SoylentNews

janrinok [soylentnews.org] writes:

https://www.theregister.com/2025/12/09/porsche_bricked_russia/ [theregister.com]

Hundreds of Porsches in Russia were rendered immobile last week, raising speculation of a hack, but the German carmaker tells The Register that its vehicles are secure.

According to reports, local dealership chain Rolf traced the problem to a loss of satellite connectivity to their Vehicle Tracking Systems (VTS). This meant the systems thought a theft attempt was in progress, triggering the vehicle's engine immobilizer.

Porsche HQ was unable to help or diagnose the nature of the problem. It's understood that systems like VTS are operated by local Porsche subsidiaries or dealer networks.

But following Russia's invasion of Ukraine and the imposition of sanctions, Porsche no longer exports to the country or provides after-sales service.

In a statement to The Register, a Porsche spokesperson said no other markets were affected by the issue.

"The cybersecurity of our vehicles is a central concern for Porsche," the spokesperson told us. "Protection against cybersecurity attacks is ensured by comprehensive security processes and technical measures over the entire life cycle of our vehicles. The measures include, among other things, secure software updates, protected communication channels, and regular security tests for the early detection of suspicious activity," they added.

Resourceful Russian owners have reportedly resorted to workarounds to overcome the problem, including disabling or rebooting the VTS, or removing it entirely.

Others have claimed that disconnecting their car's batteries for ten hours does the trick. These have worked in some but not all cases, apparently.

The issue sparked speculation of a cyberattack, but security and privacy experts we spoke with were dubious.

Cian Heasley, principal consultant at Acumen Cyber, said the wave of shutdowns could be well within the capabilities of a hacktivist group, but said there had been no chatter indicating this was the case.

"If this were a coordinated cyberattack, I would have expected one of the larger pro-Ukraine groups to have claimed this attack by now and posted some sort of evidence, similar to what we saw when Russian airline Aeroflot was attacked in July of this year."

Rik Ferguson, VP Security Intelligence at Forescout, said: "Modern immobilizers don't react only to what happens around the vehicle, they depend on a constant 'trust heartbeat' signal from cloud or satellite backends. From the outside, a deliberate hack and an intentional backend shutdown can look almost identical: the tracking service disappears, the car interprets that as theft, and the immobilizer kicks in."

High-end vehicles rely on a long tail of services outside the owner's control, Ferguson said, spanning the cloud, satellite operators, and regional partners.

"Sanctions, contract disputes, misconfigurations, or attackers can all break that chain, and when they do, a six-figure car is suddenly just a very expensive ornament."

Bugcrowd CSO Trey Ford added: "It sounds like the system design has a fail-safe where if there is a loss of satellite service (platform issues, military, etc.) can lead to a lockout of the vehicle to help mitigate theft – which makes sense."

Otherwise, a criminal could create a Faraday cage to block the antenna and prevent tracking.

He continued: "It also stands to reason that a platform with the ability to lock down vehicles could inadvertently do that." This could be down to an engineering issue, failed update, a database problem, "or something as trivial as a service plan accounting error impacting satellite communication services."

The issue highlights broader concerns around connected vehicles.

Chris Hauk, consumer privacy advocate at Pixel Privacy, said engine kill systems were pushed as an anti-theft device. But "the technology could also be used by hackers to cause havoc and could also be used by totalitarian governments to shut down vehicles belonging to 'enemies of the state.'"

Paul Bischoff, consumer privacy advocate at Comparitech, added: "Any feature that requires a network connection should not affect the basic functionality of the vehicle."

"Besides remote hacks, drivers also have to worry about privacy. Newer cars collect and share a lot of information about their users, often without explicit informed consent."

It's worth noting that most Russian Porsche owners were probably not stranded without wheels, as no other brands have been affected – Russia's elite are also enthusiastic fans of Bentleys, Aston Martins, and other luxury marques.

Original Submission