Imagine driving along the freeway, quietly minding your own business. Suddenly, the engine revs increase dramatically and the car starts accelerating on its own. You take your foot off the accelerator, but it still continues to increase in speed. You tap the brake, but that has no effect, as if the brake pedal has been de-activated. The steering starts to veer from left to right all of its own accord, first gradually then violently. To add to the confusion, the headlights flash on and off, the radio plays at full volume, and the driver-side airbag deploys. Thinking quickly, you move the gearshift into neutral, but this makes no difference. At this point you are no longer in control of the vehicle, but are a mere passenger in a remote-controlled drone.
The consequences of having your car hacked can be considerably more dangerous than having your PC or mobile hacked.
As the functions of the automobile are increasingly software controlled and increasingly connected to the internet, the threat of car hacking grows. A luxury vehicle now has 100 MB of code spread across 50 to 70 computing devices. It is ironic that many of the vehicle's software-controlled features were introduced to improve safety, but that these same features introduce the threat of remote control by a hacker.
If the vehicle has an anti-lock braking system, then a hacker can control the brakes. If the car has automatic transmission, then it can be overridden, preventing the driver from putting it in neutral. Steering can be controlled if the car has an automatic parking feature. A video clip showing this in operation is here. If the car is fitted with electronic stability control or active cruise control, then the speed can be varied by a hacker. Brakes can be manipulated if the car is fitted with roll stability control. If the car has pushbutton start, then this can be electronically overridden so that the driver cannot switch the car off. Driverless cars pose even more of a threat.
Recently, Charlie Miller of Twitter and Chris Valasek from IOActive demonstrated how they could control a vehicle by hacking into its electronic system. Their work was financed by a grant from the Defense Advanced Research Projects Agency (DARPA).
Miller and Valasek were present in the vehicle, operating their PC, which was connected by cable to the vehicle's electronic system. Someone sitting in your vehicle with a PC plugged into the electronics behind the dashboard is a bit of a give-away, so how easy or difficult would it be to gain remote access? A group of researchers showed how they could gain remote access to the vehicle's electronics system through the cellular connection in the vehicle's built-in call centre support services.
One point of access to a vehicle's electronics system is the On Board Diagnostics (OBD) port. That's the port that the auto mechanic plugs his diagnostic machine into when the vehicle is undergoing a service. If a hacker was able to gain access to the vehicle, either by breaking in or through the automotive technician when he services the vehicle, he could then attach a cellular data device to the OBD port, providing him with remote access for later use. If DARPA want to flick me some of their research funds we could demonstrate a more convincing remote vehicle hack via the OBD port.
Has car hacking been used in an assassination before? Some suspect it caused the recent car crash resulting in the death of investigative journalist Michael Hastings. Richard Clarke, the former chief counter-terrorism advisor to the National Security Council, maintains that car hacking techniques are today well within the capabilities of all the major countries. Clarke believes that car hacking was possibly the cause of Michael Hastings' death.
It is not beyond the bounds of credibility to imagine a scenario of car hacking combined with an element of social engineering, where a terrorist group sends a box of cellular data devices to a car dealer with instructions to install them into the OBD port before the vehicle is returned to the customer after its next service.
What is clear is that the security of vehicle software is certainly going to be a major issue in the future. Car manufacturers are sure to put more focus on this threat, as a proven car hacking incident could have catastrophic consequences for their sales, and put a large dent in their litigation fund.
Excellent post and somewhat disconcerting!
The organization I work for proved this as well for an auto-manufacturer client. We were able to penetrate the vehicle's systems through Bluetooth and other methods – hit the accelerator, lock the doors, set off the airbag and steal personal information from the entertainment system. Silver lining: some car companies are paying attention to these issues.