Your car can be held for ransom

Connected cars prove vulnerable to malware.

This story first aired in May 2016.

Today's connected cars are loaded with software and are internet-connected.

They're also proving vulnerable to malware, including so-called "ransomware," where a car is disabled by malicious code until a ransom is paid.

Before I just stole your car if I wanted a car, now I'm going to steal your car if I want all your payment information.

Ransomware has been in the news a lot the last few years, mostly for high profile cases involving large institutions.

For example, a Los Angeles hospital had to pay $17,000 US in Bitcoins so that hackers who had disabled their computer system would give the hospital the decryption key.

Kirsten Thompson is a partner in the National Technology Group at the law firm, McCarthy Tétrault.

Kirsten Thompson
Recently, she's come across cases of ransomware being installed via the USB port on connected cars.

One way this happens is through an innocuous visit to the mechanic.

"The mechanic plugs something into the USB port and runs a diagnostic," or the mechanic may simply be trying to install software updates, Thompson explains.

"If I'm a bad guy, I can drop or send a USB that looks like it's come from the manufacturer. So the mechanic…sticks it into the USB port and malware is installed."

"The malware will actually…"brick" a car, it will shut it down," Thompson adds, "and then a message appears saying 'if you pay us the money, we'll release the car'."

She has even come across a case of an entire fleet of vehicles disabled by ransomware.

The USB port is not the only source of the problem.

"Cars are now becoming Wi-Fi enabled, which means lots of interesting things can get pushed to you," she adds.

"Software updates can be pushed over the air now…and that's another way to infect a car with malware."

Thompson points out that exposure to malware is likely to be a significant risk in the future, especially as cars themselves become convenient payment mechanisms.

"I press a button and my car makes the payment. I've already loaded my debit or credit card on there," Thompson says.

"Vehicles are now becoming point of sale devices, and a lot of the big malicious malware hacks in the past couple of years have been at point of sale devices…and that's one of the basic ways of installing malware."

That would make connected cars vulnerable not only to ransomware, but also theft of sensitive data.

"Before I just stole your car if I wanted a car, she says, "Now I'm going to steal your car if I want all your payment information."


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?