Car electronics easily hacked says research

The many computer systems found within modern day cars are vulnerable to attack, according to a team of researchers from the University of California-San Diego and the University of Washington. Amongst other things, the researchers were able to turn a car's instrument panel into a 60 second countdown clock, which honked the horn as it reached zero before turning the engine off and locking the doors.

Led by Professor Stefan Savage from the University of California-San Diego, and Tadayoshi Kohno from the University of Washington, the researchers goal was to find out just how difficult it would be to take control of a modern car. Concentrating on the ECUs (electronic control units), of which there can be up to 70 containing over 100MB of code between them, the team soon found out just how easy it was to manipulate a cars behaviour.

Connecting to the car via the communication ports built-in as standard - so mechanics can gather data for servicing - the attackers then used a program they created called CarShark, which allowed them to first monitor what information the various ECUs sent, before sending their own data so as to manipulate the vehicle and see how much could be controlled.

The team soon found that there was little that couldn't be controlled. As reported by the BBC, the researchers were able to disable the brakes completely, engage them while in motion, turn off the engine, lock the doors and more. Almost every system, from the engine right through to the air condition, was vulnerable to attack. It was found that even sending malformed packets of data could result in a response from the vehicle.

Fortunately, in order to successfully take control of a car a hacker would still need to gain physical access to the communication ports. However, with many everyday objects hooking up to the Internet there is definitely room for a future risk from this kind of attack.

Talking about the researchers findings, Rik Fergson, a security analyst at Trend Micro said that, "As cars, and everything else in life up to and including even pacemakers or fridges, become steadily more connected and externally accessible, research such as this should be taken increasingly seriously by manufacturers." He added, "This represents an opportunity to head off a problem before it starts, in the not-too-distant future it may represent a real risk to life."

The research team will be presenting their findings at the IEEE Symposium on Security and Privacy in California on May 19th.

Report a problem with article
Previous Story

HTC Mondrian specs leak; Windows Phone 7, 1.3 GHz processor?

Next Story

Nintendo Wii receives the American Heart Association's seal of approval

32 Comments

Commenting is disabled on this article.

sweet.

so I just put my netbook in the car with bluetooth & data SIM and it connects to the ecu and starts up telnet server? then I download internet R/C from iTunes app store and put on my iPhone..

then I can take control of car and drive? wonder if theres option to switch from tilt to button pressing... hmm.

Awesome.. Everyone have an R/C car! have to install front webcam. reverse likely have backup cam arleady we can use

Be awesome. Im'a get me a ford, cuz the TV advertisements sold me. Then drive it with my iPhone 4G so I can see in front and back

The thing that interests me is being able to get access to the odometer and being able to roll it back. I swear Dodge is screwing me out of my warranty with it. I hardly drive my van and the Km's are piling up.

Think hacking car is bad? Think again...

The part that scares me is the Medical devices. From the IV controller used in the hospital to Pace maker, and/or Insulin pumps. A lot of them have legit need to be on wireless/wire network. And most of them are not secured. Don't tell me those script kiddies are smart enough not to hack them or are ethical enough to leave those devices alone.

Oh no! Hackers can lift the bonnet of my car plug in a laptop and disable my brakes?!

Basically the same thing you can do with a hammer or a wrench? Lol

During a recent service visit it took the mechanics an hour to tell my car about a new keyless entry key via a ToughBook with a PCMCIA adaptor to the cars data port.

It's more likely that Sync with it's Bluetooth and USB will be hacked first. There have been rumors of bluetooth viruses in the pas, but as I recall they were debunked: http://www.securityfocus.com/news/11129

Whats worse is people are already using said usb connection to turn down the mileometer in the car when selling 2nd hand theres been a good bit about this on TV recently.

So yeh why wouldnt the next step be to "hack" a car.

How is this news *today*? Check out mp3car people have been able to build their own custom CarPC that controls everything over the CAN Bus and implements features that even the manufacturer didn't bother.
I plan to do the same with my car once I buy a canusb adapter...

This is nothing new and is completely obvious. They essentially just replaced the ecu. I'd be surprised if it didn't control the car. Instead of man in the middle, its more like kicking the other man out and wearing a disguise.

Funny this article was mentioned. I was in my Kia the other day thinking to myself..."hmm..I wonder if the sourcecode for this car is written in Korean or another language." It would be cool to see what kinds of things can be done with it in a non-malicious way. I know there are probably kits to do it, but why not make your own?

For the article though - what is to prevent say a mechanic with nefarious reasons wanted to trigger an event in the car say about 3 weeks down the road to bring the car back in? This would in my opinion be good enough to want to try to harden the systems a bit.

Medfordite said,
Funny this article was mentioned. I was in my Kia the other day thinking to myself..."hmm..I wonder if the sourcecode for this car is written in Korean or another language."

You need to get out more. You should be thinking more about how hot that blonde stacked mum was that you just passed coming out of Mothercare

hacking isn't limited to online only.

this type of attack could be used in a variety of ways in the real world from various motivations.

and people who expect this kind of attack while they're actually inside the car and operating it are lol. unless your car is in a locked garage there's very little stopping someone from carrying out this kind of attack while you're asleep, in the mall or otherwise not in your vehicle and not paying attention to it.

treemonster said,
hacking isn't limited to online only.

this type of attack could be used in a variety of ways in the real world from various motivations.

and people who expect this kind of attack while they're actually inside the car and operating it are lol. unless your car is in a locked garage there's very little stopping someone from carrying out this kind of attack while you're asleep, in the mall or otherwise not in your vehicle and not paying attention to it.

They could always just *ahem* hack through your brake lines, does that count as an offline hack?

Fortunately, in order to successfully take control of a car a hacker would still need to gain physical access to the communication ports. However, with many everyday objects hooking up to the Internet there is definitely room for a future risk from this kind of attack.

And here, we have your answer. Just a scare.

Brandon said,

And here, we have your answer. Just a scare.

Yeah, I don't see anyone implementing a TCP/IP stack under my bonnet anytime soon!

njlouch said,

Yeah, I don't see anyone implementing a TCP/IP stack under my bonnet anytime soon!

Yup unless they start implement more wireless functions into the cars we should ok for now.

Brandon said,
And here, we have your answer. Just a scare.

Who's to say someone couldn't develop a wireless device to plug into the maintenance port that would allow said hacker to control the vehicle remotely? That would only require a few seconds of access to the vehicle to connect the device, rather than a constant connection. Seems plausible to me...

Biglo said,

Yup unless they start implement more wireless functions into the cars we should ok for now.


Dodge Caravan now has a WIFI antennas. They have a paid for service where your van becomes a WIFI hotspot and can receive MobiTV and use the internet while on the road...

chisss said,

Dodge Caravan now has a WIFI antennas. They have a paid for service where your van becomes a WIFI hotspot and can receive MobiTV and use the internet while on the road...

No, you can't think that they'd have hooked it up to the EPU, that'd just have been really stupid and careless of dodge saving them money when building them....

chisss said,

Dodge Caravan now has a WIFI antennas. They have a paid for service where your van becomes a WIFI hotspot and can receive MobiTV and use the internet while on the road...

Fair enough, but is the on-board computer connected to that WiFi service? I'd think not as there really wouldn't be much of a reason to do so. Problem solved due to the fact the problem didn't exist in the first place.