Wait, Now I Need Security Software For My Car, Too?

from the trojan-brakes? dept

Remember a few months ago when a disgruntled ex-employee from a car dealer was able to login to the dealer's computer system and remotely disable over 100 cars? And, of course, there have been concerns over the ability to use systems like OnStar to remotely disable cars as well, with concerns about what would happen if malicious hackers were able to get their hands on the controls. Now, to add to those concerns, some researchers are reporting that modern day car computing is vulnerable to malicious hacks that could put drivers in danger.
The scientists say that they were able to remotely control braking and other functions, and that the car industry was running the risk of repeating the security mistakes of the PC industry....

The researchers, financed by the National Science Foundation, tested two versions of a late-model car in both laboratory and field settings. They did not identify the maker or the brand of the car, but said they believed they were representative of the computer network control systems that have proliferated in most cars today.

The researchers asked what could happen if a hacker could gain access to the network of a car, said Tadayoshi Kohno, a University of Washington computer scientist. He said the research teams were able to demonstrate their ability to circumvent a wide variety of systems critical to the safety of drivers and passengers.

They also demonstrated what they described as "composite attacks" that showed their ability to insert malicious software and then erase any evidence of tampering after a crash.

The researchers were able to activate dozens of functions and almost all of them while the car was in motion.
Happy driving, everyone...

To be fair, the researchers admit that they did not look at what kinds of "defense" the car might have to block such attacks, but they do point out that those developing car computing systems probably don't have as much experience or concern in the security realm. For the most part, this sounds like it's not a problem that anyone's going to face in the short-term. If anything, I'm guessing we'll have a lot more moral panic stories about what will happen before any reports of something bad actually happening. However, at some point, it seems likely that these sorts of stories will pass over from the hypothetical into the real world, and at that point, I'll be looking for a car that runs on open source software.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cars, hacking, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    MK, 17 May 2010 @ 2:16am

    Custom patches or mod chips for cars?

    Instead of deliberate attacks, I wonder when someone will write a custom software or create a mod chip for a car. Instead of tinkering with the physical components, it might be possible to boost a car's performance by disabling some built-in safety limits. This kind of modification might also be difficult for police to notice in an otherwise normal looking car.

    link to this | view in chronology ]

    • identicon
      abc gum, 17 May 2010 @ 4:39am

      Re: Custom patches or mod chips for cars?

      I thought this was an existing, legal, market.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 17 May 2010 @ 4:57am

        Re: Re: Custom patches or mod chips for cars?

        Existing - Yes.

        Legal - Sometimes.

        Per the Clean Air Act, its against Federal Law to tamper with the emission control devices in cars for a certain number of years. Your ECU is part of the emissions control system. Removing a speed limiter is probably a different story, however I don't believe I know of any of the plug-in tuners that carry the CARB or Federal OK #'s.

        link to this | view in chronology ]

        • icon
          P3T3R5ON (profile), 17 May 2010 @ 5:46am

          Re: Re: Re: Custom patches or mod chips for cars?

          Despite all the aftermarket add-ons for cars these days saying 'not for street use' 'not carb legal' etc.... If your vechicle passes emissions then you're ok. Except you still have to have some safety standards mandated by state law... (exterior lights, dB level, etc)

          'Chipping' a car simply changes a few strings of engine timing code to apply a performance based map for air to fuel ratio in the car... most easily chipped cars are ones that are already running a forced induction application.

          As far as 'hacking' a cars ECU, it's not like taking out a computer on the internet, you need physical access to the vehicle... except OnStar type vehicles.... for now. Once cellphone connectivity comes standard with cars then the ECU will be able to be remotely attacked.

          (insert sarcasm) I'm so glad the the auto industry is finally realizing that this potential threat could soon become a very real issue and much sooner then they think.

          link to this | view in chronology ]

    • identicon
      Matt, 17 May 2010 @ 6:15am

      Re: Custom patches or mod chips for cars?

      I guess you don't you dont know much about cars. We have been writing mod chips since the beginning of the ECM. WOW.

      link to this | view in chronology ]

    • identicon
      geedwrench, 17 May 2010 @ 6:55am

      Re: Custom patches or mod chips for cars?

      Thats exactly what "performance upgrades" have done for the past 10 or so years

      link to this | view in chronology ]

    • identicon
      Matt, 17 May 2010 @ 9:45am

      Re: Custom patches or mod chips for cars?

      People have been doing that for a long time. Some states limit the HP of engines for emissions, this can be gotten around with mod chips. Mod chips can significantly increase performance of cars adding a noticable ammount of horsepower hitting the road. A lot of cars don't perform as POWERFULLY as they can at the manufacturer's implemented handicap in order to keep mileage or weardown (for warranties) within certain limits.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 May 2010 @ 2:25am

    The big question

    ... Why are cars wireless enabled in the first place? I can understand for emergency rescue signals, but it still should be separate from the mechanisms that control the car's movement.

    link to this | view in chronology ]

    • identicon
      Boost, 17 May 2010 @ 6:40am

      Re: The big question

      Cheap field data for the factory engineers would be my guess.

      link to this | view in chronology ]

    • identicon
      Rick, 17 May 2010 @ 7:01am

      Re: The big question

      Actually, it's rather handy to have OnStar slow down and shut the engine of your car off, if it's been stolen. They like to do this just as the police officer who was led to the stolen car pulls up behind the thief in your car.

      link to this | view in chronology ]

  • icon
    techflaws.org (profile), 17 May 2010 @ 2:36am

    reminds me of this

    link to this | view in chronology ]

    • identicon
      Win, 17 May 2010 @ 3:25am

      Re: reminds me of this

      Win

      link to this | view in chronology ]

      • identicon
        geekwrench, 17 May 2010 @ 7:02am

        Re: Re: reminds me of this

        Ironically, BMW is one of those cars that runs on a version of windows. The cars can even be opened tirelessly by parroting the key remote, and then OBD2 access is a snap. Some cars have actualy been stolen this way.

        link to this | view in chronology ]

  • identicon
    ITrush, 17 May 2010 @ 3:43am

    Hmm, I guess that's what you get in this fast changing tech world.

    link to this | view in chronology ]

  • identicon
    out_of_the_blue, 17 May 2010 @ 3:53am

    Large airplanes fly-by-wire.

    Wonder if they can be remote-controlled.

    link to this | view in chronology ]

    • icon
      Hephaestus (profile), 17 May 2010 @ 7:09am

      Re: Large airplanes fly-by-wire.

      The story says that if the car has the ability to auto park steering could taken over. The next Darpa challenge should be alot easier, just grab up an existing autoparking car and put in a CUDA-Nvidia based mini super, and some terrain scanning hardware.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 May 2010 @ 3:58am

    If this story becomes big enough news and develops into an urban legend, I can imagine a scene in a "hacking" movie where the computer savvy supporting character is riding with the main character and has to hack into and move several cars while simultaneously controlling his own. The main character would now be in a position to save the day.

    I picture Shia Lebouf as the supporting actor, I think he does a great frustrated and misunderstood scene.

    link to this | view in chronology ]

  • icon
    MBraedley (profile), 17 May 2010 @ 4:15am

    To be fair:

    Hackers (currently) must gain physical access to the car in order to perform these hacks. They need access to the diagnostics port. I only say this because it wasn't mentioned at all in the post.

    link to this | view in chronology ]

    • identicon
      abc gum, 17 May 2010 @ 4:49am

      Re: To be fair:

      "Hackers (currently) must gain physical access to the car in order to perform these hacks. They need access to the diagnostics port. I only say this because it wasn't mentioned at all in the post."

      The need for physical access to the car and to the network of a car was stated. The diagnostics port in particular was not. The team that demonstrated this used the diagnostics port, as is reported in other articles on the subject. I doubt that the diagnostics port is the only point of access which would allow such manipulations.

      link to this | view in chronology ]

      • identicon
        mkam, 17 May 2010 @ 5:21am

        Re: Re: To be fair:

        Just need to get access to the CAN bus on the car, which the ODB port provides. All you have to know is what wires you are looking for under the car and tap in to the High Low wires for the bus. If you start looking at how much modern cars are sending around on this bus (get a CAN-->USB device for a laptop) you would definitely be surprised.

        link to this | view in chronology ]

  • identicon
    bob, 17 May 2010 @ 4:24am

    Nope

    I'll go with an old Ford Falcon with a six banger.
    Or the 1971 Nova 6 I used to own.
    Now the 62 Nova II wagon I had was cool.
    None of those cars had any sort of software problem.

    link to this | view in chronology ]

  • identicon
    Headbhang, 17 May 2010 @ 4:41am

    McAfee Antivirus: BMW Edition

    (incidentally, it also happens to reduce your max speed to 30 mph)

    link to this | view in chronology ]

  • identicon
    BSOD, 17 May 2010 @ 4:54am

    This revelation brings new meaning to the acronym BSOD.

    link to this | view in chronology ]

  • icon
    Chuck Norris' Enemy (deceased) (profile), 17 May 2010 @ 6:07am

    Aha!

    So that's how Government Motors (attempted) to destroy the name of Toyota.

    link to this | view in chronology ]

    • identicon
      Boost, 17 May 2010 @ 6:45am

      Re: Aha!

      Guess they (GM) underestimated people's devotion to an over rated car company (Toyota) that continues to produce cars inferior to their competition.

      link to this | view in chronology ]

  • identicon
    NullOp, 17 May 2010 @ 6:08am

    Security

    Are you allowing people to plug into your car's computer on a random basis? If you are, you're a dumbass. Typical misreported newz.

    link to this | view in chronology ]

    • identicon
      Rob, 17 May 2010 @ 7:23am

      Re: Security

      But that is not the only access to the computer. Others have already mentioned OnStar. There are also cars with blue tooth and I think, one of the points made was concerning the future as cars get more wireless/bluetooth capability.

      Also, if you ever allow anyone else to drive your car (mechanic, valet, or even a 'friend'), you have just allowed someone to connect to your cars computer...but you didn't know it, so does that also make you a dumbass?

      Come on, be nice. If the car makers do not take steps to protect consumers NOW, as the software develops the protection will be more difficult to program in later and that is the point I took from the article.

      link to this | view in chronology ]

  • icon
    Hephaestus (profile), 17 May 2010 @ 7:25am

    hmmmm .....

    Here is a scenario for you. Every year you go to get your car smogged as part of the inspection. That includes them hooking up to the diagnostics port to check the emissions. Hack the machine that does the emissions test to insert nefarious code to do what you want at the time you want.

    It would be funny to have every car in a state start blowing their horns, flash their lights, turn on the windsheild wipers at the same time, randomly unlock and lock the doors, and pop the trunk. Or in the case of cars with user based self adjusting seats ... squish!!!

    yeah I know improbable because of the different OS's and versions used on the CPU's. It would be funny though.

    link to this | view in chronology ]

  • icon
    lavi d (profile), 17 May 2010 @ 7:27am

    Possible Bright Side

    Is there any way to hack into a car and disable the stereo?

    link to this | view in chronology ]

    • identicon
      Rattled Windows, 17 May 2010 @ 1:09pm

      Re: Possible Bright Side

      ThisThisThis!

      Seriously, I've been wishing for such capabilities for years. Instead I've been faking it by standing on the lawn pointing a hairdryer at booming shitboxes on wheels, but that just makes them slow down. :(

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 May 2010 @ 2:59pm

      Re: Possible Bright Side

      If I could do this I'd rather make the car accelerate directly into the nearest manure truck. Disabling the stereo is too good for the asshole that parks outside my window at 4 AM every night with his windows down and stays there for an hour, blasting mexi-pop and mariachi music at ear-splitting decibel levels.

      link to this | view in chronology ]

  • icon
    Dan (profile), 17 May 2010 @ 7:38am

    This reminds me of....

    "If GM made cars like Microsoft...". Here's the link.

    http://www.snopes.com/humor/jokes/autos.asp

    link to this | view in chronology ]

    • icon
      Dan (profile), 17 May 2010 @ 7:44am

      Re: This reminds me of....

      Now that I'm looking at this Snopes list again, items 7 and 13 are now true.... LOL!

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 May 2010 @ 5:47pm

    "Wait, Now I Need Security Software For My Car, Too?"

    I think you should just format your engine and re - install the operating system on it. Make sure you do all the patch updates afterwords.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.