5 of the Most Noteworthy Car Hacks

Liz Slocum Jensen · February 27, 2015


Car hacking is a hot topic that sparks discussion even though there has never been a confirmed case of a malicious attack. Fortunately, the most notable car hacks have been research-motivated work by some of the best security experts in the world, and they offer insights and suggestions on how carmakers can address the vulnerabilities in their cars. I’ve read every research paper and watched every video presentation of the 5 most noteworthy research studies on car hacking. Below, I summarize the highlights of each study, including the major findings, their suggested actions, and my analysis.

TL;DR

These hacks show that with enough time, resources, and expertise, car hacking is possible at various points in the telematics system. The telematics systems vary from carmaker to carmaker and even among models and years of the same carmaker. This means that you can’t hack once and deploy that hack everywhere. A popular experiment across these studies was to show that if you flood the ECU with data packets, you can disable the ECU and the car is still driveable. These security experts offer suggestions on how to mitigate attacks. After that, the best anti-malware solution is you.

Comprehensive attack of mechanics tools, CD players, Bluetooth and cellular radio

This 2010 study, conducted by the Department of Computer Science and Engineering at UC San Diego and the University of Washington, demonstrated a wide variety of telematics vulnerabilities. While several previous studies addressed hypothetical telematics vulnerabilities, this is one of the first that provided experimental results of specific attacks.

Presentation at USENIX Security Symposium in August 2011

The full paper is here: Experimental Security Analysis of a Modern Automobile.

Major Research Findings

Researchers’ Suggested Actions

My Analysis

This study demonstrated some of the more astounding varieties of breaches into the car and the lack of authentication required to access the car systems. I agree with their conclusion that detecting anomalies in the systems, rather than prevention and total lock-down, is the more practical approach to security management. Computer security is about mitigating risk.

Tire Pressure Monitor Systems

In 2010, researchers at the University of South Carolina and Rutgers University successfully hacked the tire-pressure-monitoring system (TPMS), which consists of sensors inside a car’s tires that monitor pressure and a wireless antenna. Using low-end and openly available equipment, costing about $1500, the team was able to track a car’s movements and give false tire pressure readings to the dashboard.

Their presentation at USENIX Security Symposium in December 2010

The full paper is here: Experimental Security Analysis of a Modern Automobile.

Major Research Findings

Researchers’ Suggested Actions

My Analysis

This study was one of the first to prove that a remote attack is possible without first having physical access to the car. Still, this vulnerability is complex to access and manipulate. First, setting up to activate location tracking requires the vehicle to pass two checkpoints along the road. Second, the wireless tire sensors communicate infrequently - about once every 60 to 90 seconds. This makes manipulating the system difficult, especially if a vehicle is moving. At highway speeds, the research team could not maintain a warning light spoof beyond 6 seconds. While remote control of an ECU is possible, it is highly limited and does not affect the driveability of the car.

When I consider the practicality of a malicious attack, I’m skeptical. When your tire pressure gauge alerts you and you do not feel or hear the road in a way that indicates a flat, do you pull over immediately or do you drive to a safe place where you can assess and fix the problem? If you’re like me, you make a mental note to look at the tires later – sometimes much later.

The main actionable concern is that carmakers should use encryption since something as seemingly benign as a tire pressure gauge is a location-based unique identifier that consumers cannot deactivate and, therefore, does not have an opt-out option. After all, the UCSD/U of Washington study demonstrated that once the car is compromised, the entire system is compromised.

The DARPA-funded hack of a Toyota Prius and Ford Escape

In 2012, Dr. Charlie Miller, a security engineer at Twitter, and Chris Valasek, the director of security intelligence at the Seattle consultancy IOActive, received a grant from DARPA to find the vulnerabilities of cars. After a year of research, they were able to hack a 2010 Ford Escape and 2010 Toyota Prius by taking control of the horn, cutting the power steering, and spoofing the GPS and any displays on the dashboard.

The full paper is here: Adventures in Automotive Networks and Control Units.

Major Research Findings

2014 Followup Research on Remote Attacks

In September 2014, Miller and Valasek published their paper, A Survey of Remote Automotive Attack Surfaces, in which they present system diagrams of 21 different cars and expose the biggest vulnerabilities. They analyzed all of the computer-based systems, including the Passive Anti-Theft System (PATS), Bluetooth, and the Lane Keep Assist systems. They assert that attack surfaces and vulnerabilities, while present, are small for most of these systems.

The full paper is here: A Survey of Remote Automotive Attack Surfaces.

Major Research Findings

Check out their chart of the most hackable cars:

Researchers’ Suggested Actions

My Analysis

In the most vulnerable attack points, the researchers required physical access to the car. In the first study, they had to rip open the dashboard and interior in order to take control. In the second study, the biggest and most likely attack point that they cited was via the Bluetooth infotainment system, but they could not find a way to covertly pair a device without user interaction from inside the car. Most likely, this would require some social engineering instead of technical prowess. Both studies illustrate that the systems vary from carmaker to carmaker and even among models and years of the same carmaker. This means that you can’t hack once and deploy that hack everywhere. One of the most valuable takeaways from the second study is that attacks are detectable.
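The point that attacks are detectable, together with the packet-flooding experiment mentioned in the TL;DR, can be illustrated with a frame-rate check on CAN traffic. This is an added example, not code from any of the papers summarized here; it assumes `candump -L` style log lines, constructed sample traffic with arbitrary CAN IDs, and hypothetical `window` and `factor` thresholds.

```python
import re
from collections import defaultdict
from statistics import median

# candump -L log line: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#[0-9A-Fa-f]*")

def parse(lines):
    """Return time-ordered (timestamp, can_id) pairs, skipping malformed lines."""
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            out.append((float(m.group(1)), int(m.group(2), 16)))
    return sorted(out)

def learn_periods(frames):
    """Median inter-arrival time per CAN ID, learned from known-good traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, cid in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {c: median(g) for c, g in gaps.items() if median(g) > 0}

def detect(frames, baseline, window=1.0, factor=3.0):
    """Flag IDs absent from the baseline and IDs sending more than `factor`
    times their expected frame count within any `window` seconds."""
    alerts, recent = set(), defaultdict(list)
    for ts, cid in frames:
        if cid not in baseline:
            alerts.add(("unknown_id", cid))
            continue
        q = recent[cid]
        q.append(ts)
        while ts - q[0] > window:
            q.pop(0)
        if len(q) > factor * window / baseline[cid]:
            alerts.add(("rate", cid))
    return sorted(alerts)

def sample(cid, start, period, count):
    """Build constructed log lines for one ID (not a real capture)."""
    return [f"({start + i * period:.6f}) can0 {cid:03X}#0000000000000000"
            for i in range(count)]

# Constructed traffic; 0x244, 0x3B1 and 0x123 are arbitrary illustrative IDs.
BASELINE = learn_periods(parse(sample(0x244, 0.0, 0.1, 50) + sample(0x3B1, 0.0, 0.5, 10)))
NORMAL = sample(0x244, 100.0, 0.1, 20) + sample(0x3B1, 100.0, 0.5, 4)
FLOOD = NORMAL + sample(0x244, 100.5, 0.001, 200) + sample(0x123, 100.2, 1.0, 1)
```

Running `detect(parse(FLOOD), BASELINE)` reports the flooded ID and the ID that never appeared in the baseline, while the normal capture produces no alerts.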

The $27 car hack from DEF CON 2013

At DEF CON 21 in August 2013, Alberto Garcia Illera & Javier Vasquez Vidal presented how they hacked a car using a device that they built for $27.

Dude, WTF in my car?

Major Research Findings

My Analysis

This is for Do-It-Yourself engineers. You can spend many hours reverse engineering the codes or use an ELM327 + Torque app for about the same money. If you have a larger budget, you can buy the codes from carmakers. However, the codes are not necessarily accurate and they change often: year to year, model to model. For the most part, the breaches and discoveries from this study are applicable to most after-market devices that plug into the OBD-II.

Conclusions: The Car is Hackable. Now What?

Now that researchers have sufficiently proved that the car is hackable, now what? Are we focused on the most realistic attacks? The most compelling hacks are motivated by money. I don’t think black hat hackers will try to take control of a car in order to crash it. Instead, it is plausible that someone could breach cars to access Apple, Google, or Amazon account information, using the car platform as a starting point from which to steal credit card numbers and identities. However, it takes a lot of work just to hack one make and model of a car. If you watch the videos, each presenter mentions how difficult their project was. This brings me to the recurring conclusion that if there is malicious intent, there are much easier ways to attack a car. Finally, I assert that the best anti-malware is yourself as a vigilant online user.
