Could Hackers Take Your Car for a Ride?
by George Lawton
Cars are becoming increasingly networked, leading to concern among some security experts that hackers could exploit this to cause potentially serious problems.
Vehicles have internal networks accessible from within the car. They are also increasingly working with external networks like that used by General Motors' OnStar driver-assistance system.
Researchers have shown that hackers could even compromise automobiles via their entertainment systems by, for example, using specially crafted malicious CDs or music files.
Thus far, only one carhacking incident has occurred, in which a disgruntled former car-leasing company employee allegedly remotely disabled about 100 vehicles.
However, although most security experts say carhacking doesn't represent a serious threat now, they contend this could change as automobiles become more networked and hackers become more sophisticated.
Carhacking
About 10 years ago, enthusiasts started using a form of carhacking to get into an automobile's computer system, modify settings, and improve engine performance, noted University of Washington graduate student Karl Koscher, who studies the security of vehicular computer and communications systems.
Real-life incident
In 2010, a former car dealership employee in Austin, Texas, was arrested for allegedly using a password stolen from a former coworker to hack into a remote immobilizer system and disable about 100 already-purchased cars.
The hacker is accused of attacking the WebTeckPlus system, operated by Pay Technologies, which the dealership used with customers who didn't make their payments.
Dealers install WebTeck devices — which obey commands issued over a wireless pager network — in cars they sell. If a car payment is past due, the dealer could use the system to disable the vehicle's ignition system or activate the horn.
Research
Researchers have demonstrated the possibility of various internal and external attacks.
Attacks requiring vehicle access. In 2010, University of Washington and University of California, San Diego (UCSD), researchers reverse-engineered a new car to produce working exploits.
They developed several attacks using a technique called fuzzing, in which a large number of packets with randomly generated data are sent to an automotive system to determine which, if any, cause problems. Hackers could use such information to launch attacks.
"We constructed attacks that would control many of the car's systems including the engine, the brakes, and the lights," said UCSD doctoral candidate Steve Checkoway.
He noted that fuzzing required the researchers to access the OBD-II port for onboard diagnostics, located under the dashboard.
Attackers could also use specially crafted CDs or Windows Media Audio files that include a Trojan horse. When these files are played on certain vehicular media-control systems, hackers could gain control of various automotive systems.
In some cases, attackers could also exploit vehicles' built-in Wi-Fi, Bluetooth, and cellular connections.
Checkoway said that computerized systems within a car typically aren't isolated from one another. Thus, he explained, "compromising a single computer is sufficient to compromise all of them. This means that compromising even something as innocuous as the car's radio [via a maliciously formatted CD] can compromise the brakes."
Remote attacks. Researchers Alan Bailey and Matthew Solnik with security consultancy iSec Partners recently demonstrated a fundamental weakness in the baseband general-packet-radio-service (GPRS) cellular and short-message-service (SMS) infrastructures used in remote-vehicular assistance services and in Internet-enabled security systems.
They first figured out how to intercept wireless messages between the car and a remote vehicle-assistance network such as OnStar, Ford's MyFord Touch, BMW Assist, and Mercedes Benz's mbrace.
Using a laptop with a GPRS radio, they then recreated the messages and remotely compromised a car with an Internet-enabled security system, which lets drivers open the doors via a smartphone. The researchers were thus able to unlock the vehicle and start the engine.
Hackers could remotely identify and interact with cars that work with remote-assistance systems via war texting. With this technique, the hacker drives around with a specially equipped laptop and sends out malicious SMS messages until one is received by a vulnerable vehicle.
University of South Carolina researchers discovered that it's possible to fool the communications system in the electronic tire gauges in late-model cars into reporting a tire problem to the driver via a dashboard display. They accomplished this by jamming and overpowering the tire-pressure system's radio signal with their own specially crafted radio.
This could let criminals trick drivers who think they have tire problems into stopping, at which point they could be robbed.
Researchers at the Swiss Federal Institute of Technology Zurich studied automobile keys with wireless-communications capabilities, which are popular in many late-model cars.
They found a way to trick the car into asking the key for the unlock code. They then recorded this code and generated it using a computer connected to a radio. This could enable a hacker to follow a victim, capture their unlock code, open the door when the car is unattended, and start the vehicle.
Driving ahead
With one exception, carhacking has been demonstrated only in laboratories and only against certain types of automobile components.
Carhacking attacks are hard to launch today, in part because finding a vulnerable vehicle could be difficult and time-consuming, noted the University of Washington's Koscher. For example, only a minority of vehicles have remote car-assistance systems such as OnStar.
However, automobiles could face new hacking threats in the future.
For example, car owners can plug a growing number of products into their OBD-II ports, including Bluetooth-based diagnostic dongles and insurance companies' tracking devices. This could create vulnerabilities.
Moreover, new wireless networks — such as those between vehicles and those between vehicles and the Internet — could open additional hacking routes.
In response to the threats, Checkoway said, automobile companies and regulators have begun taking steps to secure vehicles.
For example, the Society of Automotive Engineers and the US Council for Automotive Research have created vehicular-cybersecurity working groups.
"Ford is … investing in security solutions that are built into the product from the outset," said Alan Hall, communications manager for technology, research, and innovation with the company. "The use of threat modeling and documenting potential areas of vulnerability is a critical element of our design efforts."
Ford is taking steps such as building firewalls into the networks within automobiles, whitelisting applications that can safely access vehicular networks, separating the car-control network from the infotainment network, and deploying Wi-Fi Protected Access security technology.
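The sketch below is an added illustration, not Ford's or any vendor's code. It shows how a gateway between the infotainment network and the car-control network can enforce a whitelist. The segment name, message identifiers, length limits, and rate limits are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    segment: str    # network segment the frame arrived on
    msg_id: int     # message identifier (constructed values)
    payload: bytes
    t: float        # arrival time in seconds

# (segment, msg_id) -> (max payload bytes, max frames per second); constructed policy
POLICY = {
    ("infotainment", 0x510): (1, 5),  # read-only speed request for the display
    ("infotainment", 0x511): (2, 2),  # cabin-temperature request
}

class Gateway:
    """Default-deny filter for traffic entering the car-control network."""
    def __init__(self, policy):
        self.policy = policy
        self.recent = defaultdict(deque)  # per-rule timestamps of forwarded frames
        self.dropped = []                 # (msg_id, reason) audit trail

    def forward(self, frame):
        key = (frame.segment, frame.msg_id)
        rule = self.policy.get(key)
        if rule is None:
            return self._drop(frame, "id not allowlisted")
        max_len, max_rate = rule
        if len(frame.payload) > max_len:
            return self._drop(frame, "payload too long")
        window = self.recent[key]
        while window and frame.t - window[0] >= 1.0:
            window.popleft()              # forget frames older than one second
        if len(window) >= max_rate:
            return self._drop(frame, "rate limit exceeded")
        window.append(frame.t)
        return True

    def _drop(self, frame, reason):
        self.dropped.append((frame.msg_id, reason))
        return False

def run_sample():
    """Feed constructed frames through the gateway and return the decisions."""
    gw = Gateway(POLICY)
    frames = [
        Frame("infotainment", 0x510, b"\x01", 0.0),      # permitted request
        Frame("infotainment", 0x0A0, b"\xff\xff", 0.1),  # identifier not in policy
        Frame("infotainment", 0x511, b"\x00" * 8, 0.2),  # oversized payload
    ] + [Frame("infotainment", 0x510, b"\x01", 0.3 + i * 0.01) for i in range(6)]
    return [gw.forward(f) for f in frames], gw.dropped
```

Because the gateway drops anything not explicitly listed, a compromised media player can only send the few requests the policy names, and the drop log gives an intrusion-detection signal.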
"One thing to keep in mind is that [carhackers] don't have to have a 100 percent success rate," said the University of Washington's Koscher. "If you take what seems like the most likely hacking scenario, in which people use technological means to steal cars, you can spread your malware broadly and wait for the vulnerable cars to report back to you. You may have a low chance of success, but when it works, there's a big payday."
George Lawton is a freelance technology writer based in Guerneville, California. Contact him at glawton@glawton.com.