Vice investigates how easily a moving car can be hacked

By DJ Pangburn

Shortly after Rolling Stone contributing editor Michael Hastings died in a fiery auto crash in Los Angeles, conspiracy theories began to pop up online. The mysterious circumstances practically begged for a new brand of ’70s-era Nixonian paranoia. Hastings had regularly pushed buttons in DC. The accident occurred at around 4:00 AM. Only hours earlier, Hastings had been at the sold-out premiere of friend Jeremy Scahill’s Dirty Wars documentary. And, most notably, Hastings spoke to WikiLeaks lawyer Jennifer Robinson hours before his death, then sent a panicky email to BuzzFeed staff, stating he was “onto a big story” and going off the grid for a bit.

The conspiracy theory suggesting Hastings’ Mercedes C250 was hacked is both extremely unlikely and near impossible to prove. That said, is such a hack even possible? Yes. Various researchers have proven that cars can be hacked. This article, however, is chiefly concerned with what types of car hacking are possible.

In 2010 and 2011, researchers from the University of Washington and UC San Diego published two studies concerning vulnerabilities of car computers. The first, “Experimental Security Analysis of a Modern Automobile,” focused on what could be done once a hacker gained access to a vehicle’s internal network. The second, “Comprehensive Experimental Analyses of Automotive Attack Surfaces,” demonstrated how a hacker could compromise a car’s internal network without having any direct physical access to the car itself.

At Def Con 21 in August, Charlie Miller, a Twitter security engineer, and Chris Valasek, director of security intelligence at IOActive, will deliver a talk titled “Adventures in Automotive Networks and Control Units.” Miller and Valasek will address security flaws with automobile software, with particular emphasis on braking and steering. Miller told me he was unable to provide more details on his Def Con talk, but suffice it to say that they wouldn’t be giving the talk if cars couldn’t be hacked. For now, we’ll take a look at what we do know.

According to the UW and UCSD study, “there are over 250 million registered passenger automobiles in the United States,” and the “vast majority of these are computer controlled to a significant degree and virtually all new cars are now pervasively computerized.” As with everything technological, this computerization will only accelerate, for better or worse.

In the first study, researchers, led by UW professor Tadayoshi Kohno and UCSD professor Stefan Savage, were able to hack just about everything electronic in a car. They demonstrated the ability to mess with the car’s radio and instrument panel cluster (to falsify fuel level and speedometer readings), jam locks, pop the trunk, honk the horn, enable/disable windshield wipers, and control the A/C environment. Most importantly, they were able to disable the engine, disable or enable brakes, and create a general denial of service while the car’s wheels were doing 40 mph.

That was all done in a stationary testing setup. The researchers noted that road testing was “the ‘gold standard’ for our attacks as they represent realistic conditions (unlike our controlled stationary environment).”

Again, they were able to manipulate speedometer readings, but they also exploited the system to turn interior and exterior lights, including headlights, off. This hack’s real-world implication was particularly frightening.

“One can imagine this attack to be extremely dangerous in a situation where a victim is driving at high speeds at night in a dark environment,” wrote the researchers. “[T]he driver would not be able to see the road ahead, nor the speedometer, and people in other cars would not be able to see the victim car’s brake lights.”

The terror of this scenario was only surpassed when the researchers described how malicious code could be erased, leaving no trace of who had done it. As they wrote (emphasis mine):

Hosting our own code within a car’s ECU enables yet another extension to our attacks: complicating detection and forensic evaluations following any malicious action. For example, the attack code on the telematics unit could perform some action (such as locking the brakes after detecting a speed of over 80 MPH). The attack code could then erase any evidence of its existence on the device… If the attack code was implanted within the telematics environment itself, then more sophisticated techniques may be necessary to erase evidence of the attack code’s existence. In either case, such an attack could complicate (or even prevent) a forensic investigation of a crash scene. We have experimentally verified the efficacy of a safe version of this attack while driving on a runway…

The researchers used their CarShark software to listen in on the test cars’ Controller Area Network (CAN) system, then exploited it with their very own network packets.

“Occam’s Razor suggests that this is perhaps the least likely way that your car might ever crash.”—Professor Stefan Savage

They acknowledged the skepticism, such as a statement made by independent security expert Ken Tindell to The Register, in which he stated: “Until I sold my company to Bosch in 2003, I was heavily involved in this area of computing, so I can say with some confidence that this ‘discovery’ is sheer foolishness. The only risk they encountered was a theoretical one (viz. that a telematics system connected to the in-vehicle networking could hack the car). It’s highly theoretical because the challenges of hacking a car are vastly more than hacking a banking system. I just can’t see anyone bothering.”

Trend Micro security analyst Rik Ferguson, while not skeptical, noted that a car’s internet connectivity is a key issue. “Cars benefit from the fact that they are (hopefully) not connected to the internet (yet) and currently are not able to be remotely accessed,” Ferguson told BBC News. “So in order to carry out a successful attack you would already need to have physical access to the vehicle, as a break-in or as a mechanic, seem the two most likely scenarios.”

The UW and UCSD researchers took the criticism to heart, and published a follow-up paper in 2011. Specifically, they set out to prove that physical access was unnecessary.

In this paper, the researchers found that indirect physical access to the car’s computer system could be undertaken via the OBD-II port, which is a federally-mandated access point. In this scenario, a hacker would need access to the car at a dealership, or, theoretically, via an electric car’s external charging cable. They also found that CDs, USBs and iPods could possibly be used to deliver malicious code.

Now, this might seem difficult if the car is turned off and locked, but the researchers demonstrated that a hacker could gain access to the car via “Bluetooth, Remote Keyless Entry, RFIDs, Tire Pressure Monitoring Systems, WiFi, and Dedicated Short-Range Communications.” To do this, the hacker would have to be within 5 to 300 meters of the car’s receiver. On the high end, that’s 984 feet of distance from hacker to hacked car. Point being, the hacker need not actually be in the car to deliver the malicious code.
