Researchers at the University of California, San Diego, and the University of Washington have spent the past two years combing through the myriad computer systems in late-model cars, looking for security flaws and developing ways to misuse them. In a new paper, they say they’ve identified a handful of ways a hacker could break into a car, including attacks over the car’s Bluetooth and cellular network systems, or through malicious software in the diagnostic tools used in automotive repair shops.
But their most interesting attack focused on the car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe. “It’s hard to think of something more innocuous than a song,” said Stefan Savage, a professor at the University of California.
Last year Savage and his fellow researchers described the inner workings of the networks of components found in today’s cars, and they described a 2009 experiment in which they were able to kill the engine, lock the doors, turn off the brakes and falsify speedometer readings on a late-model car.
In that experiment, they had to plug a laptop into the car’s internal diagnostic system in order to install their malicious code. In this latest paper, the objective was to find a way to break into the car remotely. “This paper is really about how challenging is it to gain that access from the outside,” Savage said.
They found lots of ways to break in. In fact, attacks over Bluetooth, the cellular network, malicious music files and via the diagnostic tools used in dealerships were all possible, if difficult to pull off, Savage said. “The easiest way remains what we did in our first paper: Plug into the car and do it,” he said.
But the research shows how completely new types of automotive attacks could be on the horizon. For example, thieves could instruct cars to unlock their doors and report their GPS coordinates and Vehicle Identification Numbers to a central server. “An enterprising thief might stop stealing cars himself, and instead sell his capabilities as a service to other thieves,” Savage said. A thief looking for certain kinds of cars in a given area could ask to have them identified and unlocked, he said.
In their report, the researchers don’t name the make of the 2009 model car they hacked.
Savage and the other researchers presented their work to the National Academy of Sciences Committee on Electronic Vehicle Controls and Unintended Acceleration, which is studying the safety of electronic automotive systems in the wake of last year’s massive Toyota recall. That recall was prompted by reports of unintended acceleration in Toyota vehicles, a problem that was once thought to have been connected to electronic systems but ultimately was blamed on floor mats, sticky gas pedals and driver error.
With the high technical barrier to entry, the researchers believe that hacker attacks on cars will be very difficult to pull off, but they say they want to make the auto industry aware of potential problems before they become pervasive.
Car hacking is “unlikely to happen in the future,” said Tadayoshi Kohno, an assistant professor with the University of Washington who worked on the project. “But I think the average customer will want to know whether the car they buy in five years … will have these issues mitigated.”
Another problem for would-be car thieves is the fact that there are significant differences among the electronic control units in cars. Even though an attack might work on one year and model of vehicle, it’s unlikely to work on another. “If you’re going to hack into one of them, you have to spend a lot of time, money and resources to get into one software version,” said Brian Herron, vice president of Drew Technologies, an Ann Arbor, Michigan, company that builds tools for automotive computer systems. “It’s not like hacking Windows, where you find a vulnerability and go after it.”
So far, carmakers have been very receptive to the university researchers’ work and appear to be taking the security issues they’ve raised very seriously, Savage and Kohno said.
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com