In the next article in our 50th Anniversary Driving Change series, Adrian Holliday interviews our chief technical officer, Richard Billyeald, on the ongoing battle to close down car security loopholes faster than thieves can exploit them…
Billyeald demonstrates the Relay Attack theft method for BBC Crimewatch
Back in the 1980s the most common security deterrent was the steering wheel lock, a notoriously unreliable mechanism vulnerable to physical attack. Electronic protection such as transponders or immobilisers? Forget it. Even car alarms were thin on the ground. No wonder car crime – around 592,000 reported UK thefts a year in 1992 – was rampant.
“Cars,” points out Richard Billyeald, Thatcham Research’s chief technical officer, “were becoming more desirable at that time. Much of it was opportunistic crime. Too often their security was non-existent.”
Yet fast-forward to 2014 and car theft had been slashed to 70,053 a year, according to the Office of National Statistics. A staggering 88% reduction. How to explain it? Enter Thatcham Research’s New Vehicle Security Assessment (NVSA) program.
Risk profile power
Pioneered in the 1990s the NVSA took a ‘whole vehicle’ approach based on a point-scoring system, which then fed into an insurance rating. “We spurred the debate and the response,” Billyeald goes on, “in the same way we do now: creating an insurance framework for a security assessment. It’s about guidance. How do you make a car secure? What do insurers want to see?”
It’s also about influence. What the NVSA niftily managed to do was amplify the importance of car insurance group ratings – contrasting, comparing and, most importantly, clarifying – to consumers in a simple, easy-to-grasp way. No manufacturer wants their vehicles judged higher risk than a competitor.
As information sharing ballooned, so has public safety and security awareness. Particularly around keyless technology. Poorly integrated, criminals can hack keyless tech and steal a car within seconds (see box-out).
To tackle this, Thatcham Research recently launched a separate Consumer Security Rating (CSR) system to help the public evaluate theft risk. Vehicles rewarded with a Superior CSR rating in 2019 includes the Audi e-tron, Jaguar XE, Mercedes B-Class and Porsche Macan. To date, nine vehicles have been down-rated to ‘Poor’ having failed ‘relay attack’ testing. ‘Superior’ ratings for all-round security and for having a fix to the keyless vulnerability in place have been awarded to 14 cars.
The good news is that most car makers, in part due to public awareness generated by the CSR around keyless tech weakness, are addressing fixes. “We’re seeing solutions applied to some new cars,” says Billyeald. “Now let’s see them applied to all.”
Wargaming the enemy
Billyeald cautions that many car manufacturers, even in a dramatically different digital landscape, fail to meaningfully plan ahead. At least compared to some car thieves. So the NVSA, on its sixth iteration and now a respected global standard, keeps the pressure up.
“Unlike safety, which is often improved incrementally, with security you’ve always got someone working against you,” Billyeald explains. “If you close a loophole, you make it more secure. Then you have someone else trying to exploit the next vulnerability. As long as criminals can make money out of it, they will.”
Car crime meanwhile has increasingly switched from opportunistic theft to organised gangs – there’s thought to be around 4,600 in the UK – stealing cars or car parts to order. The ‘want’ list can be highly à la carte.
If the shift from physical to electronic vulnerability is profound, then the financial liability shouldered by insurers is just as marked. High tech claims don’t come cheap. Which means on-going conversations with government and the police – getting the right people in a room together to talk and share information.
Looking ahead, Bluetooth and mobile ‘phone development will likely support car security in future predicts Billyeald. “If there’s one thing that everyone carries on them these days it’s a mobile ‘phone. The Telsa Model 3 has a system where you can register your phone to your car and your ‘phone effectively becomes the ‘key’. I’d say there’s a big appetite for that kind of technology.”
There’s no point resisting technology, or favouring one protocol over another says the Thatcham Research technical chief. “That’s not our job. If we resist it we will get nowhere. It’s about how we enable the technology so it can be implemented securely – and also how we help car manufacturers get to that place.”
Complex, cutting edge tech introduces even more potential for costly repairs Billyeald acknowledges. Yet few other organisations scrutinise this area in-depth. Or partner with car makers to achieve internationally accepted standards. “While cars right across the world are much more secure, it’s only Thatcham Research that provides the detailed security assessment.”
By Adrian Holliday
Richard Billyeald, chief technical officer, Thatcham Research