How Modern Cars Can Be Hacked

by Matthew Braga
Meet the invisible hand behind the wheel.

The phrase "car hacking" probably conjures up all sorts of terrible stereotypes and long-running Hollywood tropes – the spectre of a trenchcoated stockphoto figure taking control of your SUV using nothing more than a laptop and some cellular connectivity, perhaps, or a bird's nest of perfectly benign, wasn't-there-before cabling snaking from beneath the driver's seat, listening in on your every word.

But let's sort fact from fiction. While most modern vehicles certainly can be hacked – and that's a problem in and of itself – the chances of it happening to you, and your particular model of car, are actually still quite slim.

The $26 CAN Hacking Tool, via Forbes.

The best research we have for this sort of thing comes courtesy the Center For Automotive Embedded Systems Security, or CAESS, a joint program between academics from the University of California, San Diego and the University of Washington. The team's first paper, 2010's "Experimental Security Analysis of a Modern Automobile," detailed just how fragile the underlying systems of a modern vehicle can be. Access to a car's internal network "can circumvent all computer control systems, including safety critical elements such as the brakes and engine."

But, perhaps of greater concern, is the team's oft-cited 2011 followup, "Comprehensive Experimental Analyses of Automotive Attack Surfaces." The paper detailed how a car could potentially succumb to such attacks, not only through direct physical access, but via short and long-range wireless as well.

In other words, it's possible for an attacker to take control of your beloved Toyota and its various features and functions without ever having hands-on access to the car. Let’s dive into how that might happen.

One Connected System

To understand how an attack might take place, let's start with a car's Electronic Control Units, or ECUs. These are small, discrete computers that control almost every major and minor system in a modern car. Very primitive versions of these units first appeared in the 1970s – initially for improving fuel efficiency – but have since grown to encompass all sorts of wide-ranging tasks. Now, there are ECUs for a car's power windows, brakes, airbags, lights and entertainment system – and more recently, ECUs that can even take over steering functions for parallel parking or backing in. According to researchers there are now as many as 70 ECUs in the average car.

A car is a mini network with no real security implemented.

Of course, ECUs don't exist in isolation, but rather, are connected or coupled to one another via Controller Area Network, or CAN, a requirement on U.S. cars since 2008. Think of it as a router for all the things in your car, mediating which ECUs can communicate with and control one another. It's how the throttle can tell the entertainment system to raise the volume of your favorite song when a car speeds up, or how OnStar can remotely unlock a car's doors.

However, this connectivity can go the other way too. If an attacker exploits your entertainment system or Bluetooth radio, he or she can access other systems that are connected to it as well. An attacker could even use your hands-free system to make connections with other, crucial ECUs that it wasn't connected to in the first place, taking complete control of a car’s electronics.

“A car is a mini network,” security researcher Garcia Illera, who has studied embedded automobile computer systems, told Forbes earlier this year. “And right now there’s no security implemented.”

But how does an attacker actually get “in”? And what can they do once they're inside?

Points of Entry Everywhere

There are a few ways an attacker might breach a car's internal network. The most obvious is through access to a car's on-board diagnostics port, or OBD. This is a federally mandated port in the U.S., meant primarily for use by dealerships and service centers. But it can be exploited, and it is a popular target, because it has complete access to the CAN and all the ECUs in a car.

The problem for hackers is that the OBD port is typically inside the car, and this direct access requirement makes it an unlikely target for a completely random, unknown attacker. More likely, "Someone – such as a mechanic, a valet, a person who rents a car, an ex-friend, a disgruntled family member, or the car owner — can, with even momentary access to the vehicle, insert a malicious component into a car’s internal network via the ubiquitous OBD-II port (typically under the dash)," according to CAESS' 2010 paper.

So let's say exploiting the OBD port is too obvious. After all, it sits just beneath the dash, often near a car's floor pedals, and anyone paying enough attention might notice a device sticking out. How about exploiting a car's entertainment system instead?

The researchers found that, on their test vehicle, the in-car entertainment system could be compromised with nothing more than a specially burned CD – one that played just fine on a PC, but when inserted into a target car, sent malicious commands across the CAN. Another CD, this time containing a maliciously modified version of the entertainment system's software, could completely overwrite the player's ECU.

There is, of course, still the question of how an attacker might deliver a CD or device that can be played in the first place. It may be an indirect physical attack, but it's a physical attack nonetheless.

This is where Bluetooth comes in. It's a short-range wireless protocol that doesn't require direct physical access to the vehicle. An attacker could either compromise a previously paired Bluetooth device, such as an Android phone, and then use that phone to deliver a payload to the car. Or, with enough time and effort, researchers detail another method in which, over the span of multiple hours, an attacker could guess the PIN required to pair with a car using brute force methods – perhaps, say, while a vehicle is sitting in its garage overnight.

But perhaps the most interesting and terrifying vector of attack comes via a car's telematics systems, like OnStar.

But perhaps the most interesting and terrifying vector of attack comes via a car's telematics systems – in other words, a 3G capable, in-car navigation or assistance service, such as OnStar. Because these systems communicate over long-range cellular networks, they are ideal for remote exploitation.

In this case, the researchers found a flaw in a piece of software common to most telematics systems, allowing an attacker to deliver an exploit *over-the-air* by repeatedly calling the navigation and assistance system of a test car (approximately 128 times, to be precise) – completely unbeknownst to the user.

Oh, and, in case it wasn't clear, for each of these vectors of attack – indirect access via OBD or CD PLayer, short-range wireless via Bluetooth, and long-range attacks via 3G – researchers were able to obtain "complete control" over the test vehicle’s systems, brakes, airbags, steering and more.

Remote Control, Realistically

Once an attacker has access to a vehicle's CAN and ECUs, they can do a whole lot.

Once an attacker has access to a vehicle's CAN and ECUs, they can do a whole lot.

Charlie Miller and Chris Valasek, two security researchers who tore apart both a Toyota Prius and Ford Escape last year, demonstrated how they could read information such as location, speed, and in-car settings from a vehicle's OBD port – but also directly control elements of the car, going so far as to disable the brakes of the Escape while in motion.

Another pair of security researchers Alberto Garcia Illera and Javier Vazquez Vidal, went one step further, presenting a small, $26 device at the Black Hat Asia security conference in Singapore last month that could perform remote, wireless CAN attacks.

Oh, and as for our researchers from 2011? They proved it was possible to gain access to a vehicle remotely via 3G – but they could also leverage that 3G connection for further, malicious post-compromise acts. One exploit forced two test vehicles to listen for remote commands in an online chat room, allowing the researchers to interact with both vehicles at the same time. Imagine, a botnet of compromised cars!

"To make this concrete," the researchers later wrote, "we modified our attack code for two demonstrations: one that periodically 'tweets' the GPS location of our vehicle and another that records cabin audio conversations and sends the recorded data to our servers over the Internet."

There is, however, one giant caveat to all of this – namely, that there isn't one particular attack or exploit that's been proven to work definitively on all cars. Vidal and Illera's tricks ranged from "mere mischief like switching off headlights, setting off alarms, and rolling windows up and down to accessing anti-lock brake or emergency brake systems that could potentially cause a sudden stop in traffic," according to an interview with Forbes. But what, exactly, their tool can do depends on the make and model of the vehicle.

In the 2011 CAESS study, each ECU that researchers wished to compromise had to be reverse engineered first – a lengthy and complicated process that can vary from car to car. And there's no guarantee that a bug or flaw that exists in one would exist in another. It's perhaps part of the reason why real-world attacks using these methods aren't widely reported or known.

"Its hard work, it requires domain knowledge that is rare (or takes time to acquire) and its expensive (you need to buy cars)," wrote Stefan Savage, a computer science professor at the University of California, San Diego, and one of the co-author's of CAESS' two studies, in an email. It's part of the reason why, even now, the work of Savage and his team in 2011 is still the best we have.

To their credit, people like Miller and Valasek are trying to change that. Building on CAESS' work, they want to reduce the cost of car hacking research by standardizing and simplifying investigation techniques – to the point where interested researchers won't even need an actual car. The pair released a blueprint of sorts earlier this month on how, with aftermarket parts, to construct a makeshift CAN with real ECUs, no-car-required on a work bench. It's not intended to be an instructional for would-be hackers, of course, but an educational resource for Autosec investigators – Valasek's term – to hopefully do more.

"The fact that a risk of attack exists but there is not a way for researchers to monitor or interact with the system is distressing," the pair wrote – and "the most significant limiting factor isn’t knowledge, or the tools/data to start car hacking, but rather researchers do not typically have a car at their disposal to hack on."

Luckily for you, that means most attackers don't either. So, rest easy, worried drivers – your car can most certainly be hacked, but that doesn't necessarily mean it will be. At least, not for now.