False Alarm: The Truth About Automotive Security

A couple of months ago, Autoblog revealed that you could open a locked Mazda3 by smacking the door panel. Shortly afterwards, they posted a video demonstrating how to unlock a car using a tennis ball. Car owners and manufacturers greeted the revelation with indignant outrage. How dare these “anyone with a keyboard” communicators tell the whole wide world how to commit an illegal act? Clearly, the automotive community hasn’t grasped the lessons learned by the computer security industry.

In the billion dollar world of computer software, whether or not to disclose a potential security hazard is a genuine dilemma. On one hand, software developers don’t want nefarious forces to know that their product is vulnerable to attack. The law (i.e. the DMCA) is on their side, and they’re not afraid to use it. On the other hand, users have a compelling desire to know if they’ve bought a product that may endanger their intellectual property.

Thankfully, the users’ needs usually prevail. In this day and age, keeping a computer security story under wraps is more difficult than hiding a new Subaru Impreza from the press’ prying eyes. Inevitably, word gets out, warnings are sent, breaches repaired.

Unfortunately, the same pattern does NOT apply to vehicular vulnerability. Security issues are suppressed, the press isn’t bothered and automakers keep their distance from both problem and patch.

And so Mazda3 owners who learned about the door trick via the web were understandably irked. While it’s easy to focus on the anger they felt towards the messenger, the deeper and more important antagonism fell upon Mazda’s head. Why did the Ford subsidiary design such an easily defeated locking mechanism? When did they know it was game, set and match criminal, and why didn’t they do anything about it? What ARE they doing about it?

As is the way of such things, Mazda3 owners will eventually get over this entire incident. They’ll quickly learn to manage the “additional” (if only perceived) risk by changing their behavior (e.g. altering their parking geography) or adding defensive technology (e.g. upgrading their security system). Either that or they’ll do nothing and continue to take their chances, feeling slightly less secure. Until they don’t.

From a corporate PR POV, Mazda played it exactly wrong. The automaker failed to capitalize on their customers’ brand loyalty by quickly acknowledging the problem. To their credit, when they did put their hands up, Mazda also admitted that other of their vehicles may be susceptible to the same technique. But they refused to name names, ostensibly “protecting” the very consumers their slipshod door design had left vulnerable.

Vehicles from various manufacturers are prone to the same door lock weakness. But that doesn’t excuse Mazda’s piss-poor crisis management. Mazda violated the three rules of news containment: speed, honesty and transparency. They should have immediately admitted the door lock problem and honestly addressed its ramifications. Which are, in fact, none.

The majority of automotive alarm systems are nothing more than what security guru Bruce Schneier calls “security theater.” All those plips and beeps and flashing headlights may make owners feel better about leaving their car behind, but they do little to decrease the actuall odds that the vehicle will be violated. Immobilizers? Random key codes? High tech gadgetry be damned. Anyone with the motive, means and opportunity can pwn your car just as quickly and easily as a hacker can pwn your Windows server.

Car security companies like Crutchfield promise “When the bad guys see you have a security system, they'll most likely move on to an easier target.” But there’s precious little statistical science behind the claim. Common sense suggests there are far more important variables in play: the aforementioned spoils on display, whether or not your car is being stolen to order (for a chop shop or export), the likelihood of a rapid counter response, etc.

Whether a thief has to rap your door with his fist or hurl a brick through your window simply isn’t a mission critical issue– for them. Truth be told, most owners would prefer the former.

Car manufacturers know that the modern car alarm is little more than a psychological security blanket. But they’re happy to perpetuate the illusion of impregnability, rather than add genuine security (which would require some serious usability and affordability trade-offs). The now ubiquitous car alarm is an important sales-oriented gimme: a cheap way to convince the buyer that the manufacturer cares about protecting the customer’s property rights. And it makes the car seem more valuable.

When Autoblog pulled back the veil, telling the world that thieves had discovered a new way to break into Mazda3 owners’ cherished whip, the likelihood that a crime would be committed didn’t alter. The information simply reminded Mazda3 owners that if they leave a handbag or briefcase in their backseat overnight, they’ll probably be filing an insurance claim in the morning.