Automobile computer systems successfully hacked

May 20, 2010

Researchers have managed to hack into vehicle computer systems and remotely take control of a car on the move

The alarming number of safety recalls appearing in headlines of late is worrying enough. Now researchers have shown that it's possible to take away driver control of a moving vehicle by remotely hacking into relatively insecure computer systems common in modern automobiles. The team managed to break into key vehicle systems to kill the engine, apply or disable the brakes and even send cheeky messages to radio or dashboard displays.

Many of the safety, efficiency and performance improvements seen in today's automobiles have been achieved with the help of the numerous computerized systems monitoring and controlling various aspects of what makes up a modern car. According to an article in IEEE Spectrum last year, an "S-class Mercedes-Benz requires over 20 million lines of code alone" and "contains nearly as many ECUs as the new Airbus A380 (excluding the plane’s in-flight entertainment system)." The author notes that cars will soon "require 200 million to 300 million lines of software code."

The search for security holes

With the vast majority of registered cars in the U.S. having key components controlled by computer technology and completely autonomous vehicles currently in development, a couple of research teams from the Computer Science and Engineering departments of the University of Washington and the University of California San Diego decided to fill a gap in automotive security research and look at whether such systems were vulnerable to the kind of attacks which have plagued Internet-connected computers for years.

Coming together as the Center for Automotive Embedded Systems Security, the Washington team led by Professor Tadayoshi Kohno and the San Diego team led by Professor Stefan Savage first bought a couple of 2009 test cars containing "a large number of electronically-controlled components and a sophisticated telematics system."

Direct access to internal systems was achieved by connecting a laptop to the on-board diagnostics port, which is now mandatory in the United States and "provides direct and standard access to internal automotive networks." Attached to these networks are all sorts of sensors, diagnostics and wireless systems - many of which can be directly upgraded by a user - which could be used to attack or control automotive subsystems.

The research team then developed Controller Area Network (CAN) protocol sniffing software to locate, observe, monitor and subsequently take advantage of security weaknesses to bypass rudimentary protection within the car and take over aspects of control from the driver. Perhaps more worryingly, they also managed to plant malicious code which would completely erase its tracks after any crash.

The specially developed CarShark CAN sniffer software

Systems failure

For the actual experiments, components were stripped out and bench tested under laboratory conditions, in a stationary vehicle and with live road tests on a closed track. The team managed to bring a wide range of systems under external control, from the engine to brakes to locks to the instrument panel to (the first to fall) the radio and its display. The attackers posted messages, initiated annoying sounds and even left the driver powerless to control radio volume.

The Instrument Panel Cluster/Driver Information Center fared no better. As well as displaying cheeky messages, the team altered the fuel gauge and speedometer readings and adjusted panel illumination, and in one experiment a 60-second countdown clock was displayed on the dashboard. When time ran out, the engine died and the door locks engaged. Subsequent hacks took over the Engine Control Module, which led to uncontrollable engine revving, readout errors and complete disabling of the engine.

Taking control of key systems whilst on the move

As if the spirit of John Carpenter's "Christine" was alive and well, the team was also able to "lock and unlock the doors; jam the door locks by continually activating the lock relay; pop the trunk; adjust interior and exterior lighting levels; honk the horn (indefinitely and at varying frequencies); disable and enable the window relays; disable and enable the windshield wipers; continuously shoot windshield fluid; and disable the key lock relay to lock the key in the ignition."

Even the Electronic Brake Control Module was no match for the onslaught, with both individual and sets of brakes locked up at a whim. Equally worrying, the researchers were also able to completely disengage the brakes "even with car’s wheels spinning at 40 MPH while on jack stands" in the lab and then out on the test track (a de-commissioned airport runway) "forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly." The track test car had a laptop connected to the CAN bus via the OBD-II port which allowed a chase vehicle's laptop to wirelessly control in-car systems.

Open to attack

The research team concluded by saying that they "have endeavored to comprehensively assess how much resilience a conventional automobile has against a digital attack mounted against its internal components. Our findings suggest that, unfortunately, the answer is 'little'."

The team had "expected to spend significant effort reverse-engineering, with non-trivial effort to identify and exploit each subtle vulnerability. However, we found existing automotive systems - at least those we tested - to be tremendously fragile. Indeed, our simple fuzzing infrastructure was very effective and to our surprise, a large fraction of the random packets we sent resulted in changes to the state of our car."
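The fuzzing result quoted above also points at what a defender can watch for on the bus: frames with arbitration IDs or payload lengths never seen in normal traffic, arriving in bursts. The following is an added example, not code from the article or the research paper; it assumes traffic captured in the candump-style log format, and the function names and all frame values are constructed for illustration.

```python
import re

# candump -l style log line: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse(line):
    """Return (timestamp, arbitration_id, payload) or None for a malformed line."""
    m = LINE.match(line.strip())
    if not m or len(m.group(3)) % 2 or len(m.group(3)) > 16:  # classic CAN: 0-8 bytes
        return None
    return float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def learn_baseline(lines):
    """Map each arbitration ID seen in known-good traffic to its payload lengths."""
    baseline = {}
    for frame in filter(None, map(parse, lines)):
        baseline.setdefault(frame[1], set()).add(len(frame[2]))
    return baseline

def detect(lines, baseline, window=1.0, burst=3):
    """Flag unknown IDs, odd payload lengths, and bursts of unknown IDs."""
    alerts, recent = [], []  # recent: timestamps of unknown-ID frames in the window
    for frame in filter(None, map(parse, lines)):
        ts, can_id, data = frame
        if can_id not in baseline:
            alerts.append((ts, "unknown_id", can_id))
            recent = [t for t in recent if ts - t <= window] + [ts]
            if len(recent) == burst:  # fires once per burst
                alerts.append((ts, "fuzz_like_burst", None))
        elif len(data) not in baseline[can_id]:
            alerts.append((ts, "unexpected_length", can_id))
    return alerts

# Constructed sample traffic (not taken from any real vehicle).
BASELINE_LOG = [
    "(0.000000) can0 0C1#0011223344556677",
    "(0.010000) can0 1A0#0102",
    "(0.020000) can0 0C1#0011223344556678",
    "(0.030000) can0 2F5#FF",
]
CAPTURE = [
    "(5.000000) can0 0C1#0011223344556679",
    "(5.010000) can0 1A0#010203",
    "(5.020000) can0 3E7#DEADBEEF",
    "(5.030000) can0 51B#00",
    "(5.040000) can0 7A2#A5A5A5A5A5A5A5A5",
    "(5.050000) can0 2F5#FF",
]

if __name__ == "__main__":
    for alert in detect(CAPTURE, learn_baseline(BASELINE_LOG)):
        print(alert)
```

A baseline of this kind only covers IDs and lengths; a frame that reuses a known ID with a valid length passes unnoticed, so it complements rather than replaces controls on the bus itself.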

As more manufacturers announce intentions to open up vehicle-to-vehicle and vehicle-to-infrastructure communications networks to third party development, the potential attack window could open even further. It is hoped that, after the research paper, entitled "Experimental Security Analysis of a Modern Automobile", is presented at the IEEE Symposium on Security and Privacy in Oakland, manufacturers will take measures to tighten automotive system security.

About the Author
Paul Ridden: While Paul is loath to reveal his age, he will admit to cutting his IT teeth on a TRS-80 (although he won't say which version). An obsessive fascination with computer technology blossomed from hobby into career before the desire for sunnier climes saw him wave a fond farewell to his native Blighty in favor of Bordeaux, France. He's now a dedicated newshound pursuing the latest bleeding edge tech for Gizmag.

16 Comments

This is one of the main reasons a computer controlled car is a BAD idea, imagine having total control of your car taken away from you because someone has hacked into the systems...the results could be catastrophic...

marshall91t
20th May, 2010 @ 03:56 am PDT

This is a scare story for the technically uninitiated. In order to "Hack" an automotive system you have to have physical access. That means you have to be in the car with your computer hooked up to the diagnostic port. While some prankster could break into your car and wreck the ecu programming, it isn't going to happen as you are driving down the street as many would assume from the headline. The first key to computer security is controlling physical access. No system, regardless of how it is configured is safe if the hacker can gain physical access to the computer.

So don't worry, your Honda is safe.

r4990
20th May, 2010 @ 05:31 am PDT

I'm confused. The lead paragraph suggests that they can control a car remotely, implying they can do that to any car at will.

The article states they modified the car to accomplish this. "The track test car had a laptop connected to the CAN bus via the OBD-II port which allowed a chase vehicle's laptop to wirelessly control in-car systems."

Sort of like breaking into a house, rewiring the security system, then claiming you can control any house's security system. Or network.

cwolf88
20th May, 2010 @ 08:11 am PDT

This looks like a traffic cop's dream. Also how long before the government is able to track everybody's movements?

windykites1
20th May, 2010 @ 02:37 pm PDT

John Carpenter's "Christine"

Uh, it was Stephen King's, Christine!

This is most telling:

"a large fraction of the random packets we sent resulted in changes to the state of our car."

Makes you say Hmmmmm.

Ed
20th May, 2010 @ 04:46 pm PDT

There already are small diagnostic devices that plug onto the OBD-II connector in a car and wirelessly transmit data by Bluetooth radio.

Not such a leap from there for hackers to build a similar device able to receive commands and take control of various functions of today's over-computerized cars.

Physical access to the interior of the vehicle would be required to install the device, which would only take a few seconds. The connector is supposed to be located within a foot of the center of the dash, on the driver's side. Some cars (mostly Chryslers) ignore the location rule and put the connector out next to the door.

In any case the connector is often tucked underneath the bottom of the dash, often with a removable panel to conceal it. Those wireless diagnostic devices are small enough for most of the cover panels to be installed over them.

A driver would have to know where the OBD II connector is located then get down low and look for it to see if there's anything plugged in. Not something you could notice just getting in a car normally, especially on newer models. Some earlier ones, where adherence to the plug location rules was less lax, the connector could be seen peeking out at the bottom edge of the dash.

So if you're paranoid and drive a car with lots of computer controlled functions, find out where the diagnostic plug is and check to make sure nothing is plugged into it.

'Course the really determined assassins will hide their remote control hack by splicing into the wires behind the diagnostic plug... ;) But the simple "plug and hax0r" module would be easy to remove undetected at the scene of a crash where a hard wired version would be rather obvious to any investigator looking for such.

But in any case what is NOT possible (yet) is remote control of all functions as seen in movies like "After the Sunset", because the two way wireless communication and other required hardware is not built into any production vehicle.

Facebook User
20th May, 2010 @ 05:38 pm PDT

@r4990: Oh, I don't know. A hacker gaining access to a computer with a 512-bit encrypted Raid 0 1 array seems like it would still be very secure without the decryption algorithm if it was to say, be stored on a USB drive.

Facebook User
20th May, 2010 @ 11:57 pm PDT

this hacking not fully true. obdii protocols very changes car by car. can bus systems only listening solution and car configuration not simply.

ömer Koman
21st May, 2010 @ 05:00 am PDT

We are OWN ur systems! Now I wonder if Toyota was sabotaged for profit? OK, here goes another conspiracy theory!

Will, the tink
21st May, 2010 @ 11:21 pm PDT

Hey r4990! You don't have to have physical access. Ever heard of "Onstar"??

Will, the tink
21st May, 2010 @ 11:25 pm PDT

Not much different than what things were like back before computers in cars, as long as you had physical access to the car: one could cut brake lines, put in explosives, puncture tires for a slow leak, drain fuel.

I don't see what the big deal is.

THE SKY IS FALLING, THE SKY IS FALLING!!!

matthew.rings
23rd May, 2010 @ 10:54 pm PDT

"John Carpenter's "Christine"

Uh, it was Stephen King's, Christine!"

Just so you know: Stephen King did write the Book but John Carpenter directed the Movie.

Mr Nice Guy
26th May, 2010 @ 09:01 am PDT

this is real and being done on the street too! i've got a motorcycle and they keep shutting off the ecm as well as blowing the wind and screwing with my gas mileage. i'm supposed to get about 60 mpg but with the hackers i only get about 35-40. the wind dampener system that comes standard in all autos when the wind blows the computer automatically adjusts the suspension to lessen the blow..they can knock the bike over with it. the abs system cause the tire to sweep the pavement, they reprogram that to be part of the traction control and bump assist when i hit a bump the computer thinks its the brake slipping and starts turning the wheel fastly side to side...the fast power drain on the battery for electrical fires, kills the battery so even after a long ride the battery is dead and the alternator has been working overtime trying to charge it.

who's gonna secure this for me...i'm so sick of the wind blowing every time i drive past one of those self appointed cops from mexico or china. nobody else does this...i guess its just the dog coming from nowhere and nothing to all this freedom!

A_Nony_mouse
28th May, 2010 @ 10:14 am PDT

Never mind the fact someone needs access to your car physically. With GPS technology and our Governments world wide hell bent on controlling everyone and everything, most definitely in years to come you'll enter your local major road and your car will automatically be "engaged" into the road network and everyone will be doing the same speed. Don't believe me? trials have been going on in Sydney for a couple of years now mapping the streets just like google. Once all older vehicles that don't have fly by wire throttle, steering, etc. are phased out completely, then it will take effect. Only have to look at all the vehicles that are coming out are coming out with said technology. Even motorbikes and trucks as well as cars. Don't say you weren't warned. I say hang on to as much of the old stuff as we can.

turbowarrior
2nd June, 2010 @ 05:17 pm PDT

I am a fully licensed mechanic from Quebec, I have worked for dealerships and this is a very real thing. On Star from GM for example can correct certain parameters that are in layman's terms called "limp in mode" to keep an engine running to the nearest garage in some cases of sensor failure. Example, if a cam sensor is going out, the engine will be put into limp in mode and on-star will direct driver to nearest dealer to their location. On Star will set the parameters to take over the fine tuning the cam sensor inputs for multi sequential injection. Engine will not respond as before but will be drivable. Now I'm not saying your airbag will deploy at 30mph or that the gas tank will explode. I'm just saying that if some of this software was to fall into some pimply faced kid's hand with some malicious intent, he might just be able to repeat what these engineers did. As for what was written in an earlier post about self driving cars, this technology is already at nissan's disposal, and yes tests are already in final stages. Just waiting to weed out older cars non-compliant to safety regulations. I even imagine that we are closer to this than we think as the gov' will probably allocate certain roads to non-compliant cars. Other systems Nissan has developed is engine disable if driver is under the influence by reading three inputs to allow engine start-up. 1= Will read eye retinal response. 2=sensors in steering wheel to sense alcohol content in sweat from palms. 3=Seat pads will read same. Mercedes has now also done away with spark plugs altogether by way of a head gasket with high intensity circuit integrated in it. So all this needs some form of extensive programming and the engineers have simply not integrated any form of protection to wi-fi products in today's vehicles as they did not feel the NEED to! Le mecano du nord.

Classe a mecano
9th August, 2010 @ 11:32 pm PDT

my question is this.... How much control can be taken away from the computer? One of the issues I'm curious about is the engine control. I have come up with a way to generate hydrogen on the fly (30 year old technology, btw) and the various sensors make it difficult to get around the puters control (as I'm sure that is the ONLY reason for the computers in the 1st place). The cars today are NOT more efficient than the 60's cars. The cars today are lighter, more streamlined, set lower and they are geared for the highway (mega overdrive) and not for the drag strip as were the muscle cars. I can take a 1968 Z28, lower it, strip 1000 lb's, add a 6 speed tranny (approx 2100 RPM's at 65mph in high gear) and slap a catalytic converter on it and presto....Bumble Bee would have his hands full...lol. While hydrogen is a good choice for fuel, converting a car manufactured after about 1977 or so, might not be an easy task. If you could remove engine control from the computer without messin something else up that the puter is controlling, it would be worth converting.......Peace

Jaybee Jbee
18th October, 2012 @ 01:43 pm PDT