Automotive

Automobile computer systems successfully hacked

Automobile computer systems su...
Researchers have managed to hack into vehicle computer systems and remotely take control of a car on the move
Researchers have managed to hack into vehicle computer systems and remotely take control of a car on the move
View 3 Images
The specially developed CarShark CAN sniffer sofftware
1/3
The specially developed CarShark CAN sniffer sofftware
Taking control of key systems whilst on the move
2/3
Taking control of key systems whilst on the move
Researchers have managed to hack into vehicle computer systems and remotely take control of a car on the move
3/3
Researchers have managed to hack into vehicle computer systems and remotely take control of a car on the move
View gallery - 3 images

The alarming number of safety recalls appearing in headlines of late is worrying enough. Now researchers have shown that it's possible to take away driver control of a moving vehicle by remotely hacking into relatively insecure computer systems common in modern automobiles. The team managed to break into key vehicle systems to kill the engine, apply or disable the brakes and even send cheeky messages to radio or dashboard displays.

Many of the safety, efficiency and performance improvements seen in today's automobiles have been achieved with the help of the numerous computerized systems monitoring and controlling various aspects of what makes up a modern car. According to an article in IEEE Spectrum last year, an "S-class Mercedes-Benz requires over 20 million lines of code alone" and "contains nearly as many ECUs as the new Airbus A380 (excluding the plane’s in-flight entertainment system)." The author notes that cars will soon "require 200 million to 300 million lines of software code."

The search for security holes

With the vast majority of registered cars in the U.S. having key components controlled by computer technology and completely autonomous vehicles currently in development, a couple of research teams from the Computer Science and Engineering departments of the University of Washington and the University of California San Diego decided to fill a gap in automotive security research and look at whether such systems were vulnerable to the kind of attacks which have plagued Internet-connected computers for years.

Coming together as the Center for Automotive Embedded Systems Security, the Washington team led by Professor Tadayoshi Kohno and the San Diego team led by Professor Stefan Savage first bought a couple of 2009 test cars containing "a large number of electronically-controlled components and a sophisticated telematics system."

Direct access to internal systems was achieved by connecting a laptop to the on-board diagnostics port, which is now mandatory in the United States and "provides direct and standard access to internal automotive networks." Attached to these networks are all sorts of sensors, diagnostics and wireless systems - many of which can be directly upgraded by a user - which could be used to attack or control automotive subsystems.

The research team then developed Controller Area Network (CAN) protocol sniffing software to locate, observe, monitor and subsequently take advantage of security weaknesses to bypass rudimentary protection within the car and take over aspects of control from the driver. Perhaps more worryingly, they also managed to plant malicious code which would completely erase its tracks after any crash.

The specially developed CarShark CAN sniffer sofftware
The specially developed CarShark CAN sniffer sofftware

Systems failure

For the actual experiments, components were stripped out and bench tested under laboratory conditions, in a stationary vehicle and with live road tests on a closed track. The team managed to bring a wide range of systems under external control, from the engine to brakes to locks to the instrument panel to (the first to fall) the radio and its display. The attackers posted messages, initiated annoying sounds and even left the driver powerless to control radio volume.

The Instrument Panel Cluster/Driver Information Center faired no better, as well as cheeky messages, the team altered the fuel gauge and speedometer readings, adjusted panel illumination and in one experiment, a 60-second countdown clock was displayed on the dashboard. When time ran out, the engine died and the door locks engaged. Subsequent hacks took over the Engine Control Module which lead to uncontrollable engine revving, readout errors and complete disabling of the engine.

Taking control of key systems whilst on the move
Taking control of key systems whilst on the move

As if the spirit of John Carpenter's "Christine" was alive and well, the team was also able to "lock and unlock the doors; jam the door locks by continually activating the lock relay; pop the trunk; adjust interior and exterior lighting levels; honk the horn (indefinitely and at varying frequencies); disable and enable the window relays; disable and enable the windshield wipers; continuously shoot windshield fluid; and disable the key lock relay to lock the key in the ignition."

Even the Electronic Brake Control Module was no match for the onslaught, with both individual and sets of brakes locked up at a whim. Equally worrying, the researchers were also able to completely disengage the brakes "even with car’s wheels spinning at 40 MPH while on jack stands" in the lab and then out on the test track (a de-commissioned airport runway) "forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly." The track test car had a laptop connected to the CAN bus via the OBD-II port which allowed a chase vehicle's laptop to wirelessly control in-car systems.

Open to attack

The research team concluded by saying that they "have endeavored to comprehensively assess how much resilience a conventional automobile has against a digital attack mounted against its internal components. Our findings suggest that, unfortunately, the answer is 'little'."

The team had "expected to spend significant effort reverse-engineering, with non-trivial effort to identify and exploit each subtle vulnerability. However, we found existing automotive systems - at least those we tested - to be tremendously fragile. Indeed, our simple fuzzing infrastructure was very effective and to our surprise, a large fraction of the random packets we sent resulted in changes to the state of our car."

As more manufacturers announce intentions to open up vehicle-to-vehicle and vehicle-to-infrastructure communications networks to third party development, the potential attack window could open even further. It is hoped that after the research paper, entitled "Experimental Security Analysis of a Modern Automobile", is presented at the IEEE Symposium on Security and Privacy in Oakland that manufacturers will take measures to tighten automotive system security.

View gallery - 3 images
16 comments
marshall91t
This is one of the main reasons a computer controlled car is a BAD idea, imagine having total control of your car taken away from you because somone has hacked into the systems...the results could be catastrophic...
r4990
This is a scare story for the technically uninitiated. In order to \"Hack\" an automotive system you have to have physical access. That means you have to be in the car with your computer hooked up to the diagnostic port. While some prankster could break into your car and wreck the ecu programming, it isn\'t going to happen as you are driving down the street as many would assume from the headline. The first key to computer security is controlling physical access. No system, regardless of how it is configured is safe if the hacker can gain physical access to the computer.
So don\'t worry, your Honda is safe.
cwolf88
I\'m confused. The lead paragraph suggests that they can control a car remotely, implying they can do that to any car at will.
The article states they modified the car to accomplish this. \"The track test car had a laptop connected to the CAN bus via the OBD-II port which allowed a chase vehicle\'s laptop to wirelessly control in-car systems.\"
Sort of like breaking into a house, rewiring the security system, then claiming you can control any house\'s security system. Or network.
windykites
This looks like a traffic cop\'s dream. Also how long before the government is able to track everybody\'s movements?
Ed
John Carpenter\'s \"Christine\" Uh, it was Stephen King\'s, Christine!
This is most telling: \"a large fraction of the random packets we sent resulted in changes to the state of our car.\"
Makes you say Hmmmmm.
Facebook User
There already are small diagnostic devices that plug onto the OBD-II connector in a car and wirelessly transmit data by Bluetooth radio.
Not such a leap from there for hackers to build a similar device able to receive commands and take control of various functions of today\'s over-computerized cars.
Physical access to the interior of the vehicle would be required to install the device, which would only take a few seconds. The connector is supposed to be located within a foot of the center of the dash, on the driver\'s side. Some cars (mostly Chryslers) ignore the location rule and put the connector out next to the door.
In any case the connector is often tucked underneath the bottom of the dash, often with a removable panel to conceal it. Those wireless diagnostic devices are small enough to for most of the cover panels to be installed over them.
A driver would have to know where the OBD II connector is located then get down low and look for it to see if there\'s anything plugged in. Not something you could notice just getting in a car normally, especially on newer models. Some earlier ones, where adherence to the plug location rules was less lax, the connector could be seen peeking out at the bottom edge of the dash.
So if you\'re paranoid and drive a car with lots of computer controlled functions, find out where the diagnostic plug is and check to make sure nothing is plugged into it.
\'Course the really determined assassins will hide their remote control hack by splicing into the wires behind the diagnostic plug... ;) But the simple \"plug and hax0r\" module would be easy to remove undetected at the scene of a crash where a hard wired version would be rather obvious to any investigator looking for such.
But in any case what is NOT possible (yet) is remote control of all functions as seen in movies like \"After the Sunset\", because the two way wireless communication and other required hardware is not built into any production vehicle.
Facebook User
@r4990: Oh, I don\'t know. A hacker gaining access to a computer with a 512-bit encrypted Raid 0 1 array seems like it would still be very secure without the decryption algorithm if it was to say, be stored on a USB drive.
ömer Koman
this hacking not fully true. obdii protocols very changes car by car. can bus systems only listeening solution and car configuration not simply.
Will, the tink
We are OWN ur systems! Now I wonder if Toyota was sabotaged for profit? OK, here goes another conspiracy theory!
Will, the tink
Hey r4990! You don\'t have to have physical access. Ever heard of \"Onstar\"??