Hacking Automotive Systems
alphadogg writes "University researchers have taken a close look at the computer systems used to run today's cars and discovered new ways to hack into them, sometimes with frightening results. In a paper set to be presented at a security conference in Oakland, California, next week, the researchers say that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some nasty things, such as turning off the brakes, changing the speedometer reading, blasting hot air or music on the radio, and locking passengers in the car. The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes, and massive automotive recalls. It's to warn the car industry that it needs to keep security in mind as it develops more sophisticated automotive computer systems. Other experts describe the real-world risk of any of the described attacks as low." Here is the researchers' site, and an image that could stand as a summary of the work.
Someone with access to your unlocked car can cause it to malfunction by messing with its systems, story at 11!
Computer or no computer, if I climbed under your car in the parking lot, I could cut the brake lines.
...no matter how insecure they are, until hackers find a way to wirelessly connect to my car that doesn't have a wireless connection, I'm not going to worry.
Now if you'll excuse me, I have to make sure some crazy ex-girlfriend doesn't have something stuffed in my OBDII port. "Your mom's OBDII port is stuffed!" Dammit! Almost made it without the mom joke...
Living With a Nerd
We all know that once someone has physical access to your system it's theirs. But can they do this via OnStar or other remote access systems?
Best Slashdot Co
It would seem to me we have a lot more to lose by auto manufacturers implementing software security than to gain. It's hard enough as it is for repair shops to work on engines and electronics without adding security, which would make repairs even more proprietary and expensive. With almost nothing to gain, if someone wants to disable your brakes they can (gasp) damage your brake line without even opening your car door! Mess with your tires, exhaust, gas, etc. There are many more ways to mess with your car externally than via the software port. And yet somehow the earth keeps rotating.
I'd rather leave my port accessible- someday I may want to write some software. If someone has physically broken into my car and put something on my port, then that's my problem. Don't force DRM on us.
I love how we as geeks sometimes want it both ways. "Keep it secure! Add encryption". "Wait wait! That's DRM, I want it gone!"
I want to be able to connect diagnostic equipment to my car so that I know what's going on. I don't trust a mechanic to tell me what's wrong and how much it will cost. I like being able to do most of the work myself when possible.
"A plan fiendishly clever in its intricacies"- Homer Simpson
Why not provide manual overrides for things like door locks and windows. Even CD drives have that little pinhole reset so you can manually pop the sucker open. It just seems ridiculous to automate everything in a device that is always going to be mechanical in nature.
http://www.beanleafpress.com
blast hot air out of the radio? That's one wicked hack!
Queue up those "In Soviet Russia..." jokes
Is if any of these attacks are persistent/capable of lurking onboard waiting for some predefined trigger, without a device remaining connected to the diagnostics port.
While corporatist DRM apologists might disagree, the ability to do all sorts of crazy stuff by connecting to your local diagnostics port is what we call a "feature". If anything, we don't have enough control here, and much of the control we do have is inadequately documented: "Oh, sure, it's ODBC, in that it is more or less electrically compatible. Good luck with those proprietary codes, and please see your dealer for regularly scheduled service!"
On the other hand, something that allows anybody with 30 seconds of physical access to flash crash_at_60.haxxx permanently into the ECU is what we would call a "major design flaw".
>> blasting hot air or music on the radio
Music, I can see, but hot air blasting out of the radio??
People say my sig is the best thing about me.
I want to know how they made the radio blow hot air.
The bad guy thought he'd committed the perfect crime, little did he know that someone on the CSI team would have hunch to check the firmware in the car and find the nefarious code snippet.
.... so pissed when he reads this.
...my decision to make my next vehicle a 1968 VW Beetle.
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
The auto industry ALREADY encrypts the daylights out of most of their code! Which makes modifying it for performance reasons a PITA. I have to pay some guy a pile of cash to "flash" my current ECU because only a few guys have managed to figure out the code for it, unlike with other cars. Duh, it's a computer and it controls things, so yes, it can be messed with. But the auto industry already encrypts it and makes this difficult. So long as the auto dealers are able to modify things like speedometers and other things this will always be a "threat", so stop running around like Chicken Little. Sheesh! What, they should turn off the OBD-II standard codes so no one but a dealer can diagnose and make minor changes to cars? See how SEMA will like that, and all of the independent garages and shade tree mechanics. Then they will bitch that it's too locked down. Make up your minds and stop being so short-sighted...
Build it, Drive it, Improve it! Hybridz.org
Being an owner, driver, maintainer, and repairer of two classic (pre-1975) non-computerized cars, I'm really getting a kick out of this thread.
I find this very hard to believe. Disable the ABS system maybe, but the brake system is designed to work above all else - if a computer can disable the brakes that suggests a malfunction can too.
Appearing in a celebrity traffic trial near you in 3... 2...
If you were blocking sigs, you wouldn't have to read this.
I want to be able to access the computer that I OWN in the CAR THAT I OWN to be able to modify it, reprogram the fuel maps, and so forth. It's hard enough right now to be able to access modern engine control systems; just what I need, a bunch of chicken little, fscking "security experts" claiming that cars are "insecure", raising all kinds of alarm, then the car makers react, start putting all kinds of deliberate DRM on the computer systems, and it becomes absolutely fscking impossible to modify your own car.
If I want to modify the computer on MY CAR, THAT IS MY RIGHT, NOT A SECURITY ISSUE!!!!!
From TFA:
"Another discovery: although industry standards say that onboard systems are supposed to be protected against unauthorized firmware updates, the researchers found that they could change the firmware on some systems without any sort of authentication."
1. Some onboard systems are not compliant with standards, in that they are vulnerable to firmware tampering.
2. Tampering with the firmware could be a more complex but very insidious form of sabotage (and it would not require leaving something connected to the OBD-II port).
Now excuse me, I am going to find where the OBD-II port on my car is located. Just to be on the safe side. ;-)
In the long run we are all dead. - John Maynard Keynes (1883 - 1946)
... is the clock. I already know that doesn't work.
I did have a problem with the throttle sticking, but that was because the little spring that pulls it shut had stretched and fallen off.
Please to be shutting the fuck up and panicking people.
I WANT my car to allow me to do those things. That's why I have an OBD-II dongle hooked up between my car and the PC that's in it ... so I can control my car's features the way I want.
Being that the OBD port is generally directly under the driver's side dash, it's rather hard for someone to plug into it without it being noticed. If they've plugged into it, they've got physical access to your car, which means they can do a lot more damage than fucking up your heater and blasting you with hot air.
You said you didn't want to spread fear and panic, and you're lying; that's exactly your goal, and to use that to get attention for yourself.
This isn't anything new; it's been this way for at least 10 years if not longer (I haven't tried anything on older models), maybe all the way back into the OBD-I days and probably well before that when some cars had interfaces of their own standard.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Let's keep the alarmist talk down to a minimum here. As a few people have pointed out, the auto industry response will simply be to DRM you out of your own car. I'd expect that the government would want a part of the action, so expect a DMCA for autos too... They'll push you right into the loving arms of the factory service shops who will now be the only "authorized" repair option.
I've been "HACKING" car computers for a decade now, and a lot of other people have as well. Most hot-rodders from import tuners to Vette performance guys have been hacking ECMs. Many of the Honda hackers even go as far as opening up the ECM and desoldering chips to hack them. Changing the ignition timing table, fuel tables, disabling the rev limiter, disabling Passkey for engine swaps (I do this with the GM 3800SC and its ECM from the Buicks), adding features, changing a standard ECM program to a program that understands boost for a turbo install... etc.....
Heck, a friend of mine is hacking the computer that controls the new power steering system in cars so we can retrofit power steering to vehicles that don't have it.
I guess us car ECM hackers are the new "EVIL DOERS"
Do not look at laser with remaining good eye.
...has been around since OBD-1 days, as far back as 1984. OBD-2 programming systems are available for anything from 1994 through 2010. There are even scanners that allow you to enter the PIDs of your choice (obtained from monitoring the data line while performing operations with a scantool).
Since newer vehicles control nearly everything via CANbus, it's no surprise that someone has taken the time to monitor the bus and inject various commands. This sort of hacking has been around for over 20 years (despite auto manufacturers' attempts to protect their hardware with security keys and seeds). I don't see them "solving" this "problem" anytime soon...unless they come up with a way to make a "secure" bus (perhaps using fiber optics).
How long until we see a major thriller use this as more technobabble? And of course, they will use wireless technology by hacking into the cellphone the victim has foolishly left plugged in, allowing access to the car's operating system via the 12-volt power supply. The horror!
These sorts of security "flaws" also allow people to change the fuel injection mappings to increase horsepower, or enable extra electrical features not included from the factory, or do any number of other neat things. I want my car's computer to be more accessible, not less!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
As a VW owner, I can attest to the benefits of "hacking". How about adding 50 HP (and lots of torque) with a software upgrade.
Conservative, mod down for violating
Now imagine that a car is shipped with a virus in the firmware. And at the same moment of time millions of cars on highways suddenly become unmanageable.
This article reminds us again that computers more and more run our civilization. We are to begin to regard an unlawful interference into computer systems as a very serious life-threatening crime.
A certain shift in mentality is required. We shall not be amused by "black hat", "white hat", or other "hacking" subculture phenomena, but view malicious code writers as what they are: vicious, or even murderous criminals.
Future police officers and judges should be trained at schools to understand ideas and intents in the programming code.
I can imagine a judge, specializing, say, in C++ domain, or PHP&MySQL domain, Java, etc. To lock up a criminal for good a police officer and judge are at least to understand the code which this criminal wrote. Otherwise they cannot be sure.
ABS warning light came on in my 2000 Nissan Frontier. They traced the fault to the ABS control module, and the replacement part is $1000!!! That's an appalling amount of money for a couple bucks worth of silicon!
I'm coming to the conclusion that there needs to be industrial or even government standards for computer security, and there ought to be an investigation on the price of (safety related) repair parts.
As a car modder, who has been doing this kind of stuff (not malicious) since the early 1990s, wow welcome to the future guys.
Just an example: When my throttle position is above 90% depressed, my A/C compressor disengages (or rather the A/C clutch engages), giving me that little bit of horsepower and theoretically saving my compressor from the 7500 RPM (engine speed, not compressor speed) redline. I did this in an afternoon using only software.
The ECU has a lot of control over the car, especially in drive by wire cars... My car happens to have a cable accelerator, and I vastly prefer that because of throttle response time (a physical link is better most of the time than a software one, assuming both are properly maintained).
If they were really trying to be malicious without being deadly, you could change the air/fuel ratio to be really lean and burn up the valve train the first time they hit the gas pedal, there is no physical override for that, not like brake pedals (which if you turn it off it merely removes the power assist and only prevents you from stopping the car if you aren't strong enough to push the pedal down.)
... hack the dashboard display to tell all the LLBs to get the f**k out of the left lane?
Have gnu, will travel.
I once had the occasion to rent a car and drive it around on a fine Sunday afternoon. The afternoon was so fine, so inspiring to my pedal-mashing sensibilities, that on a whim I decided to take the car as close to airborne as I could over a rather steep hill.
I ended up catching a little too much air, and bottomed-out the car pretty hard. Upon landing with a loud crunchy thud, all the dash lights went out, the power steering died, and I had to wrestle the car off the road in quite a hurry.
Sitting there, miles from home, on the day of the week when it would be hardest to get a tow and make other transportation arrangements, and worried about what I had done to the car (I was sure it was really messed up based on the noise and the behavior), I was a bit panicked for a second there. After a moment's reflection, I decided "what the hell" and turned the key in the ignition to see what would or wouldn't happen.
And the damn thing started right up, with nary a complaint or anomaly. I deduced that the shock of bottoming-out must have crashed the computer and killed all the electronics, and the good old "reboot and see what happens" actually worked!
Slashdot? Oh, I just read it for the articles.
Access to ALL functions of automotive computer systems facilitates support when factory support ends and aftermarket support takes over.
This should have been approached from a MECHANICS POV, not that of a frightened rabbit. Vehicle computer systems should be easy to access, instead of vendor-locked so others can't see (and potentially correct or improve) factory settings.
Pre-computer vehicles were easy to troubleshoot and maintain precisely because systems were simple to access/repair/modify. Newer systems have greater capability, but restricting access to dealers who won't be supporting the vehicle after it's about ten years old (and charge a shitload of money before that, because they can) is not helpful to the consumer.
Obligatory personal computer analogy:
How about all PCs be sold potted in fiber-reinforced epoxy so "saboteurs" can't monkey with them?
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I want to tune my Neon!
Rick B.
They will be purchased by idiots who want to save money by not paying the goons at the dealer to maintain the vehicle.
Any software design that does not factor in human nature is bound to cause terrible tragedy. It's a wonder that it hasn't happened sooner.
*** Don't be dull.***
Put the controller and its access in the dashboard and seal it. If you want to access it, you got to break the seal. If the seal is broken, then you know somebody accessed it. Make the seals identifiable and unique and you can track who did it and at least see if someone messed with it because the seal has changed.
This works well enough for the utility companies, who use this method to make their meters tamper-proof. No DRM needed; you can still access the hardware if you need to, it's just that everybody who needs to know, knows it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I demand to be able to run Flash; it's my creative right to install whatever software I want on a computer I OWN...!!!
with obd2 support lol. Next spyware will turn our dash into a billboard!
First line of security: not doing anything that would get someone so murderously angry at you that they'd CUT YOUR BRAKES.
OBD II is all well and good for basic emissions/driveability/MIL diagnostics, but adding security to the other functions, such as the door locks, windows, etc. could basically kill the aftermarket alarm/remote start business.
On many (if not most) cars these days, many of the basic functions such as door locks are controlled via a CAN bus (a 2-wire twisted pair network) and more and more functions are migrating to network control rather than having dedicated wiring. In my car, everything other than the lights and the radio is run over CAN (even the seat adjustments and the rear window defogger).
Take, for example, installing an aftermarket stereo: Many new cars don't have a wire that supplies 12V when you turn the key on to turn on the radio, the radio is always powered and listens to the CAN bus for the command from the car's BCM (body control module) to turn itself on. On these cars, a separate aftermarket module has to be installed to turn the radio on (or the installer has to dig around in the car to find something else that only turns on with the key, like a power outlet). There are also aftermarket modules that can translate the CAN bus commands from the car's factory steering wheel controls to control an aftermarket stereo.
Adding a layer of security (presumably encryption or authentication) could cripple these abilities with aftermarket equipment.
Don't believe me? Well, take the example of remote start on my current car, a 1999 (yes, 12 model years old now) Mercedes-Benz. I have installed 3 remote start systems on various cars (a Subaru, a Honda, and a Mazda) which were what I'd call conventionally-wired cars, having accessible wires to turn the ignition and engine computer on and start the car. Easy. Cost, under $100 for all the parts including extra relays to turn on accessories and such.
On my '99 M-B, the engine computer will not allow the engine to run unless it can maintain a constant 2-way conversation over a separate CAN bus between itself and the EIS. What's the EIS? It's the Electronic Ignition Switch. Here's where things get complicated. M-B cars don't use conventional keys any more; they use a "SmartKey", which is an electronic key fob thing that inserts like a key, but has an infrared emitter-receiver in the end. The EIS supplies power to the SmartKey via an inductive coil around the key opening. The EIS and the SmartKey then engage via infrared in a continuous encrypted conversation which authorizes the EIS to tell the engine computer to let the engine run. Because you need to have the SmartKey in place, it has been impossible to install a remote start system.
Recently, a remote start system became available for my car (sold new 12 model years ago, remember), which will simulate the EIS' conversation with the SmartKey and allow the factory remote's Panic alarm button to be repurposed to start the car (the SmartKey is also the remote, but don't worry about that, it's actually two devices in one package). Cost: $1000. That's over ten times the cost of a remote start system for a regular car. And it took 12 years to develop.
All because of a single encrypted function. Admittedly, a really well designed one that makes the car impossible to hotwire, but you can see what problems might face the aftermarket if things like door lock controls became encrypted.
All in all, this research exercise is just stupid. Of course you can make a complicated system do silly things if you have physical access to it. I don't see the point of adding encryption to it when the aftermarket will have to figure out how to bypass it eventually anyway.
Off topic, but in case anyone's interested, you can have up to 24 SmartKeys issued for an M-B vehicle, but I think only eight can be active at one time. The service information talks about having three ranks of eight keys. Once you need to replace the key for the 24th time, you need to replace the EIS, the engine computer and a couple of other items. SmartKeys can only be ordered at a dealer and you h
Putting moderation advice in your
Oh noes, does this mean that we all have to start believing that the movie 'The Net' was credible?
Nah!!!!! ;)
Life takes interesting turns, but the most interest is when you're off the beaten path.
Didn't we just blast Toyota for having a completely closed system, that only 1 laptop in the US could access.... but now we blast everyone else for having an open system because it can be hacked?
Given physical access to any system it can be hacked.
iRepairIT - iPhone, Mac, & PC Repair
The paper
That link really should have been in the summary....
The problem isn't accessibility; as complicated as cars are getting, we simply need access to our cars' systems. The problem here is that the controls for mission-critical functionality (such as brakes and locks) don't have fail-safe mechanical backups that we can access manually!
VW/Audi is already doing this to an extent, encrypting access to settings such as lambda values / fuel-air mixtures etc. To change these on the latest (2.0 TSI) vdubs requires removing the ECU - not a task to be taken lightly. However, on earlier models (VW GTI MkV and back), companies like APR were doing this directly through the OBD-II port. Currently I have RO access to engine functions for graphing and diagnostics purposes and I can change the behaviour of most of my "convenience" electronics (DRL behaviour, fog lights, adaptive xenons, interior lighting, alarms, service interval warnings etc.)
I left the serious ECU tuning to APR as does VW for their special one offs and show cars...
The researchers' basic issue is that the network protocol for digital components in automobiles has few security features. Imagine a computer network in some safety-critical environment - say, a manufacturing facility where servers provide monitoring and control functions. These servers are linked by a network switch that allows a single compromised device to sniff and spoof all traffic. Furthermore, imagine that there is no ssh, no login password etc. A single compromised server could be used to effectively do anything that is possible from any other server. Now, this is undoubtedly the way that many server rooms operate, but more security-conscious sites will install firewalls between servers, filter command packets, and have servers use encryption and authentication, so that serverA knows that it really is taking commands from serverB. That is essentially what the researchers are arguing - that as more and more microcontrollers are connected to the onboard diagnostics network, it would be useful for that network to include some security features. How long will it be before there are wireless interfaces to the network? Do OnStar and similar systems just provide a link to the onboard diagnostic network? If so, then that could be exploited remotely. Is the OnStar protocol limited to cutting the engine? Or would it also allow you to accelerate and disable the brakes?
Another reason that the comparison with DRM may be invalid - your computer can't be used to kill you, no matter how hacked its software is. People are naturally more concerned when a hack of the device could result in casualties, regardless of whether the hack requires physical access. Would you trust any old PC technician to service your PC if the results could kill you?
Whether you would call a complete network of devices that encrypt and authenticate communications between any two peers a "DRM" system is debatable. There is certainly a similarity to, say, printer manufacturers locking out foreign ink systems, but in this case the argument could certainly be made that a Toyota braking system should never be blindly accepting commands from anything other than a Toyota brake pedal, etc. Should the engine blindly accept acceleration commands from the gas tank sensors? Surely it makes sense to lock it down and not allow this?
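The "serverA knows it is really taking commands from serverB" argument in the post above, worked through as an added example (not code from the thread, the researchers, or any real vehicle): a toy bus where one receiver obeys any frame carrying the right ID, and another checks a truncated HMAC and a freshness counter before acting. The 8-byte payload layout, the arbitration ID, the command codes and the shared-key setup are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct

# All identifiers below are constructed for the demo, not real vehicle values.
BRAKE_CMD_ID = 0x120   # assumed arbitration ID the brake module listens on
CMD_NORMAL = 0x0001    # assumed "normal" command code from the pedal module
CMD_OTHER = 0x00FF     # a command code the pedal module never sends
TAG_LEN = 4            # bytes of MAC that fit in an 8-byte payload after cmd + counter


def build_payload(key: bytes, arb_id: int, counter: int, cmd: int) -> bytes:
    """cmd(2) | counter(2) | truncated HMAC-SHA256(4) = 8 bytes, the classic CAN payload.
    The arbitration ID is mixed into the MAC so a tag cannot be moved to another ID."""
    header = struct.pack(">HH", cmd, counter)
    tag = hmac.new(key, struct.pack(">H", arb_id) + header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class Frame:
    def __init__(self, arb_id: int, payload: bytes):
        self.arb_id = arb_id
        self.payload = payload


class PedalModule:
    """Legitimate sender: holds the shared key and a monotonically increasing counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, cmd: int) -> Frame:
        self.counter += 1
        return Frame(BRAKE_CMD_ID, build_payload(self.key, BRAKE_CMD_ID, self.counter, cmd))


class BlindReceiver:
    """Receiver as on an unauthenticated bus: any frame with the right ID is obeyed."""
    def on_frame(self, frame: Frame):
        if frame.arb_id != BRAKE_CMD_ID:
            return None
        return struct.unpack(">H", frame.payload[:2])[0]   # command acted on


class AuthReceiver:
    """Receiver that only acts on frames carrying a valid tag and a fresh counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.rejected = []   # (reason, cmd, counter) for each dropped frame

    def on_frame(self, frame: Frame):
        if frame.arb_id != BRAKE_CMD_ID or len(frame.payload) != 8:
            return None
        cmd, counter = struct.unpack(">HH", frame.payload[:4])
        expected = build_payload(self.key, frame.arb_id, counter, cmd)
        # constant-time compare of the 4-byte tag
        if not hmac.compare_digest(expected[4:], frame.payload[4:]):
            self.rejected.append(("bad_tag", cmd, counter))
            return None
        # reject anything at or below the last accepted counter (replay)
        if counter <= self.last_counter:
            self.rejected.append(("replay", cmd, counter))
            return None
        self.last_counter = counter
        return cmd


def demo() -> dict:
    """Feed the same three frames to both receivers and record what each obeyed."""
    key = b"constructed-demo-key-not-a-real-vehicle-key"
    pedal, blind, auth = PedalModule(key), BlindReceiver(), AuthReceiver(key)

    genuine = pedal.send(CMD_NORMAL)                                   # 1. real frame, counter 1
    forged = Frame(BRAKE_CMD_ID, struct.pack(">HH", CMD_OTHER, 2) + b"\x00" * 4)  # 2. right ID, no key
    frames = [genuine, forged, genuine]                                # 3. replay of frame 1

    blind_obeyed = [blind.on_frame(f) for f in frames]
    auth_obeyed = [auth.on_frame(f) for f in frames]
    return {"blind": blind_obeyed, "auth": auth_obeyed, "rejected": auth.rejected}


if __name__ == "__main__":
    result = demo()
    print("blind receiver obeyed:", result["blind"])      # obeys the forged and replayed frames too
    print("auth receiver obeyed: ", result["auth"])       # obeys only the genuine, fresh frame
    print("auth receiver dropped:", result["rejected"])
```

A 32-bit truncated tag and 16-bit counter are what the 8-byte payload allows, so a real design still has to handle counter wrap, key provisioning per node, and bus-off recovery; the demo only shows why the blind receiver cannot tell the three frames apart and the authenticating one can.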
Check out this website for obd2 connectors or obd2 cables to help you hack your car: http://www.carplugs.com/
Say again ?
Hey, reject. Yes, I'm talking to you. If you can't get your ignorant, pea-sized, fluff-ball of a brain to conceive of any potential for abuse for a potentially lethal (not just for the driver/passengers of the car, but anyone else in public) hijack and disablement of critical systems that leaves no immediately visible evidence (i.e. maybe it's a PDA stuffed in a spot beside the computer under the hood....and yes, someone can open your hood without pulling the lever inside the cabin). If someone cuts a brake line, as you so ingeniously fathomed, A) you'll likely see the pool of fluid, AND B) YOU'LL HAVE NO BRAKES IMMEDIATELY. Not rocket science to figure out.
This hack of the on-board computer can cause a selective/intermittent failure with NO EVIDENCE of tampering at all (if the hacking device can be recovered before investigators arrive).
God. Think about what you are going to say before you say it.
OK, since this is /., here's the obligatory car analogy. It's like if someone had complete physical access to your car, they could do anything to it. They could cut the brake line. They could install a small charge attached discreetly to the brake line that could be triggered when desired. They could make a hole in the brake line, insert a plug attached to a piece of wire, the other end of which was attached to the ground beneath the car, with enough wire for the car to make it outside. Or the other end of the wire could be attached to the axle/wheel, so it gradually wrapped round and round it. They could make a slow leak in the line, but that would be very unpredictable and they might not make it out of the lot. I'm sure a professional mechanic/hitman/spy could come up with more ideas, but as you can see, getting physical access to a car to tamper with the brakes is a lot like getting physical access to a car to tamper with the brakes, you can pretty much do anything you like.
http://www.carpartslights.com/elm327-bluetooth-obdii-obd2-scanner-vagcom-can-elm-327-p-28.html
(Now you know what to look for at least, when checking to see what the crazy ex-g/f might have put in there....)
Step 1. Collect underpants
Step 2. Play up a 1 in a million risk that the public does not understand. "You could die in a slow painful death in terrible crash and the terrorists will win! Think of the children We can save you for only 6 easy payments of $19.95"
Step 3. Profit!!
My ex-girlfriend's car kept losing the screws that held the speedometer movement in the instrument panel, and it was impossible to get in there and screw them back in because the whole panel was sealed to prevent people getting to the mechanical odometer. These days, with electronic odometers that display on LCDs, they've moved the security into software so they don't have to epoxy the whole system into a solid mass, which is nice.
Nostalgia's not what it used to be.
You'd have to reflash the PCM (ECU is an OBD-I term; this kind of stuff is only possible with OBD-II, which actually mandates the term "PCM" -- if you want to be accurate, stop calling it an ECU in this context) entirely.
People call it an ECU because PCM is taken. Can you cite a reliable source that OBD-II mandates "PCM"?
Nobody will be tampering with my DLC
Which is exactly how the video game publishers like it because DLC is taken too.
"blasting hot air or music on the radio" would be really great, I'm looking forward to a video of hot air coming out of the radio.
Actually, a whole bunch of us REALLY wish one of you experts at ECM hacking would figure out the Delphi branded ECU found in the Hyundai Genesis Coupe 3.8 V6!
It's a great little sports car at a reasonable price-point, but so far, it seems like its engine is held back from its full potential because the ECU can't be directly reprogrammed.
(Apparently, some folks in Korea have already cracked its ECU and done some custom tuning so they could add things like superchargers or turbos ... but here in the USA, we can't seem to get our hands on any of that info. I suspect part of it is purposeful on their part. I think the Korean tuning community rather enjoys keeping a lead over people in the USA for as long as possible, so they can keep taunting us with YouTube videos of their accomplishments, etc.)
A company called Road Race Motorsports released a couple of different "piggyback" boxes that claimed to add as much as 20HP or so by plugging in between the ECU connector and one of the sensors on the car -- but everyone on the car forums testing them out has seen negligible results, and sometimes dyno tests show power LOSSES with these things. As best as we can determine, the boxes are functioning like they're supposed to, but modifying the data coming from just one sensor (such as the mass airflow sensor) isn't enough to really trick the ECU into advancing timing or changing air/fuel ratios. Apparently, it sees unchanged readings from other sensors on the car and assumes the input is flawed, and starts disregarding it or acting on it in unexpected ways.
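The sensor cross-check the post above describes (the ECU noticing that one altered sensor no longer agrees with the rest) as an added example, not code from the thread or from any ECU: a plausibility monitor compares the reported MAF reading with a speed-density estimate built from RPM, manifold pressure and intake temperature, and falls back to the model once the two disagree for several consecutive samples. The displacement, volumetric efficiency, tolerance, debounce count and all sample readings are constructed assumptions.

```python
R_AIR = 287.05  # J/(kg*K), specific gas constant of dry air


def speed_density_gps(rpm, map_kpa, iat_c, disp_l=3.8, ve=0.85):
    """Expected mass airflow in g/s from the ideal gas law. A 4-stroke engine draws in
    half its displacement per revolution, so flow = P*V/(R*T) * (rpm/60) * 1/2 * VE.
    Displacement (3.8 L) and VE (0.85) are assumed constants for the demo."""
    p_pa = map_kpa * 1000.0
    v_m3 = disp_l / 1000.0
    t_k = iat_c + 273.15
    kg_per_s = p_pa * (v_m3 / 2.0) * (rpm / 60.0) * ve / (R_AIR * t_k)
    return kg_per_s * 1000.0


def constructed_samples():
    """Constructed (rpm, MAP kPa, IAT C, reported MAF g/s) samples. The first five agree
    with the model within a few percent (sensor noise); from index 5 on, an inline box
    inflating the MAF signal by 25% is simulated while RPM, MAP and IAT stay genuine."""
    points = [(800, 35, 25), (1500, 50, 28), (2500, 70, 30), (3000, 90, 30), (4000, 100, 32),
              (4500, 100, 33), (5000, 100, 34), (5500, 100, 35), (6000, 100, 36), (3000, 80, 34)]
    factors = [1.00, 1.02, 0.98, 1.01, 0.99, 1.25, 1.25, 1.25, 1.25, 1.25]
    return [(rpm, mp, t, speed_density_gps(rpm, mp, t) * f)
            for (rpm, mp, t), f in zip(points, factors)]


def monitor(samples, tol=0.15, debounce=3):
    """Cross-check each MAF reading against the model. A reading more than `tol` away
    counts as a strike; `debounce` consecutive strikes latch a fault, after which the
    airflow used for fuelling comes from the model rather than the suspect sensor."""
    log = []
    strikes = 0
    first_flag = None
    for i, (rpm, mp, t, maf) in enumerate(samples):
        model = speed_density_gps(rpm, mp, t)
        ratio = maf / model
        strikes = strikes + 1 if abs(ratio - 1.0) > tol else 0
        if first_flag is None and strikes >= debounce:
            first_flag = i                      # latched, like a stored fault code
        source = "model" if first_flag is not None else "maf"
        airflow = model if source == "model" else maf
        log.append({"i": i, "rpm": rpm, "maf": round(maf, 1), "model": round(model, 1),
                    "ratio": round(ratio, 3), "source": source, "airflow": round(airflow, 1)})
    return {"first_flag": first_flag, "log": log}


def run():
    return monitor(constructed_samples())


if __name__ == "__main__":
    result = run()
    for row in result["log"]:
        print(row)
    print("MAF declared implausible at sample:", result["first_flag"])
```

The altered sensor is only caught because the other inputs are untouched, which is exactly why a single-sensor piggyback gets disregarded rather than trusted.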
Keeping an old "clunker" in good running condition for continued use is greener than junking it, recycling it, and manufacturing a new hybrid.
Benefit: no buggy embedded systems to ruin your day or potentially kill you. And they are easier to work on.
The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes, and massive automotive recalls.
No? Really?
and discovered new ways to hack into them, sometimes with frightening results.
Riiight...
I think the US has a real problem with the scaremongering. You get FUD thrown around left and right. Everything is “oh teh horrorz!!!1one”. “Terrorists”, “hackers”, “catastrophes”, “glitches”, “conspiracies”, “threats” by the dozen a day... it doesn’t end.
I think the only real threat is forgotten on the way: People making you do what they want, by scaremongering you in the right way.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
A lot of us car nuts have been hacking our car computers for years. There are systems that go light years beyond the factory systems. 10 years ago, I was able to use my Palm Pilot II to modify my fuel trims while driving, monitor horsepower and adjust an electronically controlled boost controller for my turbo. That was all on a 1990 Talon AWD so it didn't even have OBD-II yet. My new model actually fully replaced the EEPROM chips in the ECU and has Bluetooth capabilities to be controlled from my smartphone; it controls the door locks, radio, moonroof etc. In theory, it would be a trivial Bluetooth hack to not only cause the engine to stop but to detonate the engine (destroy - not actually cause an explosion) by pulling the fuel trims too lean. The Bluetooth module was a snap-on vampire chip with a tiny lead to a receiver. The whole system looked 100% factory and was tiny. It would be a trivial system to integrate a remote kill, and unless they were specifically looking for a technology-related problem, investigators would likely never realize that it had been installed.
Why, no, occifer, but I think my kid was in here hacking the speedometer....
Depending on how radical you want to get, often the fix is to adapt a known / programmable computer to your car. There are many companies who sell kits to do this. "MegaSquirt" was one of the first I had heard of; now several sell for example a GM PCM with harness to fit your car, or sometimes a connector adapter if enough sensor signals are similar. I forget the company names, but a websearch will provide them. Not a solution but hopefully a different angle and fuel for thought...
Norton Security for OBD II!!
My Jetta's VCDS software and port (as well as the printed Bentley shop manual) come with big fat user warnings about taking precautions against accidentally setting off the airbags. In fact, with multi-stage systems, if you're sitting in the front seat, not buckled, maybe with a laptop on your lap, maybe scooted forward a tad, not resting back, you could probably end up with some serious ow-age.
(I know this, because my controller module has failed; and I'm debating whether to just remove it and live without airbags, or if I should have it re-flashed and deal with the risk of accidental discharge in the reinstallation process.)
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
But.... I have it on very good authority from many slashdot posters that brakes are hydraulic and no electronic issue could possibly affect them. Were they [gasp] WRONG?????
I'm going to call shenanigans on this post. There has never been a vehicle where you could remove the ECU and expect it to run.
A little history... The introduction of computers to vehicles has happened in many stages.
The first stage was the introduction of electronic ignition computers in the late 70s. These systems replaced the vacuum ignition advance on older cars. The signal from the distributor literally ran through the ignition computer. Removing the computer means that there is no connection between engine timing and plug coil. With the ignition computer removed, you have no spark, and the engine cannot start.
The next major step forward was the introduction of electronic fuel injection. This computer was responsible for controlling the fuel injectors. No ECU means no fuel in the cylinders, which means no running vehicle. Power for the injectors literally comes via the ECU. Without the ECU, the injectors are literally unplugged.
Later vehicles used more computers in more components of the vehicle, to the point that a computer controls the brakes on my motorcycle.
But, there was no time where you could remove an ECU and expect the vehicle to still run.*
* Yes, it is possible to disconnect a lot of the sensors on an electronically fuel injected vehicle, and it will still run. But the ECU must still be in place.
Seriously Slashdot... You call yourself geeks, and you fall for this kind of stuff? Shame.
Frankly, I'd *like* a hackable car... something that I can tinker with and mod and adjust.
Can anyone tell based on the photos in the article what model it is? Looks like a Japanese sedan of some kind... not sure exactly what. Does anyone recognize the dashboard display?
My bicycles
At least the current "Black Boxes" require physical connections to interface with the system. I've heard that several government agencies (EPA, Police) have been trying to get a few less than pleasant capabilities put in the standards for the next version of these devices (OBD-III). The most pertinent is wireless access, the primary stated purpose of which is for random emissions testing. Emissions enforcement drives through a parking lot querying all the cars if they have had any error codes in regards to emissions and all the cars who say "Yes" get tickets sent to their owners. I've also heard one of the more invasive "Road Use Tax" implementations would have the car not only store its mileage but GPS records so the owner could be taxed not only by distance but which roads they were on, and of course knowing where your car had been every minute of every day would be a "Happy" side effect. The icing on the cake is I believe at least one police department has requested a kill switch be put into the standard where they can use an electronic "gun" fired at a vehicle to kill its engine, hopefully it has NO chance of actually being implemented but that they even suggested it is somewhat disturbing.
But this is one of the many reasons everything I drive has no computers. I'll stick to simple proven technology that just plain works.
A remarkable number of car manufacturers use pretty nasty obfuscation in their OBDII/CAN systems outside of the basic emissions checks. I have a Volvo from 1998, and even though you couldn't cut my brakes or shift my transmission electronically, I need an $8000 box and an $8000/year subscription service to actually toy with the full diagnostic system.
Breaking news! Hacking tools called "physical access," "time" and "effort" can be used together to bypass ALL forms of security on EVERYTHING IN EXISTENCE, leaving you vulnerable not only to cyber-criminals, but terrorists and pedophiles as well! Will no one close this gaping security hole!?!? Does the car industry have no regard for our safety!?!?
I mean seriously, a car's ECU is airgapped from the outside world and has decent physical security. This is not news, and the automotive industry should ignore it for the stupid fluff that it is.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Take, for example, installing an aftermarket stereo: Many new cars don't have a wire that supplies 12V when you turn the key on to turn on the radio, the radio is always powered and listens to the CAN bus for the command from the car's BCM (body control module) to turn itself on.
I think that this is not a big deal. The radio in my car is permanently connected to +12V and I can turn it on and listen to music with the engine off and the key in my pocket. As long as the car supplies power and the speakers are analog I think that this could be done to any car...
Reading the comments on 3 different sites, it seems no one actually read the paper. Hey, here's a footnote on page 4:
We believe the risks identified in this paper arise from the architecture of the modern automobile and not simply from design decisions made by any single manufacturer. For this reason, we have chosen not to identify the particular make and model used in our tests. We believe that other automobile manufacturers and models with similar features may have similar security properties.
I really shouldn't have to tell you this, since you're security researchers and all, but those photos of a 2006+ Chevy Impala with your test harness? The ones you put in the paper? Yeah, they kind of identify the particular make and model used in your tests. Congratulations, GM.
Perhaps block diagrams would've been more appropriate?
Is the Carshark Software available on the net?
I've been looking for a good CAN monitor.
Hmm.
Remote start on my E36 BMW just required a magic box (consisting literally of a relay, a coil, and a box) into which a spare key was placed. The remote starter activates the relay in this box, which switched the coil near the ignition switch out of circuit, and replaced it with the one wrapped around the spare key inside the box.
Worked like a champ. I think I only had $90 in the whole kit, including the remote start, the spare key, and the magic box. I kept the key whole and buried the magic box and extra key deep inside the dashboard for security, though I could've easily cut off the metal portion of the key so that only the RFID-ish bits were with the car.
Is there some reason why you couldn't have gotten a spare M-B key, and done the same thing with IR instead of RF?
Kid-proof tablet..
You should be able to install a remote starter on an EIS-equipped Benz by just hiding a spare EIS key somewhere inside the console and tweaking the wiring appropriately, no? That's the solution used by a lot of ignition interlock systems.
Here's a neat factoid - CAN bus isn't just twisted-pair anyhow, Benz is rolling out fiber for the high-speed CAN bus these days.
I was pretty surprised the first time I bumped into CAN bus; I was at a party talking to a couple of guys swapping network troubleshooting techniques. At first, I thought they were fellow nerds; turns out they worked down at the local Mercedes dealership. Had some really interesting conversations with them and hit the books. CAN is almost as old as Ethernet, it's an IEEE spec, originally developed by... Bosch, IIRC. It's a totally real un-routed packetized micro LAN. Neat stuff!
Do daemons dream of electric sleep()?
If I had to guess, it's because the Mercedes system requires constant communication to have the engine run. So there's no way to switch over to the real key without the engine stopping. I suppose he could just use the hidden key to drive around with, but that would defeat any kind of security the remote start has, so once the car has been remote started anyone could hop into it and drive off.
On more conventional cars (this is all relative, of course) the handshaking only takes place when the engine is started. Even if the car constantly checks for the key, you would still need another physical key to put into the ignition to defeat the steering wheel lock and the interlock on the gearshift (assuming the car is an auto). The remote start module can also sense this so it would then know to not kill the engine if the brake is pressed (another safety/security feature).
Hmm.
Remote start on my E36 BMW just required a magic box (consisting literally of a relay, a coil, and a box) into which a spare key was placed. The remote starter activates the relay in this box, which switched the coil near the ignition switch out of circuit, and replaced it with the one wrapped around the spare key inside the box.
Worked like a champ. I think I only had $90 in the whole kit, including the remote start, the spare key, and the magic box. I kept the key whole and buried the magic box and extra key deep inside the dashboard for security, though I could've easily cut off the metal portion of the key so that only the RFID-ish bits were with the car.
You should open that box back up and destroy the metal key blade. If your car is ever stolen, the presence of that intact key will allow your insurance company to get out of covering the loss. It's pretty well known amongst professional installers.
Is there some reason why you couldn't have gotten a spare M-B key, and done the same thing with IR instead of RF?
To do so with the M-B EIS, you'd need to hack the EIS, ie. physically open and alter it. Extremely risky, and a replacement EIS is at least $400 and has to be programmed by M-B to operate in the specific car (in Germany! There's a facility in New Jersey that programs SmartKeys for the US market, btw.).
It would be pretty complicated even if you had access to the insides of the EIS. The EIS detects the presence of the key immediately upon insertion (the steering column unlocks as soon as you put the key in, even if you don't turn it.) So, you'd have to deal with two levels of activation.
The other problem, as toddestan notes, is that once you've tricked the EIS into talking to the hidden spare key for the remote start, the car can be stolen much more easily - the steering will be unlocked and there's nothing to stop anyone shifting out of park (I'd steal this type of car by winching it onto a flatbed tow truck, which you've made possible by unlocking the shifter even if the brake pedal interlock shuts off the remote start), and since there's a real key present, insurance won't cover the loss if the car is recovered (according to my auto insurance claims adjuster friend the insurance companies tend to investigate how high dollar cars were stolen if they're recovered).
I installed a bypass module in the Honda (a 2004 Civic) which had an RF transponder key, although this was a code-learning bus-based bypass that tapped into the data signal from the ignition lock key reader. It only needed to authenticate the transponder code when the ignition was initially turned on to get the engine to run; there was no ongoing authentication. I have one of the cheap key-in-a-box bypass modules that I bought by mistake, but it's so primitive that I couldn't bring myself to use it, especially since it actually costs more than the bus-type bypass because there's the additional cost of an extra transponder key.
I'd also note that the E36 BMW is an older model that went out of production right around the same time that M-B went from mechanical blade keys to SmartKeys. What's BMW using now for a key? I'm guessing it's a SmartKey with a different name?
Putting moderation advice in your
You should be able to install a remote starter on an EIS-equipped Benz by just hiding a spare EIS key somewhere inside the console and tweaking the wiring appropriately, no? That's the solution used by a lot of ignition interlock systems.
Nope. See above post. They carefully designed the SmartKey system to prevent any kind of operation of the vehicle without an authorized key in the EIS.
Here's a neat factoid - CAN bus isn't just twisted-pair anyhow, Benz is rolling out fiber for the high-speed CAN bus these days.
That's odd, there are twisted pairs in the car. In particular I noticed a twisted pair going to the C connector on the factory stereo, and according to the WIS (M-B service database), those pins are used for CAN for the steering wheel controls and radio data to the instrument cluster. Even more oddly, those features were not available on my car that year, even though it's wired for them and they're in the wiring diagrams.
I thought they were just using fiber for MOST (and formerly D2B) - they're mainly entertainment system buses. It could eliminate some of the weird problems like when CAN wires get wet though. I probably won't get a newer M-B for a couple of years. I'm saving up for an S.
I have an ELM327 adapter for OBDII, supposedly it can talk and listen on the CAN bus to any of the car's modules (if connected to the correct bus). I'll probably not get around to messing with it though.
Putting moderation advice in your
I was employed at a German car manufacturer. I know they were taking the risk somewhat seriously. What is often forgotten is that you can flash the firmware of many chips in the car (their top model has about 90, afair) via CAN bus. That is the bus that you can access somewhat easily from the outside, for instance via hooking up to the tire pressure sensor or the outside mirrors.
Also, no communication on the different networks is encrypted; apparently you can flash unsigned firmware without problems. A faulty web browser can't cause the engine to shut off, but it can certainly blare volume at max and roll down the windows. Or recalibrate the temperature sensor, which in turn influences ESP.
So, fun stuff. One of the reasons we don't see many attacks is that everything seems to be highly proprietary.
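The unsigned, unencrypted firmware flashing over CAN that the poster above describes shows up on the bus as ordinary UDS (ISO 14229) diagnostic traffic, which is also what a CAN monitor like the ELM327 mentioned a few posts up would capture. The script below is an added example, not code from the paper, from CarShark, or from any poster: it parses constructed candump-style log lines ("(timestamp) iface ID#DATA", the socketcan text format), unwraps ISO-TP single and first frames on the standard diagnostic request IDs (0x7DF functional, 0x7E0-0x7E7 physical), and flags the service IDs a tester sends when it puts an ECU into reprogramming (DiagnosticSessionControl with the programming session, SecurityAccess, RequestDownload, TransferData). The sample log is constructed; a real vehicle may use OEM-specific IDs instead of the standard ones.

```python
"""Flag UDS reprogramming activity in a candump-style CAN log.

Constructed example. Assumes the socketcan candump text format
"(ts) iface ID#DATA". The diagnostic request IDs and UDS service IDs
below are the ISO 15765 / ISO 14229 defaults; OEMs may differ.
"""
import re
from dataclasses import dataclass

# UDS services a tester uses to take an ECU into reprogramming mode
UDS_DIAG_SESSION_CONTROL = 0x10
UDS_SECURITY_ACCESS = 0x27
UDS_REQUEST_DOWNLOAD = 0x34
UDS_TRANSFER_DATA = 0x36
PROGRAMMING_SESSION = 0x02          # sub-function of 0x10

# Standard OBD/UDS request IDs: functional 0x7DF, physical 0x7E0..0x7E7
DIAG_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))

LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$")


@dataclass
class Frame:
    ts: float
    iface: str
    can_id: int
    data: bytes


def parse_candump_line(line):
    """Parse one candump text line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Frame(float(m["ts"]), m["iface"], int(m["id"], 16),
                 bytes.fromhex(m["data"]))


def uds_payload(frame):
    """Return (service_id, rest) from an ISO-TP single or first frame, else None."""
    if not frame.data:
        return None
    pci = frame.data[0] >> 4
    if pci == 0:                      # single frame: low nibble is payload length
        length = frame.data[0] & 0x0F
        payload = frame.data[1:1 + length]
    elif pci == 1:                    # first frame: 12-bit length, payload from byte 2
        payload = frame.data[2:]
    else:                             # consecutive / flow-control frames carry no SID
        return None
    if not payload:
        return None
    return payload[0], payload[1:]


def classify(frame):
    """Return a reason string if the frame is a reprogramming indicator, else None."""
    if frame.can_id not in DIAG_REQUEST_IDS:
        return None
    parsed = uds_payload(frame)
    if parsed is None:
        return None
    sid, rest = parsed
    if sid == UDS_DIAG_SESSION_CONTROL and rest and rest[0] == PROGRAMMING_SESSION:
        return "programming session requested"
    if sid == UDS_SECURITY_ACCESS:
        return "security access (seed/key) exchange"
    if sid == UDS_REQUEST_DOWNLOAD:
        return "firmware download requested"
    if sid == UDS_TRANSFER_DATA:
        return "firmware data transfer"
    return None


def scan_log(lines):
    """Return [(timestamp, can_id, reason)] for every flagged frame in the log."""
    alerts = []
    for line in lines:
        frame = parse_candump_line(line)
        if frame is None:
            continue
        reason = classify(frame)
        if reason:
            alerts.append((frame.ts, frame.can_id, reason))
    return alerts


# Constructed sample: one normal frame, one plain OBD mode-1 query (not flagged),
# then a programming session, a seed request, a multi-frame RequestDownload
# (first frame + consecutive frame) and a TransferData frame.
SAMPLE_LOG = """
(1.000) can0 0C4#0000000000000000
(1.010) can0 7DF#0201000000000000
(1.020) can0 7E0#0210020000000000
(1.030) can0 7E0#0227010000000000
(1.040) can0 7E0#1009340011000044
(1.050) can0 7E0#2100000000000000
(1.060) can0 7E0#0236010000000000
"""

if __name__ == "__main__":
    for ts, can_id, why in scan_log(SAMPLE_LOG.strip().splitlines()):
        print(f"{ts:.3f} 0x{can_id:03X}: {why}")
```

A dealer tool produces exactly the same frames, so the alert is only meaningful in context (no service visit, engine running, vehicle moving); the useful defensive lesson from the poster's point is that without signed firmware the bus itself offers nothing to tell a legitimate flash from an illegitimate one.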
I can't believe this was a study. Go ask any technician and they could have told you the same thing, and if you really want to have fun, playing with jumper wires is a blast. Like wiring someone's horn to their turn signal or more sinister you could trigger the air bag sensors and then wire the airbag squib to the brake on/off switch (air bag go boom we step on brake)