The motor insurers’ automotive research centre is updating the New Vehicle Security Assessment (NVSA) programme, centred on securing cars against the growing threat presented by digital compromise.
Simultaneously, Thatcham Research has issued advice to drivers to help them combat digital car theft. Drivers, says the organisation, should:
- Understand the digital functions of their car: does it have a keyless entry system? If so, can the fob be switched off overnight? Speak to the dealer about software updates and whether new key fobs with added security are available.
- Store keys away from household entry points: a keyless fob should be stored as far into a home as is possible, hampering a criminal’s ability to detect and relay its signal.
- Make sure shielding devices work: Faraday pouches and containers will block the signal from a keyless entry fob – but test this to make sure it is effective.
- Be vigilant: choose well-lit areas to park in, observe that the car has locked correctly and report any suspicious behaviour to the police
The NVSA is the security standard against which all new cars are assessed as part of the insurance Group Rating and will be updated in 2019 giving carmakers the opportunity to bring in fresh measures.
The new criteria will be designed to shut down the keyless entry vulnerability, while anticipating other potential methods of digital and cyber-compromise.
Richard Billyeald, chief technical officer, Thatcham Research, said: “Car crime is on the increase, with intelligence suggesting that electronic compromise is a factor in as many as one in four vehicle thefts.
“In the 1990s, the NVSA effectively brought an end to a car crime epidemic by introducing alarms and double-locking door functions, amongst other measures. Initiated in 1992, a year which saw 620,000 car thefts, this approach was instrumental in driving theft levels down by 80% up to 2016.
“In the same way, collaborative and concerted action from Thatcham Research, carmakers, police and insurers will close the digital vulnerabilities exploited by today’s criminal gangs.”
Thatcham Research has identified vulnerabilities in on-board electronic systems and criteria covering those areas will be included in the new standards.
In addition, police authorities have drawn attention to the increase in ‘chop shops’ – illicit garages where cars are dismantled to be sold on the spare parts market – and therefore criteria related to parts identification will also be carefully reviewed.
Mr Billyeald continued: “CCTV footage of criminal gangs exploiting a vulnerability in keyless entry systems has been highly visible in recent months. However, we estimate that only 1% of cars on the road have this technology. Carmakers are already introducing keys with motion sensors which deactivate when stored, and new secure signal transmission technologies. In the short term, while these counter-measures come into the market, concerned drivers should contact their dealer to discuss the digital functionality of their cars.
“The online availability of tools which criminals can plug into vehicles to programme a false key is also a concern. We support recent calls from the police for closer regulation of the sale of these devices, which have no use outside of a licensed bodyshop or garage.”
Current digital theft technique highlighted by Thatcham Research are:
- The on-board diagnostic (OBD) port hack: The port gives licenced garages access to a car so that service fault lights can be reset, and a new key programmed if the owner requires one. Because of European Union fair-trading legislation, the OBD port must be easily accessible and uniform – allowing non-franchised garages to access using on-board diagnostic tools. The tools can be expensive – up to £5,000 – but kits which allow a blank key to be reprogrammed can cost as little as £50.
- The Relay Attack: This exploits a vulnerability in passive keyless entry systems, which allow drivers to open and start their cars without removing the key fob from their pocket. Usually operating in pairs, one criminal will hold a device up against the front wall or porch of a home, searching for a signal from the keyless fob. The device then relays the key’s signal to an accomplice, who is holding another device against the car door. The car is effectively fooled into believing that the owner is within a defined range – usually two metres – and is approaching the car with the key. The door opens, and the signal is relayed to the accomplice a second time, allowing the car to start. Once started the engine will not restart without the key present.
- Jamming: This relies on driver inattentiveness. A criminal will hide a signal blocking device in a residential street or car park – preventing the locking signal from standard remote fobs from reaching the car. The car thief will then return to the location and test all the car doors within range of the device. Once opened the car can be stolen using an OBD device or the car’s contents taken. Drivers can protect against this technique by observing for visual confirmation that their car has locked successfully – audible locking sound, flashing indicators or folding wing mirrors.