The alarming number of safety recalls appearing in headlines of late is worrying enough. Now researchers have shown that it's possible to take away driver control of a moving vehicle by remotely hacking into relatively insecure computer systems common in modern automobiles. The team managed to break into key vehicle systems to kill the engine, apply or disable the brakes and even send cheeky messages to radio or dashboard displays.
Many of the safety, efficiency and performance improvements seen in today's automobiles have been achieved with the help of the numerous computerized systems monitoring and controlling various aspects of what makes up a modern car. According to an article in IEEE Spectrum last year, an "S-class Mercedes-Benz requires over 20 million lines of code alone" and "contains nearly as many ECUs as the new Airbus A380 (excluding the plane’s in-flight entertainment system)." The author notes that cars will soon "require 200 million to 300 million lines of software code."
The search for security holes
With the vast majority of registered cars in the U.S. having key components controlled by computer technology and completely autonomous vehicles currently in development, a couple of research teams from the Computer Science and Engineering departments of the University of Washington and the University of California San Diego decided to fill a gap in automotive security research and look at whether such systems were vulnerable to the kind of attacks which have plagued Internet-connected computers for years.
Coming together as the Center for Automotive Embedded Systems Security, the Washington team led by Professor Tadayoshi Kohno and the San Diego team led by Professor Stefan Savage first bought a couple of 2009 test cars containing "a large number of electronically-controlled components and a sophisticated telematics system."
Direct access to internal systems was achieved by connecting a laptop to the on-board diagnostics port, which is now mandatory in the United States and "provides direct and standard access to internal automotive networks." Attached to these networks are all sorts of sensors, diagnostics and wireless systems - many of which can be directly upgraded by a user - which could be used to attack or control automotive subsystems.
The research team then developed Controller Area Network (CAN) protocol sniffing software to locate, observe, monitor and subsequently take advantage of security weaknesses to bypass rudimentary protection within the car and take over aspects of control from the driver. Perhaps more worryingly, they also managed to plant malicious code which would completely erase its tracks after any crash.
Systems failure
For the actual experiments, components were stripped out and bench tested under laboratory conditions, in a stationary vehicle and with live road tests on a closed track. The team managed to bring a wide range of systems under external control, from the engine to brakes to locks to the instrument panel to (the first to fall) the radio and its display. The attackers posted messages, initiated annoying sounds and even left the driver powerless to control radio volume.
The Instrument Panel Cluster/Driver Information Center fared no better. As well as displaying cheeky messages, the team altered the fuel gauge and speedometer readings, adjusted panel illumination and, in one experiment, displayed a 60-second countdown clock on the dashboard. When time ran out, the engine died and the door locks engaged. Subsequent hacks took over the Engine Control Module, which led to uncontrollable engine revving, readout errors and complete disabling of the engine.
As if the spirit of John Carpenter's "Christine" was alive and well, the team was also able to "lock and unlock the doors; jam the door locks by continually activating the lock relay; pop the trunk; adjust interior and exterior lighting levels; honk the horn (indefinitely and at varying frequencies); disable and enable the window relays; disable and enable the windshield wipers; continuously shoot windshield fluid; and disable the key lock relay to lock the key in the ignition."
Even the Electronic Brake Control Module was no match for the onslaught, with both individual and sets of brakes locked up at a whim. Equally worrying, the researchers were also able to completely disengage the brakes "even with car’s wheels spinning at 40 MPH while on jack stands" in the lab and then out on the test track (a de-commissioned airport runway) "forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly." The track test car had a laptop connected to the CAN bus via the OBD-II port which allowed a chase vehicle's laptop to wirelessly control in-car systems.
Open to attack
The research team concluded by saying that they "have endeavored to comprehensively assess how much resilience a conventional automobile has against a digital attack mounted against its internal components. Our findings suggest that, unfortunately, the answer is 'little'."
The team had "expected to spend significant effort reverse-engineering, with non-trivial effort to identify and exploit each subtle vulnerability. However, we found existing automotive systems - at least those we tested - to be tremendously fragile. Indeed, our simple fuzzing infrastructure was very effective and to our surprise, a large fraction of the random packets we sent resulted in changes to the state of our car."
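As an added illustration (not code from the article or from the research paper), here is a passive monitor that would notice the kind of random-packet traffic described above: it learns which arbitration IDs and payload lengths appear in known-good traffic, then flags moments when too many recent frames fall outside that baseline. It assumes logs in the Linux can-utils `candump -L` text format; the IDs, payloads and thresholds are constructed for the example.

```python
import re
from collections import deque

# candump -L style line: "(timestamp) interface ID#HEXDATA" (classic CAN, <= 8 bytes)
LINE = re.compile(r"^\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse(line):
    """Return (timestamp, arbitration_id, payload) or None if the line is malformed."""
    m = LINE.match(line.strip())
    if not m or len(m.group(3)) % 2 or len(m.group(3)) > 16:
        return None
    return float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def learn_baseline(lines):
    """Map each ID seen in known-good traffic to the payload lengths it used."""
    seen = {}
    for _, can_id, data in filter(None, map(parse, lines)):
        seen.setdefault(can_id, set()).add(len(data))
    return seen

def detect(lines, baseline, window=1.0, max_unknown=0.2, min_frames=5):
    """Return (timestamp, off_baseline, total) for each frame at which the
    trailing window holds more than max_unknown off-baseline frames."""
    recent, alerts = deque(), []
    for ts, can_id, data in filter(None, map(parse, lines)):
        off = len(data) not in baseline.get(can_id, ())
        recent.append((ts, off))
        while ts - recent[0][0] > window:
            recent.popleft()
        bad = sum(o for _, o in recent)
        if len(recent) >= min_frames and bad / len(recent) > max_unknown:
            alerts.append((ts, bad, len(recent)))
    return alerts

# Constructed sample captures (IDs and payloads are made up for illustration).
KNOWN_GOOD = """(100.000000) can0 0C9#0011223344556677
(100.010000) can0 1F1#AABB
(100.020000) can0 3E9#00000000""".splitlines()

LIVE = """(200.000000) can0 0C9#0011223344556677
(200.010000) can0 1F1#AABB
(200.020000) can0 3E9#00000000
(200.030000) can0 0C9#0011223344556699
(200.040000) can0 1F1#AABD
(200.050000) can0 5A3#DEADBEEF
(200.060000) can0 0C9#01
(200.070000) can0 7B2#1122334455
(200.080000) can0 3E9#00000001""".splitlines()

if __name__ == "__main__":
    for alert in detect(LIVE, learn_baseline(KNOWN_GOOD)):
        print("off-baseline burst at t=%.2f: %d of %d frames" % alert)
```

A known ID carrying an unexpected payload length (the `0C9#01` frame) counts as off-baseline too, since random traffic will sometimes land on a legitimate ID.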
As more manufacturers announce intentions to open up vehicle-to-vehicle and vehicle-to-infrastructure communications networks to third party development, the potential attack window could open even further. It is hoped that, after the research paper, entitled "Experimental Security Analysis of a Modern Automobile", is presented at the IEEE Symposium on Security and Privacy in Oakland, manufacturers will take measures to tighten automotive system security.
So don't worry, your Honda is safe.
The article states they modified the car to accomplish this. "The track test car had a laptop connected to the CAN bus via the OBD-II port which allowed a chase vehicle's laptop to wirelessly control in-car systems."
Sort of like breaking into a house, rewiring the security system, then claiming you can control any house's security system. Or network.
This is most telling: "a large fraction of the random packets we sent resulted in changes to the state of our car."
Makes you say Hmmmmm.
Not such a leap from there for hackers to build a similar device able to receive commands and take control of various functions of today's over-computerized cars.
Physical access to the interior of the vehicle would be required to install the device, which would only take a few seconds. The connector is supposed to be located within a foot of the center of the dash, on the driver's side. Some cars (mostly Chryslers) ignore the location rule and put the connector out next to the door.
In any case the connector is often tucked underneath the bottom of the dash, often with a removable panel to conceal it. Those wireless diagnostic devices are small enough for most of the cover panels to be installed over them.
A driver would have to know where the OBD II connector is located then get down low and look for it to see if there's anything plugged in. Not something you could notice just getting in a car normally, especially on newer models. Some earlier ones, where adherence to the plug location rules was less lax, the connector could be seen peeking out at the bottom edge of the dash.
So if you're paranoid and drive a car with lots of computer controlled functions, find out where the diagnostic plug is and check to make sure nothing is plugged into it.
'Course the really determined assassins will hide their remote control hack by splicing into the wires behind the diagnostic plug... ;) But the simple "plug and hax0r" module would be easy to remove undetected at the scene of a crash where a hard wired version would be rather obvious to any investigator looking for such.
But in any case what is NOT possible (yet) is remote control of all functions as seen in movies like "After the Sunset", because the two way wireless communication and other required hardware is not built into any production vehicle.