Forget Car-Jacking: Car-Hacking Is the Crime of the Future
Sticking accelerator pedals were just the beginning. Soon you might lose control of your car not because of a technical failure, but because someone hacked into it from afar.
Tomorrow at a security conference in California, Stefan Savage and his team will present their research showing how they used the computer systems that oversee different systems in a car to break in and take control—braking and accelerating against the driver’s will.
The researchers concentrated their attacks on the electronic control units (ECUs) scattered throughout modern vehicles which oversee the workings of many car components. It is thought that modern vehicles have about 100 megabytes of binary code spread across up to 70 ECUs [BBC News].
The software Savage’s team created, called CarShark, took advantage of the fact that ECUs must communicate between different systems. Electronic Stability Control, for instance, must talk to the brakes, accelerators, and wheels; Active Cruise Control and systems that parallel park the car for you also rely on communication across many systems. The team inserted fake packets of data into the lines of communication to seize control of a car, Savage says.
He and co-researcher Tadayoshi Kohno of the University of Washington, describe the real-world risk of any of the attacks they’ve worked out as extremely low. An attacker would have to have sophisticated programming abilities and also be able to physically mount some sort of computer on the victim’s car to gain access to the embedded systems. But as they look at all of the wireless and Internet-enabled systems the auto industry is dreaming up for tomorrow’s cars, they see some serious areas for concern [BusinessWeek].
Savage said he and his team wanted to get a head start on the problem of car-hacking, which is sure to arise when hackers get the chance, especially with more wireless access. In small ways it has already started: A couple of months ago an Austin, Texas, man who was fired by a car dealership broke into the remote system that the dealer used to torment people who were delinquent on their payments by honking the horn or otherwise annoying them. About 100 people found their cars inoperable, or honking like mad, after his hack.
The researchers said they did not address the question of the defenses the cars might have against remote access, but said the experience of the PC industry, which did not have extensive security problems until computers became networked, was worth remembering. “To be fair, you should expect that various entry points in the automotive environment are no more secure in the automotive environment than they are in your PC,” Mr. Savage said [The New York Times].
Car companies should probably address this issue before they offer us the networked “road trains” of the future.
Image: Savage et. al.