A comprehensive presentation on car hacking research by Stephen Checkoway of UC San Diego.
Shortly after Rolling Stone contributing editor Michael Hastings died in a fiery auto crash in Los Angeles, conspiracy theories began to pop up online. The mysterious circumstances practically begged for a new brand of '70s-era Nixonian paranoia. Hastings had regularly pushed buttons in DC. The accident occurred at around 4:00 AM. Only hours earlier, Hastings had been at the sold-out premiere of friend Jeremy Scahill's Dirty Wars documentary. And, most notably, Hastings spoke to WikiLeaks lawyer Jennifer Robinson hours before his death, then sent a panicky email to BuzzFeed staff, stating he was "onto a big story" and going off the grid for a bit.
The conspiracy theory suggesting Hastings' Mercedes C250 was hacked is both extremely unlikely and near impossible to prove. That said, is such a hack even possible? Yes. Various researchers have proven that cars can be hacked. This article, however, is chiefly concerned with what types of car hacking are possible.
In 2010 and 2011, researchers from the University of Washington and UC San Diego published two studies concerning vulnerabilities of car computers. The first, "Experimental Security Analysis of a Modern Automobile," focused on what could be done once a hacker gained access to a vehicle's internal network. The second, "Comprehensive Experimental Analyses of Automotive Attack Surfaces," demonstrated how a hacker could compromise a car's internal network without having any direct physical access to the car itself.
At Def Con 21 in August, Charlie Miller, a Twitter security engineer, and Chris Valasek, director of security intelligence at IOActive, will deliver a talk titled "Adventures in Automotive Networks and Control Units." Miller and Valasek will address security flaws with automobile software, with particular emphasis on braking and steering. Miller told me he was unable to provide more details on his Def Con talk, but suffice it to say that they wouldn't be giving the talk if cars can't be hacked. For now, we'll take a look at what we do know.
According to the UW and UCSD study, "there are over 250 million registered passenger automobiles in the United States," and the "vast majority of these are computer controlled to a significant degree and virtually all new cars are now pervasively computerized." As with everything technological, this computerization will only accelerate, for better or worse.
In the first study, researchers, led by UW professor Tadayoshi Kohno and UCSD professor Stefan Savage, were able to hack just about everything electronic in a car. They demonstrated the ability to mess with the car's radio and instrument panel cluster (to falsify fuel level and speedometer readings), jam locks, pop the trunk, honk the horn, enable/disable windshield wipers, and control the A/C environment. Most importantly, they were able to disable the engine, disable or enable brakes, and create a general denial of service while the car's wheels were doing 40 mph.
Older cars like this station wagon can't be hacked, but they can be attacked by banana peels.
That was all done in a stationary testing setup. The researchers noted that road testing was "the 'gold standard' for our attacks as they represent realistic conditions (unlike our controlled stationary environment)."
Again, they were able to manipulate speedometer readings, but they also exploited the system to turn interior and exterior lights, including headlights, off. This hack's real world implication was particularly frightening.
"One can imagine this attack to be extremely dangerous in a situation where a victim is driving at high speeds at night in a dark environment," wrote the researchers. "[T]he driver would not be able to see the road ahead, nor the speedometer, and people in other cars would not be able to see the victim car’s brake lights."
The terror of this scenario was only surpassed when the researchers described how malicious code could be erased, leaving no trace of who had done it. As they wrote (emphasis mine):
Hosting our own code within a car’s ECU enables yet another extension to our attacks: complicating detection and forensic evaluations following any malicious action. For example, the attack code on the telematics unit could perform some action (such as locking the brakes after detecting a speed of over 80 MPH). The attack code could then erase any evidence of its existence on the device... If the attack code was implanted within the telematics environment itself, then more sophisticated techniques may be necessary to erase evidence of the attack code’s existence. In either case, such an attack could complicate (or even prevent) a forensic investigation of a crash scene. We have experimentally verified the efficacy of a safe version of this attack while driving on a runway...
The researchers used their CarShark software to listen in on the test cars' Controller Area Network (CAN) system, then exploited it with their very own network packets.
They acknowledged the skepticism, such as a statement made by independent security expert Ken Tindell to The Register, in which he stated: "Until I sold my company to Bosch in 2003, I was heavily involved in this area of computing, so I can say with some confidence that this 'discovery' is sheer foolishness. The only risk they encountered was a theoretical one (viz. that a telematics system connected to the in-vehicle networking could hack the car). It's highly theoretical because the challenges of hacking a car are vastly more than hacking a banking system. I just can't see anyone bothering."
Trend Micro security analyst Rik Ferguson, while not skeptical, noted that a car's internet connectivity is a key issue. "Cars benefit from the fact that they are (hopefully) not connected to the internet (yet) and currently are not able to be remotely accessed," Ferguson told BBC News. "So in order to carry out a successful attack you would already need to have physical access to the vehicle, as a break-in or as a mechanic, seem the two most likely scenarios."
The UW and UCSD researchers took the criticism to heart, and published a follow-up paper in 2011. Specifically, they set out to prove that physical access was unnecessary.
In this paper, the researchers found that indirect physical access to the car's computer system could be undertaken via the OBD-II port, which is a federally-mandated access point. In this scenario, a hacker would need access to the car at a dealership, or, theoretically, via an electric car's external charging cable. They also found that CDs, USBs and iPods could possibly be used to deliver malicious code.
Now, this might seem difficult if the car is turned off and locked, but the researchers demonstrated that a hacker could gain access to the car via "Bluetooth, Remote Keyless Entry, RFIDs, Tire Pressure Monitoring Systems, WiFi, and Dedicated Short-Range Communications." To do this, the hacker would have to be within 5 to 300 meters of the car's receiver. On the high end, that's 984 feet of distance from hacker to hacked car. Point being, the hacker need not actually be in the car to deliver the malicious code.
UW and UCSD researchers also demonstrated that long-range (greater than 1km) wireless access to a car's computer system is possible. How? Well, this will make you soil your drillies: through GPS, satellite radio, digital radio, radio data systems (digital information embedded in FM broadcasts), and traffic message channels.
"To be clear, for every vulnerability we demonstrate, we are able to obtain complete control over the vehicle’s systems," wrote the researchers. Complete control.
To see if anything had changed since 2011, I emailed several of the UW and UCSD researchers. Savage promptly replied with his thoughts on car hacking in light of the Hastings conspiracy theory.
"I think Occam's Razor suggests that this is perhaps the least likely way that your car might ever crash," said Savage. "It's both really hard and the amount of effort is particularly enormous when compared with the goal of injuring one individual."
Look, just because car hacking is theoretically possible doesn't mean Hastings's car was hacked. It's extremely unlikely.
"I think we're fairly confident that we could have controlled acceleration as well, but we never demonstrated that," added Savage.
Steering, according to Savage, is not "electronically-intermediated" on most cars, even new ones. "On some newer cars there is a mechanical turning assist (e.g., for auto-park), but typically via a slip clutch such that a driver could overcome it if they turned hard enough," he said, "There are some new drive-by-wire cars being developed now, but I don't think there are any popular vehicles like this today." (Remember, Charlie Miller will address the issue of steering hacks at Def Con 21.)
Savage emphasizes that none of this is easy to do. "We spent a huge amount of effort to do this for one vehicle platform and making it really reliable is even harder," he said. "Moreover, the OEM's [original equipment manufacturers] are now putting in some serious effort to harden things, so I believe it is only getting harder over time.
"If I was trying to get rid of someone, this is way on the bottom of the list of options I'd consider."
Savage also noted that "real-time time and processing power is likely negligible excepting access control mechanisms that require brute forcing."
In other words, hacking a moving car in real time is incredibly difficult. But in the right scenario, it's not impossible.