A teenager not even old enough to drive a car was able to wirelessly connect to a vehicle’s internal computer network and control various functions.
The 14-year-old built an electronic remote auto communications device with $15 worth of Radio Shack parts that were assembled in less than a night.
Auto executives at a conference this week sponsored by the Center for Automotive Research revealed how stunned they were by the feat, which actually happened last summer, noting it shed light on the need for greater security as vehicles gain more wireless capabilities.
The boy, whose name is not being released, was among 30 other students ranging in age from high school to college undergraduates to PhD students who participated in the third annual Battelle CyberAuto Challenge. The year, make and models of the cars experimented on during the challenge were not disclosed.
While the CyberAuto Challenge was held last July, a recent report by U.S. Sen. Edward Markey (D-Mass.) and comments from auto executives at this week’s conference brought it back into the spotlight.
Markey’s office issued a report on vehicle security and privacy earlier this month, noting that automakers are developing fleets with fully adopted wireless technologies like Bluetooth and wireless Internet access, but aren’t addressing “the real possibilities of hacker infiltration into vehicle systems.
“Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” Markey, a member of the Commerce, Science and Transportation Committee, said in a statement. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st century American drivers.”
Held in Troy, Mich., the CyberAuto Challenge is a five-day gathering of auto industry engineers, academic researchers and members of the white-hat hacker community who assist the students with knowledge of their various vehicles.
Also in attendance at the CyberAuto Challenge were White House staff members and lawmakers.
After the students were educated on vehicle hardware, internal bus systems and wireless communication protocols, they divided into teams and attacked their assigned automobiles.
With just a little soldering and assembly, the 14-year-old built a device to wirelessly communicate with a vehicle’s controller area network (CAN) and remotely control non-safety related equipment such as headlights, window wipers and the horn. He was also able to unlock the car and engage the vehicle’s remote start feature.
Andrew Brown Jr., chief technologist at Delphi Automotive, was on hand for the challenge and was quoted as saying there is no way the boy should have been able to do what he did.
According to some security experts, infiltrating a vehicle’s CAN should be an arduous process that requires in-depth planning. But, the kid even declined help from the technical experts on hand.
“It was mind-blowing,” Brown said.
Anuja Sonalker, lead scientist for Battelle’s cyber auto group, said that — just like the computer industry — automakers are rolling out technology first and security second.
“Malware surfaced a lot later than computer technology,” Sonalker said. “We’ve built security as an after thought in all industries.”
The Battelle CyberAuto Challenge is meant to keep the auto industry “on its toes,” she said.
Sonalker also noted that critical vehicle systems, those that control braking or acceleration, could not be accessed remotely because there are physical firewalls built into CANs. “Automakers have done a good job with safety,” she said.
Far from being upset, those from the industry who were in attendance at the academic challenge were pleased to learn of the security issues.
“The findings…were handed over to automakers so they can take it back to their engineers, and they’ve been happy with what was discovered,” Sonalker said.
“Hopefully, this is something the auto industry understands: This means people are watching and we have to do a great job with new technology in putting all the protections in from day one,” Sonalker said.
But Markey’s report, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” accused the auto industry of neglecting security and privacy gaps.
The report is based on responses from 16 major automakers to questions from the lawmaker about security and privacy vulnerabilities, and cited a 2013 Defense Advanced Research Projects Agency (DARPA) study. That study included two researchers who were able to connect a laptop to two different vehicles’ computer systems using a cable, send commands to different electronic control units (ECUs) through the vehicle CAN. That allowed them to control the engine, brakes, steering and other critical vehicle components.
“Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers,” the Markey report said.
In fact, most automobile manufacturers were unaware of or unable to report on past hacking incidents, according to the report.
Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, the report said, “and most say they rely on technologies that cannot be used for this purpose at all.”