Tuesday, June 15, 2010
How Thieves Are Planning On Hacking Into Your Car
Securing your vehicle used to consist of making sure all the doors were locked, keeping valuable items hidden out of sight and parking it in a safe, preferably off-street location.
But a new generation of cars includes more tech wizardry than a jumbo jet, raising consumer concerns that vehicles are more vulnerable than ever to light-fingered criminals. In these times, however, those light fingers are more likely to be twiddling on a laptop or remote-entry system than sticking a wire clothes hanger through a cracked window.
A new study proves that the movement away from pure mechanization to digitization is exposing us to new opportunities for vulnerability. It's becoming increasingly easy to access all of a vehicle's controls from one central location. The car's ECU, or electronic control unit, is the brain of your grocery getter. A team of researchers from The University of Washington in Seattle and The University of California San Diego recently took on the task of seeing if they could control a car's systems through its ECU.
The two lead researchers for the project tested two identical 2009 model year vehicles (they did not reveal the name of the car), plugging their laptops into the controls for the ECU and running a software system. Their findings show that there are two main hacking threats to your car:
- Physical Access: "Someone -- such as a mechanic, a valet, a person who rents a car, an ex-friend, a disgruntled family member, or the car owner -- can, with even momentary access to the vehicle, insert a malicious component into a car’s internal network via the ubiquitous OBD-II port (typically under the dash). The attacker may leave the malicious component permanently attached to the car’s internal network or, as we show in this paper, they may use a brief period of connectivity to embed the malware within the car’s existing components and then disconnect."
- Wireless interfaces: "In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance. While outside the scope of this paper, we wish to be clear that vulnerabilities in such services are not purely theoretical. We have developed the ability to remotely compromise key ECUs in our car via externally-facing vulnerabilities, amplify the impact of these remote compromises using the results in this paper, and ultimately monitor and control our car remotely over the Internet."
After running tests using software with their laptops plugged in, the researchers were able to disable braking systems, control main vehicle functions and even turn off the engine, all while the test vehicle was traveling at speed.
Security In Today's Cars
Cars' vital functions, including steering, brakes and startup, largely run on a system of interconnected electronic control units that form the car's central nervous system. These units run on millions of lines of computer code. It's estimated that the average premium new car runs on about 100 million lines of computer code, while Boeing's new 787 Dreamliner requires just 6.5 million lines of code to function.
Representatives from the Big Three told us, not surprisingly, that they are working hard to make sure security and privacy are paramount. All the while, consumer demand is creating something of a supercomputer in every vehicle.
Ford, GM and Chrysler all have introduced wireless internet systems that allow consumers to surf the internet while in or around the vehicle and download music and road-trip directions to an in-car computer. Most in-car wireless systems work in much the same way as a home-internet wireless connection and require a password to gain entry to the network, said Chrysler's Nick Cappa. This basic step, he says, prevents almost all security breaches of the car's wireless system.
Cappa says that the system offered by Mopar as an option on certain Chrysler, Dodge and Jeep models is independent of, and not integrated with, a car's central electronics systems, including its hard drive and the media library.
"Think of it as a picnic table you can use in the vehicle but you can also detach and use outside the vehicle," he said.
Similarly, when a new user wishes to log in to Ford's wireless internet system, the driver must give their permission for a connection to be established, which prevents "piggybacking," according to company spokespeople. A music-encryption system also prevents anybody from removing or copying tunes from the car's on-board library by wireless connection or by plugging the hardware into another car. Its route finder information can be locked from prying eyes by a four-digit PIN code (similar to an ATM card's) when needed. Ford also says the SecuriLock engine-start system only works with a designated key that sends a unique signal code to a transponder in the engine amid some 72-million-billion code configurations (which would severely challenge the most dexterous of hackers).
While your ride seems to be safe at the moment, the threat looms ahead. All the while, it never hurts to park your car off-street and tuck away your valuables, either.