Russian Porsches Have Stopped Working, Digital Security Vulnerabilities Faulted

Hundreds of Porsche models sold in Russia have mysteriously shut down. Reports from within the country, backed by countless angry posts online, have claimed that the vehicles now refuse to start. Speculation abounds as to whether this was the result of a coordinated cyber attack or simply an egregious mistake. But one thing is for certain, despite assurances to the contrary, connected cars remain shockingly vulnerable.

Based upon reporting from The Moscow Times, which ironically is based in Amsterdam, the issue stems from the Porsche Vehicle Tracking System. It’s effectively an onboard anti-theft feature that’s supposed to function akin to something like General Motors’ OnStar. While the system’s function varies based on the age of the car, it typically includes satellite-based vehicle tracking and some form of immobilizer that’s tied to a card or mobile device possessed by the vehicle’s owner.

The manufacturer pitches it as “an additional layer of security and peace of mind.” But that’s not likely much of a consolation to Russian Porsche owners that now have extravagantly priced paperweights sitting outside their homes.

Things apparently kicked off on Friday, as Russian dealerships experienced a deluge of service requests that all pertained to vehicles being unable to start. The cars had apparently lost connection to the security network.

The outage affects all Porsche models and engine types, and any vehicle could potentially lock itself automatically, a representative from Russia’s largest dealer network, Rolf, told RBC News.

From The Moscow Times:

Owners’ groups say the problem appears tied to the Vehicle Tracking System, or VTS, which is an onboard security module.

The Russian Porsche Macan Club said some drivers had restored function by disabling or rebooting the VTS, while others reported success after disconnecting their car batteries for up to 10 hours, according to the Telegram channel Mash.

Rolf said specialists were still investigating the root cause of the problem. Porsche’s office in Russia and its global headquarters in Germany have not yet commented on the system failure.

Porsche halted deliveries and suspended its commercial operations in Russia after the full-scale invasion of Ukraine in February 2022. However, the company still retains ownership of three subsidiaries in the country, which it has so far been unable to sell.

This has led to claims that the shutdown was part of an intentional cyber attack. But it’s not clear if that’s actually the case. Even if it is, we likewise don’t know if Porsche’s network was targeted or just happened to get caught up in the storm.

Impacted cars include basically everything that had the Vehicle Tracking System, which can accommodate just about any Porsche model built since roughly 2013. However, there have been claims that older models equipped with the system have experienced lost features and odd behavior. We’ve also seen isolated claims made that some cars had shut themselves down while being driven.

Solutions to the problem have varied and those seeing the most success involve disconnecting the car from the network and removing VST. Some have claimed that disconnecting the battery for the better part of a day can also work as a temporary remedy. However, there is no formal fix for the issue as of the time of this writing. Russian dealers say they’re doing what they can while launching into conjecture about what caused the issue in the first place.

Theories about Western involvement look to be quite popular and are often supported by Russian-language media reports. This has also led to concerns that vehicles could be remotely hacked and forced to crash. Despite there being no official instances of this happening, hackers proved that it was theoretically possible over a decade ago. Thanks to the “Vault 7” Wikileaks published in 2017, likewise know that the United States’ Central Intelligence Agency (CIA) had a program designed to identify vulnerabilities in connected vehicles so they could be remotely hacked to create widespread chaos or conduct nearly undetectable assassinations.

It’s highly plausible that the CIA was not the only agency conducting such research. Meanwhile, Porsche and Volkswagen Group have said they’ll be launching an investigation into the matter.

Whether this was an issue with the relevant satellites or a premeditated cyber attack, it’s another example of how vulnerable connected cars happen to be. While the Lada Riva Classic (or VAZ-2105) isn’t known for being a stellar automobile, Russia also isn’t having any issue with those because the models being built in 2013 weren’t much different from the ones being built in 1980. With no satellite to connect to and no modem to speak of, it becomes impossible to exploit a vulnerability that doesn’t exist.

Sadly, the situation in Russia is another case of real-world events undermining manufacturer assurances that today’s connected cars are totally secure. Despite this being an issue exclusive to Russian Porsches, the company owes the world an explanation as to what exactly happened. Are we seeing fifth-generation warfare or simply the relevant connected systems going on the fritz?

[Images: Porsche; aapsky/Shutterstock; bigwa11/Shutterstock]

Become a TTAC insider. Get the latest news, features, TTAC takes, and everything else that gets to the truth about cars first by  subscribing to our newsletter.