they used. “I would be surprised if [other Tesla owners] didn’t adapt similar techniques to ours,” he said. Tesla did not respond to a request for comment, though Werling said that the team shared its data with Tesla, as is the norm for benevolent “white hat” hackers. “They did respond to our findings and were grateful for the heads-up,” he said.

But surely most EV owners aren’t going to bother jailbreaking their $50,000-plus car, even if they have the technical expertise to do so. The bigger threat, experts told me, is remote software hacks from malicious actors. Each time a car gets a new touchscreen app or subscription feature, it provides a potential way in for hackers who are after your credit-card information, personal data, and more. Let’s say you pay your car company $20 a month for something like those much-maligned heated seats, and this includes the ability to remotely warm them up on cold days through a smartphone app. An attacker who finds a security vulnerability in that app, or in the automaker’s servers it talks to, could log in to your account remotely. From there, they might be able to access the credit card you use to pay for those heated seats, or tamper with other functions on your car that are tied to the smartphone app. They might discover ways in from forums such as Reddit, the deep web, or even public vulnerability databases, and then try something that worked on one car against another brand. Or they might launch a distributed denial-of-service attack on one of the communication systems these digital car features depend on.

The potential risks are amplified because of the countless third-party companies that automakers rely on for hardware and software alike. The German researchers were able to jailbreak their Tesla because of a vulnerability in the processor that powers the car’s touchscreen, made by the company AMD. (The company did not respond to a request for comment.) Last year, the cybersecurity researcher Sam Curry and his colleagues found a way to unlock, start, and honk the horn of scores of Nissan, Honda, Infiniti, and Acura vehicles because they all used a common provider of internet-connected features, SiriusXM Connected Vehicle Services. Cars are an especially attractive target for hacks because of the massive amounts of personal and location data that they now collect. “Cars are the worst product category we have ever reviewed for privacy,” a recent report from the nonprofit Mozilla Foundation concluded. Depending on what exactly gets breached, a car hacker could see where your home or office is or where you go to spend your money, or even have a window into much more personal matters, such as whether you drove to an abortion clinic.

This is not to say that car hacking is now a daily fact of life with EV ownership. An Israeli cybersecurity and data-management company called Upstream, which monitors millions of cars across the world, reported that of 1,173 publicly reported car cyberattacks it examined since 2010, almost 23 percent happened in 2022, tracking with the rise of connected features in cars. Exactly how big a problem this might become remains unclear, though Vyas Sekar, a Carnegie Mellon professor who has studied car cyberattacks, told me a major concern is that the connectedness of modern cars also increases the “scalability” of threats. “If the attacker finds a weakness,” he said, “they can compromise a large number of connected cars simultaneously without much cost or effort.” Last year, a 19-year-old discovered a vulnerability in a popular third-party program that lets Tesla owners access their data, giving him access to dozens of Teslas worldwide. He was able to control the cars’ windows, doors, and horn, and even obtain the owners’ email addresses.

The threat of cyberattacks is not new for tech companies; it’s part of why your phone is always bugging you to upgrade its operating system. But now an industry that spent a century building gasoline engines has to be in the cybersecurity business too, and it’s not necessarily going well. Upstream’s VP of data, Shachar Azriel, told me that auto companies can take months to respond to vulnerabilities. “I worry the industry isn’t agile enough,” he said. “These companies don’t know how to move fast here.” I reached out to several car companies—including Tesla, Ford, Toyota, and BMW—to ask about their cybersecurity operations, and only BMW and Toyota would comment on the record. Even then, the carmakers shied away from specifics. Hanson, the BMW spokesperson, said the German automaker has an automotive-security division that works to prevent both hacking and jailbreaking. “This division uses all available, state-of-the art measures to ensure our digital products are guarded from external threats in the best possible way,” he said.

For individual drivers, security likely means making sure that your car’s software is up-to-date just as you would with your phone, or even being judicious about where and how you dole out credit-card information—something that doesn’t bode well for the multitude of apps required for EV charging. But most of us still think of our cars in terms of filling up gas, oil changes, and rotating tires, not data privacy. If the auto industry wants drivers to see cars as “smartphones on wheels”—and pay the same way—it’s got to be prepared for the worst. That, or we learn to just skip the heated seats.

Patrick George is the editor-in-chief of InsideEVs, where he covers the future of transportation. He is based in New York.