If that sounds frightening, Valasek says, it's time to imagine the possibility that tomorrow's hackers won't need a plug-in cable — and they could do more than give their victims a little scare. "There's a lot of wireless communications in the car, and I assume connected vehicles will add more wireless communications," he said. "The more ways to wirelessly communicate with something, the more attack surface there is. Added complexity many times gives an attacker more ways to attempt to get into a vehicle."
Attack surface is another way of describing the wireless entry points to a vehicle. Cars can use cellular networks to place calls or receive navigation. They use Wi-Fi to connect devices in the vehicle to the Internet. They link to phones with Bluetooth. Even their tires can send wireless signals to indicate low pressure.
Today's cars have upward of 100 microprocessors to sort this data and send signals throughout the vehicle. The problem comes when one of these signals is breached. A computer, by contrast, has safeguards to protect systems like disk storage if another area, such as a Web browser, is hacked. This is known as preventing "lateral movement."
"Cars aren't really there yet," Valasek said. "Many automobiles don't have a layered approach to security right now. They just assume somebody can't break in."¦ You want to segregate portions."
And while the internal workings of today's cars lack protection, the software of tomorrow's vehicles will add another challenge. With Android and CarPlay on the horizon — and most automakers on board — a whole generation of cars will soon hit the road en masse with virtually identical operating systems.
"The new operating systems will make the market less heterogeneous, which potentially is more dangerous," said Vicente Diaz, a security researcher at Kaspersky Lab. "Attackers will be more familiar with these systems."
Of course, hackers have already had years to practice breaking into those systems on mobile devices. "People have been hacking those operating systems for a long time," Valasek said. "It may give them a more familiar method to get in."
Another issue, Diaz warned, is that while phones tend to get replaced every few years, the longer lifespan of a car could make it increasingly vulnerable as time goes on.
Without further testing, it's hard to say just what a cybercriminal could do with a given hack. No one knows how hard it would be to wirelessly replicate Valasek's complete control of a car — or how many vehicles will suffer that vulnerability.
But other concerns could give car buyers pause. Hackers could steal a driver's location data or use Bluetooth to activate a phone's microphone and eavesdrop. Some remote unlock applications could even let hackers gain entry to a vehicle.
These violations won't necessarily happen because a hacker targets a specific car. In most cases, hackers will gain access to a user's online profile first, then wait for it to get linked to a vehicle. "[If] the app in your phone or your Web portal credentials get hacked, an attacker will have access to the data of your car," Diaz said. "They could see all the details of your car, even its location, and in some cases be able to unlock the doors. All this may start with a simple phishing message, so consumers should be aware of what this new ecosystem represents and the consequences."