Wait, Now I Need Security Software For My Car, Too?

from the trojan-brakes? dept

Remember a few months ago when a disgruntled ex-employee from a car dealer was able to login to the dealer's computer system and remotely disable over 100 cars? And, of course, there have been concerns over the ability to use systems like OnStar to remotely disable cars as well, with concerns about what would happen if malicious hackers were able to get their hands on the controls. Now, to add to those concerns, some researchers are reporting that modern day car computing is vulnerable to malicious hacks that could put drivers in danger.
The scientists say that they were able to remotely control braking and other functions, and that the car industry was running the risk of repeating the security mistakes of the PC industry....

The researchers, financed by the National Science Foundation, tested two versions of a late-model car in both laboratory and field settings. They did not identify the maker or the brand of the car, but said they believed they were representative of the computer network control systems that have proliferated in most cars today.

The researchers asked what could happen if a hacker could gain access to the network of a car, said Tadayoshi Kohno, a University of Washington computer scientist. He said the research teams were able to demonstrate their ability to circumvent a wide variety of systems critical to the safety of drivers and passengers.

They also demonstrated what they described as "composite attacks" that showed their ability to insert malicious software and then erase any evidence of tampering after a crash.

The researchers were able to activate dozens of functions and almost all of them while the car was in motion.
Happy driving, everyone...

To be fair, the researchers admit that they did not look at what kinds of "defense" the car might have to block such attacks, but they do point out that those developing car computing systems probably don't have as much experience or concern in the security realm. For the most part, this sounds like it's not a problem that anyone's going to face in the short-term. If anything, I'm guessing we'll have a lot more moral panic stories about what will happen before any reports of something bad actually happening. However, at some point, it seems likely that these sorts of stories will pass over from the hypothetical into the real world, and at that point, I'll be looking for a car that runs on open source software.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    MK, May 17th, 2010 @ 2:16am

    Custom patches or mod chips for cars?

    Instead of deliberate attacks, I wonder when someone will write a custom software or create a mod chip for a car. Instead of tinkering with the physical components, it might be possible to boost a car's performance by disabling some built-in safety limits. This kind of modification might also be difficult for police to notice in an otherwise normal looking car.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, May 17th, 2010 @ 2:25am

    The big question

    ... Why are cars wireless enabled in the first place? I can understand for emergency rescue signals, but it still should be separate from the mechanisms that control the car's movement.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    techflaws.org (profile), May 17th, 2010 @ 2:36am

    reminds me of this

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Win, May 17th, 2010 @ 3:25am

    Re: reminds me of this

    Win

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    ITrush, May 17th, 2010 @ 3:43am

    Hmm, I guess that's what you get in this fast changing tech world.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    out_of_the_blue, May 17th, 2010 @ 3:53am

    Large airplanes fly-by-wire.

    Wonder if they can be remote-controlled.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, May 17th, 2010 @ 3:58am

    If this story becomes big enough news and develops into an urban legend, I can imagine a scene in a "hacking" movie where the computer savvy supporting character is riding with the main character and has to hack into and move several cars while simultaneously controlling his own. The main character would now be in a position to save the day.

    I picture Shia Lebouf as the supporting actor, I think he does a great frustrated and misunderstood scene.

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    MBraedley (profile), May 17th, 2010 @ 4:15am

    To be fair:

    Hackers (currently) must gain physical access to the car in order to perform these hacks. They need access to the diagnostics port. I only say this because it wasn't mentioned at all in the post.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    bob, May 17th, 2010 @ 4:24am

    Nope

    I'll go with an old Ford Falcon with a six banger.
    Or the 1971 Nova 6 I used to own.
    Now the 62 Nova II wagon I had was cool.
    None of those cars had any sort of software problem.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    abc gum, May 17th, 2010 @ 4:39am

    Re: Custom patches or mod chips for cars?

    I thought this was an existing, legal, market.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Headbhang, May 17th, 2010 @ 4:41am

    McAfee Antivirus: BMW Edition

    (incidentally, it also happens to reduce your max speed to 30 mph)

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    abc gum, May 17th, 2010 @ 4:49am

    Re: To be fair:

    "Hackers (currently) must gain physical access to the car in order to perform these hacks. They need access to the diagnostics port. I only say this because it wasn't mentioned at all in the post."

    The need for physical access to the car and to the network of a car was stated. The diagnostics port in particular was not. The team that demonstrated this used the diagnostics port, as is reported in other articles on the subject. I doubt that the diagnostics port is the only point of access which would allow such manipulations.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    BSOD, May 17th, 2010 @ 4:54am

    This revelation brings new meaning to the acronym BSOD.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, May 17th, 2010 @ 4:57am

    Re: Re: Custom patches or mod chips for cars?

    Existing - Yes.

    Legal - Sometimes.

    Per the Clean Air Act, its against Federal Law to tamper with the emission control devices in cars for a certain number of years. Your ECU is part of the emissions control system. Removing a speed limiter is probably a different story, however I don't believe I know of any of the plug-in tuners that carry the CARB or Federal OK #'s.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    mkam, May 17th, 2010 @ 5:21am

    Re: Re: To be fair:

    Just need to get access to the CAN bus on the car, which the ODB port provides. All you have to know is what wires you are looking for under the car and tap in to the High Low wires for the bus. If you start looking at how much modern cars are sending around on this bus (get a CAN-->USB device for a laptop) you would definitely be surprised.

     

    reply to this | link to this | view in thread ]

  16.  
    icon
    P3T3R5ON (profile), May 17th, 2010 @ 5:46am

    Re: Re: Re: Custom patches or mod chips for cars?

    Despite all the aftermarket add-ons for cars these days saying 'not for street use' 'not carb legal' etc.... If your vechicle passes emissions then you're ok. Except you still have to have some safety standards mandated by state law... (exterior lights, dB level, etc)

    'Chipping' a car simply changes a few strings of engine timing code to apply a performance based map for air to fuel ratio in the car... most easily chipped cars are ones that are already running a forced induction application.

    As far as 'hacking' a cars ECU, it's not like taking out a computer on the internet, you need physical access to the vehicle... except OnStar type vehicles.... for now. Once cellphone connectivity comes standard with cars then the ECU will be able to be remotely attacked.

    (insert sarcasm) I'm so glad the the auto industry is finally realizing that this potential threat could soon become a very real issue and much sooner then they think.

     

    reply to this | link to this | view in thread ]

  17.  
    icon
    Chuck Norris' Enemy (deceased) (profile), May 17th, 2010 @ 6:07am

    Aha!

    So that's how Government Motors (attempted) to destroy the name of Toyota.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    NullOp, May 17th, 2010 @ 6:08am

    Security

    Are you allowing people to plug into your car's computer on a random basis? If you are, you're a dumbass. Typical misreported newz.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Matt, May 17th, 2010 @ 6:15am

    Re: Custom patches or mod chips for cars?

    I guess you don't you dont know much about cars. We have been writing mod chips since the beginning of the ECM. WOW.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Boost, May 17th, 2010 @ 6:40am

    Re: The big question

    Cheap field data for the factory engineers would be my guess.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Boost, May 17th, 2010 @ 6:45am

    Re: Aha!

    Guess they (GM) underestimated people's devotion to an over rated car company (Toyota) that continues to produce cars inferior to their competition.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    geedwrench, May 17th, 2010 @ 6:55am

    Re: Custom patches or mod chips for cars?

    Thats exactly what "performance upgrades" have done for the past 10 or so years

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    geekwrench, May 17th, 2010 @ 6:58am

    Re: Nope

    No, they just have every other possible problem. Ever hear of "rotating spark plugs?"

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Rick, May 17th, 2010 @ 7:01am

    Re: The big question

    Actually, it's rather handy to have OnStar slow down and shut the engine of your car off, if it's been stolen. They like to do this just as the police officer who was led to the stolen car pulls up behind the thief in your car.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    geekwrench, May 17th, 2010 @ 7:02am

    Re: Re: reminds me of this

    Ironically, BMW is one of those cars that runs on a version of windows. The cars can even be opened tirelessly by parroting the key remote, and then OBD2 access is a snap. Some cars have actualy been stolen this way.

     

    reply to this | link to this | view in thread ]

  26.  
    icon
    Hephaestus (profile), May 17th, 2010 @ 7:09am

    Re: Large airplanes fly-by-wire.

    The story says that if the car has the ability to auto park steering could taken over. The next Darpa challenge should be alot easier, just grab up an existing autoparking car and put in a CUDA-Nvidia based mini super, and some terrain scanning hardware.

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Rob, May 17th, 2010 @ 7:23am

    Re: Security

    But that is not the only access to the computer. Others have already mentioned OnStar. There are also cars with blue tooth and I think, one of the points made was concerning the future as cars get more wireless/bluetooth capability.

    Also, if you ever allow anyone else to drive your car (mechanic, valet, or even a 'friend'), you have just allowed someone to connect to your cars computer...but you didn't know it, so does that also make you a dumbass?

    Come on, be nice. If the car makers do not take steps to protect consumers NOW, as the software develops the protection will be more difficult to program in later and that is the point I took from the article.

     

    reply to this | link to this | view in thread ]

  28.  
    icon
    Hephaestus (profile), May 17th, 2010 @ 7:25am

    hmmmm .....

    Here is a scenario for you. Every year you go to get your car smogged as part of the inspection. That includes them hooking up to the diagnostics port to check the emissions. Hack the machine that does the emissions test to insert nefarious code to do what you want at the time you want.

    It would be funny to have every car in a state start blowing their horns, flash their lights, turn on the windsheild wipers at the same time, randomly unlock and lock the doors, and pop the trunk. Or in the case of cars with user based self adjusting seats ... squish!!!

    yeah I know improbable because of the different OS's and versions used on the CPU's. It would be funny though.

     

    reply to this | link to this | view in thread ]

  29.  
    icon
    lavi d (profile), May 17th, 2010 @ 7:27am

    Possible Bright Side

    Is there any way to hack into a car and disable the stereo?

     

    reply to this | link to this | view in thread ]

  30.  
    icon
    Dan (profile), May 17th, 2010 @ 7:38am

    This reminds me of....

    "If GM made cars like Microsoft...". Here's the link.

    http://www.snopes.com/humor/jokes/autos.asp

     

    reply to this | link to this | view in thread ]

  31.  
    icon
    Dan (profile), May 17th, 2010 @ 7:44am

    Re: This reminds me of....

    Now that I'm looking at this Snopes list again, items 7 and 13 are now true.... LOL!

     

    reply to this | link to this | view in thread ]

  32.  
    identicon
    Bill Xates, May 17th, 2010 @ 9:22am

    Re:

    I don't need no stinkin' AV for my Linux Lexis...

     

    reply to this | link to this | view in thread ]

  33.  
    identicon
    Matt, May 17th, 2010 @ 9:45am

    Re: Custom patches or mod chips for cars?

    People have been doing that for a long time. Some states limit the HP of engines for emissions, this can be gotten around with mod chips. Mod chips can significantly increase performance of cars adding a noticable ammount of horsepower hitting the road. A lot of cars don't perform as POWERFULLY as they can at the manufacturer's implemented handicap in order to keep mileage or weardown (for warranties) within certain limits.

     

    reply to this | link to this | view in thread ]

  34.  
    identicon
    Rattled Windows, May 17th, 2010 @ 1:09pm

    Re: Possible Bright Side

    ThisThisThis!

    Seriously, I've been wishing for such capabilities for years. Instead I've been faking it by standing on the lawn pointing a hairdryer at booming shitboxes on wheels, but that just makes them slow down. :(

     

    reply to this | link to this | view in thread ]

  35.  
    identicon
    Anonymous Coward, May 17th, 2010 @ 2:59pm

    Re: Possible Bright Side

    If I could do this I'd rather make the car accelerate directly into the nearest manure truck. Disabling the stereo is too good for the asshole that parks outside my window at 4 AM every night with his windows down and stays there for an hour, blasting mexi-pop and mariachi music at ear-splitting decibel levels.

     

    reply to this | link to this | view in thread ]

  36.  
    identicon
    Anonymous Coward, May 17th, 2010 @ 5:47pm

    "Wait, Now I Need Security Software For My Car, Too?"

    I think you should just format your engine and re - install the operating system on it. Make sure you do all the patch updates afterwords.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This