By Pierluigi Paganini, Editor-in-Chief, CDM
Jun 27, 2013, 11:30 am EST
Car hacking is one of the effects of the massive introduction of technology into our vehicles; a hacker gaining access to our means of transport is something we have so far seen only in movies.
Put together a car and one of the most popular hackers, Charlie Miller, and you get an explosive mix; it’s a pity that the presentation on car hacking has been excluded from the next Black Hat security conference.
Miller (@0xcharlie), one of the most respected security experts and now working at Twitter, has demonstrated his capabilities by presenting various exploits to the security community, such as the hacks for both the iPhone and the G1 Android phone; he has also won the CanSecWest Pwn2Own competition four times.
Charlie Miller and Chris Valasek, director of security intelligence at IOActive, will present a talk titled “Adventures in Automotive Networks and Control Units” at the upcoming Defcon 21 in August.
The two researchers promise to approach car hacking from a new perspective, providing details and releasing tools to break into car control systems.
Below is the abstract of the presentation, which will explore security issues in car network systems and the possibility of interacting directly with the principal components of a vehicle, including braking and steering.
“Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality.
This presentation will examine some controls in two modern automobiles from a security researcher’s point of view. We will first cover the requisite tools and software needed to analyze a Controller Area Network (CAN) bus. Secondly, we will demo software to show how data can be read and written to the CAN bus.
Then we will show how certain proprietary messages can be replayed by a device hooked up to an OBD-II connection to perform critical car functionality, such as braking and steering. Finally, we’ll discuss aspects of reading and modifying the firmware of ECUs installed in today’s modern automobile.”
Today’s vehicles are equipped with connected computers that could be exploited by an attacker for various purposes; to prevent such attacks, the US auto-safety regulator has decided to start a new office focusing on these categories of cyber threats.
David Strickland, head of the National Highway Traffic Safety Administration, declared:
“These interconnected electronics systems are creating opportunities to improve vehicle safety and reliability, but are also creating new and different safety and cyber security risks,”
Today car hacking could target new-generation vehicles that are increasingly connected to the Internet, to each other and to wireless networks. The controllers in today’s cars are very sophisticated: to give you an idea of this complexity, consider that a luxury car today has more than 100 million lines of computer code, while software and electronics account for 40% of the cost of the car.
How is car hacking possible?
Below are some of the most credible attack methods:
- Exploit of Telematics System – a hacker could exploit the system installed on the car to remotely stop a stolen vehicle. Having gained access to a vehicle, the attacker could also interact with every component of the vehicle through the CAN bus.
- Malware exploits – Malware could be introduced through USB devices plugged into the MP3 player or via wireless technology (WiFi or Bluetooth).
- Unauthorized Applications – Executing or downloading a malicious unauthorized app from a third party; think of an update to a built-in navigation system.
- OBD – specifically written software could exploit the OBD-II (On-board diagnostics) port for its installation; once the connector has been accessed, it is possible via the CAN bus to monitor every component connected to it.
- Door Locks and KeyFob – an attacker could emulate the presence of the access code that regulates the operation of these two systems; in this way he could control the locks and the start/stop of the car engine.
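A defender-side illustration of the CAN bus monitoring mentioned in the list above, added here and not taken from the article or from the Defcon talk: ECUs typically broadcast each message ID at a fixed interval, so frames injected by a device on the OBD-II port show up as an ID arriving faster than its learned period, or as an ID never seen in clean traffic. The log lines follow the `candump -l` format from can-utils; the IDs, payloads, timings and the 0.5 tolerance are constructed assumptions.

```python
import re
from statistics import median

# candump -l style line: (timestamp) interface ID#DATA
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def parse(log):
    """Return (timestamp, can_id, data_hex) for each well-formed log line."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((float(m.group(1)), m.group(2).upper(), m.group(3).upper()))
    return out

def learn_periods(frames):
    """Median inter-arrival time per CAN ID, learned from a known-clean capture."""
    last, gaps = {}, {}
    for ts, cid, _ in frames:
        if cid in last:
            gaps.setdefault(cid, []).append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items()}

def detect(frames, periods, tolerance=0.5):
    """Flag frames with an unknown ID or arriving faster than tolerance * period."""
    last, alerts = {}, []
    for ts, cid, _ in frames:
        if cid not in periods:
            alerts.append((ts, cid, "unknown-id"))
        elif cid in last and ts - last[cid] < tolerance * periods[cid]:
            alerts.append((ts, cid, "too-fast"))
        last[cid] = ts
    return alerts

def make_log(start, count, period, can_id, data):
    """Build constructed log lines for one periodic sender."""
    return [f"({start + i * period:.6f}) can0 {can_id}#{data}" for i in range(count)]

# Constructed captures: IDs, payloads and timings are invented for this example.
CLEAN = "\n".join(sorted(make_log(100.0, 20, 0.100, "0C9", "8021C0071B10")
                         + make_log(100.0, 40, 0.050, "1A0", "00FF")))
# Same traffic plus three extra 0C9 frames and one frame with an unseen ID.
SUSPECT = "\n".join(sorted(CLEAN.splitlines()
                           + make_log(100.510, 3, 0.010, "0C9", "FFFFFFFFFFFF")
                           + ["(100.700000) can0 555#0201"]))

if __name__ == "__main__":
    for alert in detect(parse(SUSPECT), learn_periods(parse(CLEAN))):
        print(alert)
```

A timing baseline of this kind only covers periodic IDs; event-driven messages need a separate allow-list or payload checks.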
Has an accident ever been intentionally caused?
In reality it’s not clear; recently the tragic death of journalist Michael Hastings was considered very suspicious by some journalists … accidental incident or car hacking, this is the doubt.
Former U.S. National Coordinator for Security, Infrastructure Protection, and Counterterrorism Richard Clarke has shared with The Huffington Post his perplexity about the mysterious death.
He revealed that the crash and burning of Hastings’ car are consistent with a cyber attack against the vehicle, but that it’s impossible to tell whether it really happened that way due to the fire that enveloped the car after it crashed into a tree. All traces are gone!
“What has been revealed as a result of some research at universities is that it’s relatively easy to hack your way into the control system of a car, and to do such things as cause acceleration when the driver doesn’t want acceleration, to throw on the brakes when the driver doesn’t want the brakes on, to launch an air bag,”
“I think you’d probably need the very best of the U.S. Government intelligence or law enforcement officials to discover it. So if there were a cyber attack on the car – and I’m not saying there was – I think whoever did it would probably get away with it,” he added.
In two to five years, security will be considered a primary requirement for new generations of vehicles … have you updated the firewall on your car?
(Source: CDM & Security Affairs – Car hacking)