The alarming number of safety recalls appearing in headlines of late is worrying enough. Now researchers have shown that it's possible to take away driver control of a moving vehicle by remotely hacking into relatively insecure computer systems common in modern automobiles. The team managed to break into key vehicle systems to kill the engine, apply or disable the brakes and even send cheeky messages to radio or dashboard displays.
Many of the safety, efficiency and performance improvements seen in today's automobiles have been achieved with the help of the numerous computerized systems monitoring and controlling various aspects of what makes up a modern car. According to an article in IEEE Spectrum last year, an "S-class Mercedes-Benz requires over 20 million lines of code alone" and "contains nearly as many ECUs as the new Airbus A380 (excluding the plane’s in-flight entertainment system)." The author notes that cars will soon "require 200 million to 300 million lines of software code."
The search for security holes
With the vast majority of registered cars in the U.S. having key components controlled by computer technology and completely autonomous vehicles currently in development, a couple of research teams from the Computer Science and Engineering departments of the University of Washington and the University of California San Diego decided to fill a gap in automotive security research and look at whether such systems were vulnerable to the kind of attacks which have plagued Internet-connected computers for years.
Coming together as the Center for Automotive Embedded Systems Security, the Washington team led by Professor Tadayoshi Kohno and the San Diego team led by Professor Stefan Savage first bought a couple of 2009 test cars containing "a large number of electronically-controlled components and a sophisticated telematics system."
Direct access to internal systems was achieved by connecting a laptop to the on-board diagnostics port, which is now mandatory in the United States and "provides direct and standard access to internal automotive networks." Attached to these networks are all sorts of sensors, diagnostics and wireless systems - many of which can be directly upgraded by a user - which could be used to attack or control automotive subsystems.
The research team then developed Controller Area Network (CAN) protocol sniffing software to locate, observe, monitor and subsequently take advantage of security weaknesses to bypass rudimentary protection within the car and take over aspects of control from the driver. Perhaps more worryingly, they also managed to plant malicious code which would completely erase its tracks after any crash.
For the actual experiments, components were stripped out and bench tested under laboratory conditions, in a stationary vehicle and with live road tests on a closed track. The team managed to bring a wide range of systems under external control, from the engine to brakes to locks to the instrument panel to (the first to fall) the radio and its display. The attackers posted messages, initiated annoying sounds and even left the driver powerless to control radio volume.
The Instrument Panel Cluster/Driver Information Center faired no better, as well as cheeky messages, the team altered the fuel gauge and speedometer readings, adjusted panel illumination and in one experiment, a 60-second countdown clock was displayed on the dashboard. When time ran out, the engine died and the door locks engaged. Subsequent hacks took over the Engine Control Module which lead to uncontrollable engine revving, readout errors and complete disabling of the engine.
As if the spirit of John Carpenter's "Christine" was alive and well, the team was also able to "lock and unlock the doors; jam the door locks by continually activating the lock relay; pop the trunk; adjust interior and exterior lighting levels; honk the horn (indefinitely and at varying frequencies); disable and enable the window relays; disable and enable the windshield wipers; continuously shoot windshield fluid; and disable the key lock relay to lock the key in the ignition."
Even the Electronic Brake Control Module was no match for the onslaught, with both individual and sets of brakes locked up at a whim. Equally worrying, the researchers were also able to completely disengage the brakes "even with car’s wheels spinning at 40 MPH while on jack stands" in the lab and then out on the test track (a de-commissioned airport runway) "forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly." The track test car had a laptop connected to the CAN bus via the OBD-II port which allowed a chase vehicle's laptop to wirelessly control in-car systems.
Open to attack
The research team concluded by saying that they "have endeavored to comprehensively assess how much resilience a conventional automobile has against a digital attack mounted against its internal components. Our findings suggest that, unfortunately, the answer is 'little'."
The team had "expected to spend significant effort reverse-engineering, with non-trivial effort to identify and exploit each subtle vulnerability. However, we found existing automotive systems - at least those we tested - to be tremendously fragile. Indeed, our simple fuzzing infrastructure was very effective and to our surprise, a large fraction of the random packets we sent resulted in changes to the state of our car."
As more manufacturers announce intentions to open up vehicle-to-vehicle and vehicle-to-infrastructure communications networks to third party development, the potential attack window could open even further. It is hoped that after the research paper, entitled "Experimental Security Analysis of a Modern Automobile", is presented at the IEEE Symposium on Security and Privacy in Oakland that manufacturers will take measures to tighten automotive system security.