Researchers at the University of Washington and University of California-San Diego have examined the multitudinous computer systems that run modern cars, discovering that they’re easily broken into with alarming results. Hackers can disable the brakes of moving vehicles, lock the key in the ignition to prevent the engine from being turned off, jam all the door locks, and make the engine run faster. Less dangerously, they can control the radio, heating, and air conditioning, or just endlessly honk the horn.

Their attacks used physical access to the federally mandated On-Board Diagnostics (OBD-II) port, typically located under the dashboard. This provided access to another piece of federally mandated equipment, the Controller Area Network (CAN) bus. With this access, they could control the various Electronic Control Units (ECUs) located throughout the vehicle, with very few restrictions.

Found by Micah Phillips who adds: “I can just picture the future: The government giving a ‘terrorist’s’ plug-in hybrid a virus, driving their cars into oncoming traffic, then wiping away any digital fingerprints.”




  1. 2000andfun says:

    Hal, open the driver side door. Hal! Hal!!!

  2. Lowfreq says:

    Quote -‘Their attacks used physical access to the federally mandated On-Board Diagnostics (OBD-II) port, typically located under the dashboard.’

    Ahh…So someone is gonna steal your keys, open in your car\truck, reprogram it, and leave? Really? Valets gone rogue?

    Just another ‘state of fear’ attempt to get OBD-III on new cars so we can be tracked and controlled.

  3. The0ne says:

    Vehicles are not secure. Who here thinks they are? Seriously. It doesn’t take grants, probably from tax payers, to have studies done on this to say so. That is why there’s a whole slew of modding out there on vehicles, even from reprogramming your ECU on the fly.

    To be surprised by this is like being surprised a fly could fly.

  4. Mextli says:

    #2 “Ahh…So someone is gonna steal your keys, open in your car\truck, reprogram it, and leave?”

    The pdf linked to the article was interesting.
    It discusses interfaces to these systems such as OnStar that are able to control more of the system every year. No encryption I bet.

    http://autosec.org/pubs/cars-oakland2010.pdf

  5. Pikachu says:

    When you give over control to someone else’s software, you accept all their (bad) choices implicitly, which will not be explained to you usually, so you accept unknown risks.

    Example:
    http://absurd.tk/

  6. sargasso says:

    OBD-II is entirely unauthenticated and CAN is an open peer network. Access can be had either via the OBD-II port in the car with a laptop, or telematically with a suitable antenna.

  7. sashley616 says:

    Perhaps I will keep my 2000 model a bit longer; it has a throttle connected to the pedal w/ a cable and a brake pedal that actually pushes fluid to the brakes. These types of things are possible on drive by wire systems.

  8. soundwash says:

    -hence… i always agreed with mark perkel’s first assessment of the Toyota fiasco, -that it was a software issue.

    taking it further. -i firmly believe that the toyota issue was “programmed in” either at the factory..or hacked via satellite.

    -In part, because over the last year plus, there has been a renewed effort by some in the japanese parliament to once again get us (as in U.S. military) off of Okinawa..the story was upfront for a few days/weeks in google prior to, or almost concurrent with the initial gas pedal reports, then suddenly got pushed way back in the search engines..

    /conspiracy 102…

    also..if you think cash for clinkers was just about stimulating the economy, well you're more naive than most..

    best vehicle to own at *this point in time* is a diesel with a mechanical fuel pump. (with a dual purpose auxiliary PTO to start it with an external motor..should the starter fail)

    would be just about the only thing that would still run if hit with either natural or artificial EMP pulse..

    remember, a well designed and cared for diesel motor can easily run for 1 million miles without a major rebuild, as the entire engine is bathed in oil.

    as for hybrids..the current trend is a complete farce of overcomplexity and yet again, another waste of precious metals and rare-earth magnets(which china controls some 93% of the market)

    The best, most reliable hybrid-design has been in service for decades, right in front of our faces: Look at most any diesel-electric locomotive train for an example. Today’s hybrids are *anything BUT “green” (memo: the green movement was hijacked and has nothing to do with “saving the planet”)

    anyone who thinks otherwise is historically, politically, mechanically and electronically naive.

    -but i digress…

    -s

  9. Lowfreq says:

    Mextli – ‘The pdf linked to the article was interesting.
    It discusses interfaces to these systems such as OnStar that are able to control more of the system every year. No encryption I bet.’

    I did read the PDF. Like you, I doubt OnStar is encrypted, but considering that there are so very few cars on the road with OnStar, would it be worth hacking? I can’t think of one model car that does not have mechanical\hydraulic brakes either. Might be easier to obtain a prototype of the latest Apple product than bother hacking a few cars.

  10. ECA says:

    Very interesting to integrate the Onboard computer system, with a WIRELESS NETWORK..

    Anyone want to have some FUN??

  11. the haunted sheep says:

    Another good reason to drive my old as hell dodge truck.

  12. Skeptic of the Anthropogenic Orgasm Between Consenting Climate Scientists says:

    re: “Ahh…So someone is gonna steal your keys, open in your car\truck, reprogram it, and leave? Really? Valets gone rogue?”

    Actually, it’s a setup for the perfect murder.

  13. noname says:

    Perfect opportunity for 3rd party chips, reprogramming or replacement.

    What’s the fuss?

    Do I hear the cash register going “cha-ching”??

  14. Floyd says:

    Noname: Do you really trust 3rd party control chips to actually do what the maker says they will do? Think about it.

  15. noname says:

    # 14 Floyd,

    I guess it’s all relative, as to who do you trust: your car company, government (NSA, CIA, FBI, DoD, …) or do you trust a disinterested 3rd party.

    I guess you might be able to copy the code and re-program itself. Blind trust is just as bad as blind mistrust. You can’t sustain good decision making without truth.

  16. ECA says:

    IN RUSSIA..
    You don’t drive car..
    CAR drives you..

  17. Buzz says:

    Discuss the liabilities that arise from Toyota’s implementation of these government-mandated standards in the software of their vehicles without being given complete debugging procedures, thus leading to random bugs showing up as vehicles are subjected to non-laboratory emf signals from highway sensors and other stray electrical signals.

    In other words; not Toyota’s fault (CAN standard 1996-2004 start in US), but a whole rat’s nest they were handed from outside the company.

    From the report, “CAN packets contain no authenticator fields — or even any source identifier fields — meaning that any component can indistinguishably send a packet to any other component. This means that any single compromised component can be used to control all of the other components on that bus, provided those components themselves do not implement defenses…”

    So when I roll over a traffic light sensor, my ever so slightly defective tire pressure sensor in the front right issues a “No Brakes Today” command at the hairy edge of s/n into my Controller Area Network. One that the car will ignore 9999 out of 10,000 times. Meaning, most of the time I don’t die.

  18. Glenn E. says:

    Ah, cars, the government’s secret assassination tool. Sort of reminds me of that 70s movie “Capricorn One”. Where the news reporter’s car was rigged (within minutes) to speed out of control, without brakes, to try and kill him or put him in the hospital. One wonders if these flaws on cars’ computer chips aren’t also “federally mandated”, for some sinister purpose?
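
The report passage quoted in comment 17 says CAN packets carry no authenticator or source identifier fields. As an added example (not from the article, the report or any commenter), the code below packs a classic CAN frame in the Linux SocketCAN layout, where the only fields are identifier, length and data, and shows one receiver-side defense: a truncated HMAC and a counter carried inside the 8-byte payload. The key, the identifier 0x123 and the 4+1+3 payload split are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

CAN_FRAME = struct.Struct("=IB3x8s")  # SocketCAN can_frame: id, length, padding, data
KEY = b"constructed-demo-key"         # constructed sample key (assumption)
ECU_ID = 0x123                        # constructed 11-bit identifier (assumption)

def pack_frame(can_id, data):
    """Classic CAN frame: identifier, length, up to 8 data bytes. No sender field."""
    if can_id > 0x7FF or len(data) > 8:
        raise ValueError("not a classic CAN frame")
    return CAN_FRAME.pack(can_id, len(data), data.ljust(8, b"\x00"))

def mac_tag(key, can_id, counter, data):
    """3-byte truncated HMAC-SHA256 over identifier, full counter and data."""
    msg = struct.pack(">HI", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:3]

def protect(key, can_id, counter, data):
    """Sender side: 4 data bytes + low counter byte + 3-byte tag fill the payload."""
    if len(data) != 4:
        raise ValueError("this layout carries exactly 4 data bytes")
    tag = mac_tag(key, can_id, counter, data)
    return pack_frame(can_id, data + bytes([counter & 0xFF]) + tag)

class Receiver:
    """Accepts a frame only if the tag verifies and the counter moves forward."""
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, frame):
        can_id, dlc, payload = CAN_FRAME.unpack(frame)
        if can_id != self.can_id or dlc != 8:
            return False
        data, low, tag = payload[:4], payload[4], payload[5:8]
        # Rebuild the full counter: smallest value above the last accepted one.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        if not hmac.compare_digest(tag, mac_tag(self.key, can_id, counter, data)):
            return False  # unauthenticated sender or replayed frame
        self.last = counter
        return True
```

A 24-bit tag is the price of fitting inside an 8-byte classic CAN payload; tag length, counter handling and key distribution are design choices a real deployment has to make per message.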

