Car-hacking: Bluetooth and other security issues
- 06 August, 2012 11:28
A disgruntled former employee of Texas Auto Center chose a creative way to get back at the Austin-based dealership: He hacked into the company's computers and remotely activated the vehicle-immobilization system, which triggered the horn and disabled the ignition system in more than 100 of the vehicles. The dealership had installed the system in their cars as a way to deal with customers who fell behind on their payments.
Police arrested the man and charged him with breach of computer security. His legal status was unclear as of our deadline for this story.
Out-of-control honking horns may be annoying, but other types of hacking, such as cutting the engine of unsuspecting drivers, could have deadly consequences. Although most experts agree there isn't an immediate risk, vehicle hacking is something that bears watching.
With the increasing computerization of vehicles of all types, observers have longer-term concerns over the vulnerabilities of trucks, delivery vans, rental cars and consumer autos. A malicious hacker could, in theory, disable the vehicles, re-route GPS signals or otherwise put employees, customers and the company as a whole in danger.
Consumers are getting worried about the safety and privacy risks that come with today's connected cars, according to a Harris Interactive poll released last week. For their part, auto makers and industry association spokesmen responded that they are adding electronic features carefully and based on market research.
Modern vehicle engines bear little resemblance to the engines of the past. Engines originally consisted of various mechanical devices assembled around a combustion engine. Within the past 20 years, cars have evolved to contain a complex network of as many as 50 to 70 independent computers, electronic control units (ECUs) with up to 100MB of binary code. Automotive ECUs originally entered production in the U.S. largely in response to California's automotive-emissions reduction law, first passed in 1961, and then the subsequent federal Clean Air Act, passed originally in 1963, strengthened considerably in 1970 and updated since then.
ECUs measure the oxygen present in exhaust fumes and adjust the fuel/oxygen mixture before combustion, which improves efficiency and reduces pollutants. Over time these systems have become integrated into nearly every aspect of a car's functioning, including air bag deployment, steering, braking and other real-time systems.
In the mid-1990s car manufacturers began integrating more powerful ECUs with peripherals such as GM's OnStar system, which is a combination GPS, emergency response unit and vehicle recovery system. An OnStar-equipped car can analyze its on-board diagnostics as the car is being driven, detecting problems and alerting the driver to any issues that require a visit to the repair shop.
These ECUs connect to one another and to the Internet, making car computers as vulnerable to the same digital dangers widely known among PCs and other networked devices: viruses, Trojans, denial-of-service attacks and more.
"The Austin case is a fairly particular case in that they had an add-on system that specifically gave them the ability to wirelessly immobilize the cars," says Stefan Savage, professor in the department of computer science and engineering at the University of California, San Diego. "It's not a standard feature on most automobiles."
AT&T exhibitors show off the new Ford Focus Electric car at the CTIA Conference in New Orleans in May 2012. The MyFord Mobile system will connect through the AT&T wireless network, which allows car users to remotely access the car using standard wireless technology, according to Ford. Some security experts wonder if standard wireless hacking techniques will become a problem. REUTERS/Sean Gardner
Generally speaking, these types of systems are there to disable the vehicle in the event of theft and enable their eventual recovery, says Savage. "This was not a case of hacking into a system or creating new functionality that didn't exist before," he explains. But that's not to say it can't be done. "In our research we demonstrated taking over a car through a software vulnerability and creating a completely new piece of functionality that did not exist before," he says.
GM's OnStar service, which also helps recover stolen vehicles, is currently the only vendor advertising that capability as a standard feature, says Savage. "However, the set of cars for which a clever adversary could create a new capability to shut down the car is likely quite a bit larger."
Motive behind the madness
One of the saving graces is there are relatively few motivations to stealing vehicles via a sophisticated hack, Savage adds, because of the complexity involved and the need to spend some serious cash to be able to pull it off. "There is a theft motivation. But while we've been able to demonstrate a computer attack and steal cars, frankly it's still easier to use a Slim Jim," he says, referring to the classic lock pick.
"The Austin scenario could not happen to a system that is not networked," says Dan Bedore, director of product communications at Nissan North America. "Our vehicle control modules are discrete systems and are not networked. So any scenario that involves hacking a car would be limited to a single unit."
If a fleet of, say, 100 units were immobilized, "the hack would likely be into some added hardware or software installed by the fleet operator," such as what occurred in Austin, says Bedore.
Nonetheless, a fair number of vulnerabilities in car computer systems currently exist, says Savage, although he feels it will be a while before computerized attacks are preferable to physical ones. "The most likely scenario where you have to worry are disgruntled attacks, where people are trying to sow havoc," he says.
Inside threat
There are two main ways an attacker could theoretically gain access to a car's internal network. The first is by physical access, such as a mechanic, a valet, a person who rents a car, an ex-friend or car owner, someone with momentary access to the vehicle. The attacker could insert a malicious component into a car's internal network via the OBD-II port, typically located under the dashboard. A brief period of connectivity embeds the malware within the car's components.
Similarly, counterfeit or malicious components may enter the vehicle before it is sent to the dealer or with a car owner's purchase of an after-market component such as a radio or alarm.
"One of the attacks we staged took advantage of vulnerability in the diagnostic tools used at dealerships," says Savage. "We built a virus that could get into a dealership and then could affect the diagnostic tools. So whenever a car was brought into the dealership and the diagnostic tool was connected to the car it would infect the car."
Savage and his team built a package that, upon taking over the car, would then contact his team's servers via the Internet and request further instructions. "At that point we could download just about any functionality we wanted -- disable the car, listen to conversations in the car, turn on the brakes, etc."
Access may also happen via numerous wireless interfaces. "Cars are not only becoming more computerized internally, but that they are becoming increasingly connected to the outside world," says Franziska Roesner, a student and researcher in the security and privacy research lab at the University of Washington. She calls this interconnectedness a "concerning" trend.
Today's cars are connected to the cell phone network and to the Internet via systems including OnStar, Ford Sync and others, Roesner explains. They have Bluetooth connectivity, short-range wireless access for key fobs and tire pressure sensors, they support satellite radio and they also have inputs for CDs, iPods, USB devices and others, he says.
BMWs hacked via diagnostic port
Thefts of BMWs in the U.K. recently spiked as thieves discovered they could bypass the car's alarm system and immobilizers. Using devices that plug into the car's OBD port, thieves programmed blank key fobs and drove the stolen cars away.
Reports indicate that such thefts appear to work similarly: After gaining access to the vehicle, either by breaking a window or via a nearby RF jammer -- which blocks the fob lock signal from reaching the car, thus preventing the car owners from properly securing their own vehicle even if they think they have -- thieves gain access to the car's OBD-II connector. This allows the thief to gain access to the car's unique key fob digital ID, enabling him to program a blank key fob on the spot, insert the key and steal the car.
In a statement by BMWs U.K. media relations manager, Gavin Ward, the company noted it is aware of and investigating the security loophole. The loophole affects all BMW series models, from the 1 to the X6.
"We liken this increase in connectivity to the desktop computing world before the Internet: Security vulnerabilities on disconnected machines suddenly became very important when computers were networked together," says Roesner. "There's even talk among auto manufacturers about creating app stores for cars. We're at the same point in the evolution of computerized automobiles."
Roesner works with other researchers to identify these issues with the goal of addressing them before they become major problems.
Studies conducted by Roesner and her colleagues show the OBD-II port as the most significant automotive interface for hacking purposes. This port provides access to the vehicle's key controller area network buses and can provide sufficient access to affect the full range of a vehicle's systems.
Alternatively, hackers may deliver malicious input by encoding it into a CD or a song file, which may "live" on an iPod or other MP3 player, or by installing software that attacks the car's media system when it connects to the Internet.
Currently, the Internet is only a hypothetical vulnerability, however, says Roesner. "In the case of the car that we examined, we used the malicious file on a CD to exploit a vulnerability in the radio."
"In our research, we showed that attackers with access to the car's network can completely control most of the car's computerized components," she says. This could allow an attacker to sabotage an automobile -- disable the brakes or lights, for instance. "But we also showed that attackers could use such exploits to perform espionage," Roesner explains. Examples include the ability to extract potentially sensitive GPS data from a system and send it outside of the vehicle to an attacker. Also, a car could be stolen if the hacker can override the car's computerized theft detection/prevention system.
Automobiles most at risk include those with more components under computer control and without manual overrides, and those that are more connected to the outside world via the Internet or wirelessly, says Roesner.
Law enforcement fleet concerns
A security attack on a law enforcement fleet, in particular, may risk the lives of police officers as well as the general public. This issue raises concern at the Arizona Department of Public Safety, which in June fell victim to hackers who downloaded and released hundreds of law enforcement files on the Internet to protest a newly passed law they perceived as racist.
Hackers infiltrated accounts of Arizona law enforcement personnel and email accounts of the Arizona Legislature in a separate attack, posting items such as credit card information, photos, emails and documents including a master list of passwords and names and addresses of other police officers throughout the state of Arizona, according to Stacey Dillon, president of Public Safety Authority Media.
Extrapolating from there, she says, "If the hackers had accessed our fleets by, say hijacking our GPS system, it could present a lot of officer safety issues." In that scenario, police couldn't send backup units to the correct location if the GPS were compromised.
One safety check already in place: If a patrol car is idle or is stopped for 45 minutes to an hour, "an automatic signal is sent to our dispatchers and they're told to check on it," says Dillon.
An Apple iPad is seen integrated into the Jaguar XJ Ultimate, the most luxurious Jaguar sedan ever made ($515,000), as shown in a Hong Kong showroom in May 2012. Some observers wonder if all that computer horsepower opens autos to malicious hacking. REUTERS/Bobby Yip
Rick Perine, vice president of the Mesa (Ariz.) Police Association, agrees that a hacker could stop police in their tracks. "We use a GPS map in our vehicles that's constantly updated," he explains. Among other things, "it relays to our dispatch where our patrol unit is, Hacking into our GPS could put me in the wrong part of town and another officer dispatched to a different part of town, which puts me in danger."
The use of an after-market product is the most likely way for a hacker to take over a vehicle fleet, says Andr Weimerskirch, CEO of Escrypt Inc., a provider of embedded security systems based in Ann Arbor, Mich. "If you own a business and you use after-market products to equip your fleet with GPS, for example, it's important to look at the details in terms of security."
After-market products work similarly to remote-control car engine starters marketed to consumers through retail stores, says Weimerskirch. "Remote control starters work by undermining the theft protection mechanism in the car. This opens the door for anyone to steal your car."
A clear, but not yet present, danger
"We can remotely stop the brakes on a car from 1,000 miles away, but it's not a clear and present danger today," Savage explains.
Doing this kind of a hack requires a large investment of time and money. "You need to buy the kind of car you want to hack," says Savage. "You have to be really motivated to do this; it's not something someone will do as a hobby. Because of the time and money involved, I don't think it's an imminent problem."
We liken this increase in connectivity to the desktop computing world before the Internet: Security vulnerabilities on disconnected machines suddenly became very important when computers were networked together. Franziska Roesner, Researcher, University of Washington
Although hacking into fleets may not present an immediate danger, manufacturers are taking this research seriously, says Savage. "Every manufacturer we are aware of is putting substantially more research into security than they have in the past. The challenge is they've never had to think about this before at all."
The good news is that car manufacturers can ramp up very quickly by adapting the same techniques as those used with PCs, such as finding latent security vulnerabilities, implementing data execution prevention and other measures, says Savage. "Some things will [require] standardization to make them economically feasible," he says.
The Society for Automotive Engineers (SAE), the industry's premier standardization group, is in the process of trying to set security baselines "based on our work," says Savage. "But it will take a while because there's so many different components involved."
Next steps
Roesner's research pointed to diagnostic tools used by service personnel as a potential source of attacks, she says. "These tools can be used to exploit vulnerabilities in automobiles," so owners need to be careful about who is permitted to access the OBD-II diagnostic ports of their cars, Roesner says.
Beyond individual auto companies, the U.S. Department of Transportation has "shown interest," she explains. The United States Council for Automotive Research (USCAR) and the SAE have both created tasks forces focused on computer security for automobiles.
Now is a good time to look at this and start thinking of possible solutions, when automakers and fleet owners are not in panic mode, says Savage. "We're working with the car industry to get ahead of it. In five to 10 years, it may be more of an issue."
See related stories:
Linda Melone is a freelance writer based in Orange County, Calif. She specializes in consumer topics ranging from health and technology to business. Contact her at Linda@LindaMelone.com.
Read more about security in Computerworld's Security Topic Center.