With computers firmly in control of our cars and connectivity on the rise, car hacking could be the next big security issue. We speak with two researchers behind a paper on automobile and computer security.
A group of researchers from two universities tested their hacking skills on two cars and found that they could remotely lock the brakes, the engine and windows on a car; turn on the radio, heat and windshield wipers; honk the horn; and change the speedometer display.
They were able to do all of that in tests on two cars of unnamed make and model — a Chevrolet Impala is pictured in the paper — by connecting a laptop to the electronic control system and controlling that computer wirelessly using a second laptop in a separate car.
The paper will be presented by researchers at the University of Washington and the University of California at San Diego (USCD) at the IEEE Symposium on Security and Privacy being held in Oakland, California, on Wednesday.
"Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input," the paper says.
We interviewed two of the researchers — Stefan Savage of UCSD and Tadayoshi Kohno of the University of Washington — and talked with them about the tests and what their findings mean for drivers today.
CNET: We'd like to know more about what you did for the research. Did you need to have physical access to the car, or is there a way this could be done remotely?
Stefan Savage: In the paper we didn't focus on the different ways that one could do it. The paper focuses on the question of if someone were able to gain access to the car, how resilient would it be in our scenario? We connected our computer to the on-board diagnostics port — it's standard and is located under the dashboard on the driver's side.
Tadayoshi Kohno: This paper is not focusing on the specific threats. We are focusing on understanding the evolution of cars in the hopes that the industry can protect against adverse things happening in the future.
Savage: If you look at PCs in the early 1990's, they had all kinds of latent software vulnerabilities. It didn't matter so much because PCs were at home and not connected to everything else. Then they were connected to the internet and the latent vulnerabilities were exposed to outside attack. We see cars moving in much the same direction. There is a strong trend to provide pervasive connectivity in cars going forward. It would be good to start working on hardening these systems and providing defences before it becomes a real problem.
Can you give me a scenario where a car would be compromised?
Savage: You could have an adversarial mechanic, or a jealous boyfriend or girlfriend who temporarily has access to the car. They could connect to this component, download onto the car, disconnect and the code could do their bidding. I think at this point these attacks are much more fantastic than a real thing people need to be concerned about today.
Kohno: Today everyone is focusing on web security and botnets. We want to make sure that in five or 10 years we don't add cars to that list.
You have written a tool that enables this type of attack, called CarShark, right?
Kohno: The tool captures a lot of what we did. It's a software tool we wrote. It runs on a computer that plugs into the OBD-II (On-Board Diagnostics II) port and it can sniff (and inject) packets on the network.
Couldn't someone use that tool to compromise a car?
Savage: We're not releasing it.
But there are ways to do this remotely, right?
Savage: We're trying to find a balance in the research. We're not interested in taking an alarmist tone. We purposely are not focusing on that aspect here. Can I imagine it's doable? Yes. In the end it's all software, and software on your car is not fundamentally different from software on your PC.
Do you think anyone is actually doing anything like this, other than for legitimate research purposes?
Kohno: We have no reason to believe this is an issue today. One of our goals is to stay ahead of the bad guys before the threats really do manifest.
A Chevy Impala is jacked up, ready for some electronic control unit (ECU) hacking.
(Credit: Experimental Security Analysis of a Modern Automobile)
Have you talked to the car manufacturers about this?
Savage: We talked with the appropriate parties, which we can't name.
Did they take this seriously or dismiss it?
Savage: Everyone we've talked to has taken it seriously and been very positive.
Anything else you would like to add?
Kohno: It's a changing world of technology. Often when people hear the word "computer" they associate it with the meaning of laptop or desktop. And one of the things we'll see in the future is computer devices integrating themselves both literally and figuratively into our world. There will be computers integrated into cars, medical devices, homes and the smart grid. And I think that we need to be proactively thinking about security issues, not just on the desktops with botnets and web browsing, but think about where our computers will be in the future and what we can do today to protect them. This research on cars is part of that.
Via CNET News.com