X

Hacking a car (Q&A)

A group of researchers discover that, just like PCs, cars can be hacked. However, they say the risk is fairly low--for now.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
4 min read

The researchers were able to display their own message and a false speedometer reading on a car that was parked. "Experimental Security Analysis of a Modern Automobile"

In the near future, you may be more worried about a hacker attack on your car than on your PC.

A group of researchers from two universities tested their hacking skills on two cars and found that they could remotely lock the brakes, the engine, and windows on a car; turn on the radio, heat, and windshield wipers; honk the horn; and change the speedometer display.

They were able to do all of that in tests on two cars of unnamed make and model by connecting a laptop to the electronic control system and controlling that computer wirelessly using a second laptop in a separate car.

The paper (PDF) will be presented by researchers at the University of Washington and the University of California at San Diego at the IEEE Symposium on Security and Privacy in Oakland, Calif., on Wednesday.

"Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input," the paper says.

In an interview with CNET on Friday, two of the researchers--Stefan Savage of UCSD and Tadayoshi Kohno of the University of Washington--talked about the tests and what their findings mean for drivers today.

Q: I'd like to know more about what you did for the research. Did you have to have physical access to the car, or is there a way this could be done remotely?
Savage: In the paper we didn't focus on the different ways that one could do it. The paper focuses on the question of if someone were able to gain access to the car, how resilient would it be in our scenario? We connected our computer to the on-board diagnostics port--it's standard and is located under the dashboard on the driver's side.

Kohno: This paper is not focusing on the specific threats. We are focusing on understanding the evolution of cars in the hopes that the industry can protect against adverse things happening in the future.

Savage: If you look at PCs in the early 1990s, they had all kinds of latent software vulnerabilities. It didn't matter so much because PCs were at home and not connected to everything else. Then they were connected to the Internet and the latent vulnerabilities were exposed to outside attack. We see cars moving in much the same direction. There is a strong trend to provide pervasive connectivity in cars going forward. It would be good to start working on hardening these systems and providing defenses before it becomes a real problem.

Can you give me a scenario where a car would be compromised?
Savage: You could have an adversarial mechanic or a jealous boyfriend or girlfriend who temporarily has access to the car. They could connect to this component, download onto the car, disconnect, and the code could do their bidding. I think at this point these attacks are much more fantastical than a real thing people need to be concerned about today.

Kohno: Today everyone is focusing on Web security and botnets. We want to make sure that in 5 or 10 years we don't add cars to that list.

You have written a tool that enables this type of attack, called CarShark, right?
Kohno: The tool captures a lot of what we did. It's a software tool we wrote. It runs on a computer that plugs into the OBD-II (On-Board Diagnostics II) port and it can sniff (and inject) packets on the network.

Couldn't someone use that tool to compromise a car?
Savage: We're not releasing it.

But there are ways to do this remotely, right?
Savage: We're trying to find a balance in the research. We're not interested in taking an alarmist tone. We purposely are not focusing on that aspect here. Can I imagine it's doable? Yes. In the end it's all software, and software on your car is not fundamentally different from software on your PC.

Do you think anyone is actually doing anything like this, other than for legitimate research purposes?
Kohno: We have no reason to believe this is an issue today. One of our goals is to stay ahead of the bad guys before the threats really do manifest.

Have you talked to the car manufacturers about this?
Savage: We talked with the appropriate parties, which we can't name.

Did they take this seriously or dismiss it?
Savage: Everyone we've talked to has taken it seriously and been very positive.

Anything else you would like to add?
Kohno: It's a changing world of technology. Often when people hear the word "computer" they associate it with the meaning of laptop or desktop. And one of the things we'll see in the future is computer devices integrating themselves both literally and figuratively into our world. There will be computers integrated into cars, medical devices, homes, and the smart grid. And I think that we need to be proactively thinking about security issues, not just on the desktops with botnets and Web browsing, but think about where our computers will be in the future and what we can do today to protect them. This research on cars is part of that.