Hacking Automotive Systems
alphadogg writes "University researchers have taken a close look at the computer systems used to run today's cars and discovered new ways to hack into them, sometimes with frightening results. In a paper set to be presented at a security conference in Oakland, California, next week, the researchers say that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some nasty things, such as turning off the brakes, changing the speedometer reading, blasting hot air or music on the radio, and locking passengers in the car. The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes, and massive automotive recalls. It's to warn the car industry that it needs to keep security in mind as it develops more sophisticated automotive computer systems. Other experts describe the real-world risk of any of the described attacks as low." Here is the researchers' site, and an image that could stand as a summary of the work.
Or just get one of the few modern cars still left that don't come with all these unnecessary automated sales gimmicks, like the Ariel Atom.
The auto industry ALREADY encrypts the daylights out of most of their code! Which makes modifying it for performance reasons a PITA. I have to pay some guy a pile of cash to "flash" my current ECU because only a few guys have managed to figure out the code for it, unlike with other cars. Duh, it's a computer and it controls things, so yes, it can be messed with. But the auto industry already encrypts it and makes this difficult. So long as the auto dealers are able to modify things like speedometers and other things this will always be a "threat", so stop running around like Chicken Little. Sheesh! What, should they turn off the OBD-II standard codes so no one but a dealer can diagnose and make minor changes to cars? See how SEMA will like that, and all of the independent garages and shade tree mechanics. Then they will bitch that it's too locked down. Make up your minds and stop being so short-sighted...
Build it, Drive it, Improve it! Hybridz.org
Wrong method, it leaves obvious evidence. Clip some vicegrips on the flex hoses going to the front wheel cylinders. You've just eliminated 60% of the car's braking power. The pedal feels normal, or even a bit firmer than usual. Do it right and the vicegrips will come off when the car hits whatever it hits when the brakes (mostly) fail.
You'd have to reflash the PCM (ECU is an OBD-I term; this kind of stuff is only possible with OBD-II, which actually mandates the term "PCM" — if you want to be accurate, stop calling it an ECU in this context) entirely. I imagine that this sort of functionality is available on all modern cars; possibly not all OBD-II cars, but probably anything new enough to have CAN. Most OBD-II cars on the road do not use CAN anywhere, though today a car might have three or four CAN buses; PCM to OBD-II DLC (diagnostic link connector), PCM to transmission computer, PCM to BCM (body control module) and possibly even BCM to stereo. And other models exist but I personally think buying a car with a CAN bus shared between more than two components is asking for a foot in your ass.
I happen to like my mechanical diesels, which achieve efficiencies very near to modern systems. It's only too bad International-Navistar lacked the foresight to implement the engine as a full-mechanical design, as Mercedes did; your battery can explode and the engine keeps running until you shut it off, because the shutoff is a vacuum switch on the back of the ignition lock. I've had my alternator fail completely and my battery down to about 4V in my 300SD, still made it to work. Nobody will be tampering with my DLC :D
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
After I wrote that I found this web-site that explains how to use the device and what's going on. I still think that the dealer has some codes that are not OBDII certified that they use though. Incidentally, according to that web-site I linked to, the code machine is $200, but in this thread the person says the dealer is charging them $100 just to read the codes. Wow, expensive.
Gentlemen! You can't fight in here, this is the war room!
Sorry, but I think we'd all much rather have a car where the ABS (or, indeed, the brake pedal) can't be disabled entirely, where brakes can't be activated entirely by software, where you can't play with the mileometer just by sticking a box on the OBD port, or where the car cannot lock everybody inside if it crashes (the software, not the car!).
It's not a question of software freedom - it's a question of not having that capability automated in the first damn place. In every car I've ever owned, when I press the brake the wheels are slowed by huge hydraulic pressure whether or not the ECU / ABS is working. Sure, I wouldn't do without the ABS either but if it stops working, I can still bring the car safely to a halt. What we're discussing here are cars with computers that *DO* have control over what the brake pedal does - from nothing no matter how hard you press it, to full brakes no matter how you release it - and not the driver.
Some of the other things mentioned on the researchers' FAQ include the bonnet (hood) latch being software controlled. One software crash = one real crash. That's a sort of DRM you *don't* want anyway: where your entire ability to use the product is under the control of a computer that could crash at any minute, with serious consequences. Especially not when you're doing 70 mph.
It's the design that's stupid, not OBD, ECUs, or being able to tune your car using it if you really want to. They are separate issues. Why, why, why on earth would anyone *EVER* want to legitimately activate a mode on their car where the brake function no longer corresponds to the brake pedal position?
I've been "HACKING" car computers for a decade now, and a lot of other people have as well. Most hot-rodders, from import tuners to Vette performance guys, have been hacking ECMs. Many of the Honda hackers even go as far as opening up the ECM and desoldering chips to hack them. Changing the ignition timing table, fuel tables, disabling the rev limiter, disabling Passkey for engine swaps (I do this with the GM 3800SC and its ECM from the Buicks), adding features, changing a standard ECM program to a program that understands boost for a turbo install... etc.
Heck, a friend of mine is hacking the computer that controls the new power steering system in cars so we can retrofit power steering to vehicles that don't have it.
I guess us car ECM hackers are the new "EVIL DOERS"
Do not look at laser with remaining good eye.
The only problem is that the mechanical diesels don't achieve emissions very near to modern systems.
Of course, I have the same attitude you do (that the older cars are better), except I complain about failure-prone and biodiesel-incompatible diesel particulate filters while praising my rotary-injection TDI.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
As a car modder who has been doing this kind of stuff (not malicious) since the early 1990s: wow, welcome to the future, guys.
Just an example: when my throttle position is above 90% depressed, my A/C compressor disengages (or rather the A/C clutch engages), giving me that little bit of horsepower and theoretically saving my compressor from the 7500 RPM (engine speed, not compressor speed) redline. I did this in an afternoon using only software.
The ECU has a lot of control over the car, especially in drive by wire cars... My car happens to have a cable accelerator, and I vastly prefer that because of throttle response time (a physical link is better most of the time than a software one, assuming both are properly maintained).
If they were really trying to be malicious without being deadly, you could change the air/fuel ratio to be really lean and burn up the valve train the first time they hit the gas pedal; there is no physical override for that, not like brake pedals (which, if you turn it off, merely removes the power assist and only prevents you from stopping the car if you aren't strong enough to push the pedal down).
OBD II is all well and good for basic emissions/driveability/MIL diagnostics, but adding security to the other functions, such as the door locks, windows, etc. could basically kill the aftermarket alarm/remote start business.
On many (if not most) cars these days, many of the basic functions such as door locks are controlled via a CAN bus (a 2-wire twisted pair network) and more and more functions are migrating to network control rather than having dedicated wiring. In my car, everything other than the lights and the radio is run over CAN (even the seat adjustments and the rear window defogger).
Take, for example, installing an aftermarket stereo: many new cars don't have a wire that supplies 12V when you turn the key on to turn on the radio; the radio is always powered and listens to the CAN bus for the command from the car's BCM (body control module) to turn itself on. On these cars, a separate aftermarket module has to be installed to turn the radio on (or the installer has to dig around in the car to find something else that only turns on with the key, like a power outlet). There are also aftermarket modules that can translate the CAN bus commands from the car's factory steering wheel controls to control an aftermarket stereo.
Adding a layer of security (presumably encryption or authentication) could cripple these abilities with aftermarket equipment.
Don't believe me? Well, take the example of remote start on my current car, a 1999 (yes, 12 model years old now) Mercedes-Benz. I have installed 3 remote start systems on various cars (a Subaru, a Honda, and a Mazda) which were what I'd call conventionally-wired cars, having accessible wires to turn the ignition and engine computer on and start the car. Easy. Cost: under $100 for all the parts, including extra relays to turn on accessories and such.
On my '99 M-B, the engine computer will not allow the engine to run unless it can maintain a constant 2-way conversation over a separate CAN bus between itself and the EIS. What's the EIS? It's the Electronic Ignition Switch. Here's where things get complicated. M-B cars don't use conventional keys any more; they use a "SmartKey", which is an electronic key fob thing that inserts like a key, but has an infrared emitter-receiver in the end. The EIS supplies power to the SmartKey via an inductive coil around the key opening. The EIS and the SmartKey then engage via infrared in a continuous encrypted conversation which authorizes the EIS to tell the engine computer to let the engine run. Because you need to have the SmartKey in place, it has been impossible to install a remote start system.
Recently, a remote start system became available for my car (sold new 12 model years ago, remember), which will simulate the EIS' conversation with the SmartKey and allow the factory remote's Panic alarm button to be repurposed to start the car (the SmartKey is also the remote, but don't worry about that, it's actually two devices in one package). Cost: $1000. That's over ten times the cost of a remote start system for a regular car. And it took 12 years to develop.
All because of a single encrypted function. Admittedly, a really well designed one that makes the car impossible to hotwire, but you can see what problems might face the aftermarket if things like door lock controls became encrypted.
All in all, this research exercise is just stupid. Of course you can make a complicated system do silly things if you have physical access to it. I don't see the point of adding encryption to it when the aftermarket will have to figure out how to bypass it eventually anyway.
Off topic, but in case anyone's interested, you can have up to 24 SmartKeys issued for an M-B vehicle, but I think only eight can be active at one time. The service information talks about having three ranks of eight keys. Once you need to replace the key for the 24th time, you need to replace the EIS, the engine computer and a couple of other items. SmartKeys can only be ordered at a dealer and you h
Putting moderation advice in your
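The EIS/SmartKey conversation described in the post above, as an added example that is not part of the original post and is not Mercedes-Benz's actual protocol: a generic HMAC-SHA256 challenge-response between an ignition-switch module and a key token. The class names, the 16-byte random challenge, the choice of HMAC-SHA256 and the demo secret are all assumptions made for illustration. What it shows is why a module that does not hold the key's secret cannot stand in for the key, why a recorded answer is worthless against the next challenge, and why the engine stays enabled only as long as the conversation keeps succeeding.

```python
"""Added example: a challenge-response immobilizer handshake (illustrative,
not Mercedes-Benz's SmartKey/EIS protocol). HMAC-SHA256 and the 16-byte
challenge are choices made for this demo; the secret is a constructed value."""
import hashlib
import hmac
import secrets
from typing import Optional


class SmartKeyToken:
    """Key side: holds the shared secret and answers whatever it is challenged with."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class IgnitionSwitch:
    """EIS side: issues a fresh random challenge each round and reports
    'engine may run' only while the most recent round succeeded."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Optional[bytes] = None
        self.engine_enabled = False

    def challenge(self) -> bytes:
        # Fresh 16 random bytes per round, so an old answer never matches again.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            self.engine_enabled = False
            return False
        expected = hmac.new(self._secret, self._pending, hashlib.sha256).digest()
        self._pending = None  # exactly one answer accepted per challenge
        # compare_digest is constant-time and returns False on a length mismatch
        self.engine_enabled = hmac.compare_digest(expected, response)
        return self.engine_enabled


def run_rounds(eis: IgnitionSwitch, key: Optional[SmartKeyToken], rounds: int) -> int:
    """Simulate the continuous conversation. Each round the EIS challenges and the
    key (if present) answers. Returns how many rounds the engine was allowed to
    run; a wrong or missing key ends the conversation with the engine disabled."""
    allowed = 0
    for _ in range(rounds):
        chal = eis.challenge()
        if key is None:
            eis.verify(b"")  # nothing answered: engine disabled
            break
        if not eis.verify(key.respond(chal)):
            break
        allowed += 1
    return allowed


def replay_is_rejected(eis: IgnitionSwitch, key: SmartKeyToken) -> bool:
    """Record one genuine answer, then present it again for the next challenge.
    Returns True when the EIS refuses the reused answer (the expected outcome)."""
    recorded = key.respond(eis.challenge())
    eis.verify(recorded)  # genuine round succeeds
    eis.challenge()  # new nonce
    return not eis.verify(recorded)


DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed for the demo

if __name__ == "__main__":
    eis = IgnitionSwitch(DEMO_SECRET)
    print("genuine key, rounds allowed:", run_rounds(eis, SmartKeyToken(DEMO_SECRET), 5))
    print("wrong secret, rounds allowed:", run_rounds(eis, SmartKeyToken(b"other"), 5))
    print("no key present, rounds allowed:", run_rounds(eis, None, 5))
    print("replayed answer rejected:", replay_is_rejected(eis, SmartKeyToken(DEMO_SECRET)))
```

The design point for the aftermarket discussion is that the difficulty the poster describes follows directly from this structure: a remote-start box has to either hold the key's secret or keep a real key answering, because nothing observable on the bus lets it compute the next answer.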
Swing axle was not dangerous, Mister Nader. Asshats who can't drive or think a stock swing axle Volkswagen is a slalom car don't belong in the driver's seat of one. My '68-based (yes, swing axle) Speedster, on the other hand, handles better than most modern vehicles, but it's got 4-wheel disc brakes, suspension limiters, modern shocks, and 50 series tires. No wheel tuck, low center of gravity: a purpose-built car. Purpose of a VW Beetle: cheap, reliable, slow transportation. Just use the original traction control system: your hands, feet, brain, and seat of the pants. Worked for many years. People these days don't drive cars, they just ride in them. Also, just FYI: the '68 swing axle is a one-off in axle length/track, i.e. all earlier ones were also swing axle but in different lengths.
In this case they are talking about the OBD-II port, a physical port inside the vehicle (often in the driver's footwell). You can get OBD-II connectors that are Bluetooth (though that would be short range) and WiFi connectors (such as the OT-2). So as long as you can connect via WiFi you could send commands onto the shared command bus.
This "hack" really isn't surprising at all. There are plenty of vehicles you can flash or change settings on via the OBD port (such as Subarus). Scan tools only use read commands on the port, but the port itself doesn't stop you from issuing other commands on it, and even if there were some chip checking what commands were issued you'd just have to tap into the shared bus elsewhere.
"If you are going through hell, keep going." - Winston Churchill
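The post above makes the point that the OBD-II port carries more than the read commands a scan tool issues. As an added example (not code from any poster, the researchers or any vendor), here is a small Python monitor from the defender's side: it reads `candump -L` style lines as produced by Linux SocketCAN tooling and flags the diagnostic requests that open sessions, unlock, write or flash an ECU, using the ISO 15765-4 request IDs and ISO 14229 (UDS) service numbers. The capture lines are constructed for the demonstration; the set of flagged services is a starting point that a real deployment would tune to the vehicle.

```python
"""Added example: flag session-establishing and write-class diagnostic requests
in a CAN capture. IDs, transport layout and service numbers follow the public
ISO 15765-4 / ISO 15765-2 / ISO 14229 standards; the log lines are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ISO 15765-4 (OBD-II over 11-bit CAN): testers send to the functional request
# ID 0x7DF or to one ECU at 0x7E0-0x7E7; ECUs reply on 0x7E8-0x7EF.
OBD_FUNCTIONAL_REQUEST = 0x7DF
OBD_PHYSICAL_REQUESTS = range(0x7E0, 0x7E8)

# ISO 14229 services that open a session, unlock, write or flash an ECU.
# Read-only services a scan tool normally issues (0x01 current data, 0x03
# stored DTCs, 0x22 ReadDataByIdentifier) are deliberately not listed.
PRIVILEGED_SERVICES = {
    0x10: "DiagnosticSessionControl",
    0x11: "ECUReset",
    0x27: "SecurityAccess",
    0x2E: "WriteDataByIdentifier",
    0x31: "RoutineControl",
    0x34: "RequestDownload",
    0x36: "TransferData",
}


@dataclass
class CanFrame:
    timestamp: float
    interface: str
    arb_id: int
    data: bytes


@dataclass
class Alert:
    timestamp: float
    arb_id: int
    service: int
    name: str


def parse_candump_line(line: str) -> Optional[CanFrame]:
    """Parse one `candump -L` record: "(timestamp) iface ID#HEXDATA". Returns None
    for anything that does not fit, so junk in a capture never aborts the scan."""
    parts = line.split()
    if len(parts) != 3 or not (parts[0].startswith("(") and parts[0].endswith(")")):
        return None
    id_hex, sep, data_hex = parts[2].partition("#")
    if not sep:
        return None
    try:
        return CanFrame(float(parts[0][1:-1]), parts[1], int(id_hex, 16), bytes.fromhex(data_hex))
    except ValueError:
        return None


def diagnostic_service(frame: CanFrame) -> Optional[int]:
    """Return the service ID if the frame is a tester request, else None.
    ISO 15765-2: a single frame starts with PCI 0x0N and carries the service ID
    in data[1]; the first frame of a segmented message starts with 0x1N LL and
    carries it in data[2]; consecutive (0x2N) and flow-control (0x3N) frames
    carry no service ID at all."""
    if frame.arb_id != OBD_FUNCTIONAL_REQUEST and frame.arb_id not in OBD_PHYSICAL_REQUESTS:
        return None
    if len(frame.data) < 2:
        return None
    pci_type = frame.data[0] >> 4
    if pci_type == 0x0:
        return frame.data[1]
    if pci_type == 0x1 and len(frame.data) >= 3:
        return frame.data[2]
    return None


def scan_capture(lines: Iterable[str]) -> List[Alert]:
    """Run the detector over a capture; unparsable lines are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        frame = parse_candump_line(line)
        if frame is None:
            continue
        sid = diagnostic_service(frame)
        if sid in PRIVILEGED_SERVICES:
            alerts.append(Alert(frame.timestamp, frame.arb_id, sid, PRIVILEGED_SERVICES[sid]))
    return alerts


# Constructed capture: a normal scan-tool read and its reply, ordinary broadcast
# traffic, then a tester opening an extended session, asking for a security
# seed and starting a segmented write.
SAMPLE_CAPTURE = [
    "(1700000000.000000) can0 7DF#0201050000000000",  # mode 01 PID 05: coolant temp (benign)
    "(1700000000.010000) can0 7E8#0341057A00000000",  # ECU reply on a response ID (ignored)
    "(1700000000.020000) can0 123#1122334455667788",  # unrelated broadcast frame
    "(1700000000.500000) can0 7E0#0210030000000000",  # 0x10 DiagnosticSessionControl (extended)
    "(1700000000.510000) can0 7E0#0227010000000000",  # 0x27 SecurityAccess requestSeed
    "(1700000000.600000) can0 7E0#10082EF190010203",  # first frame of 0x2E WriteDataByIdentifier
    "(1700000000.610000) can0 7E0#2104050000000000",  # consecutive frame, no service ID
    "this line is not a candump record",
]

if __name__ == "__main__":
    for a in scan_capture(SAMPLE_CAPTURE):
        print(f"{a.timestamp:.6f} id=0x{a.arb_id:03X} service=0x{a.service:02X} {a.name}")
```

Run against a live capture it would be fed from `candump -L can0`; the useful operational question is not whether such frames ever appear (a dealer tool produces them legitimately) but whether they appear outside a workshop context, which is why the alert keeps the timestamp and the addressed ECU.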
Just wait for the car makers to decide that climbing into a car to attach to a wired diagnostic port is old school and add wireless access. This feature will be great, because when you drive onto the dealer's lot they can already start diagnosing your car!
BTW, don't the OnStar type systems connect to the ECU?
http://www.carpartslights.com/elm327-bluetooth-obdii-obd2-scanner-vagcom-can-elm-327-p-28.html
(Now you know what to look for at least, when checking to see what the crazy ex-g/f might have put in there....)
Actually, a whole bunch of us REALLY wish one of you experts at ECM hacking would figure out the Delphi branded ECU found in the Hyundai Genesis Coupe 3.8 V6!
It's a great little sports car at a reasonable price-point, but so far, it seems like its engine is held back from its full potential because the ECU can't be directly reprogrammed.
(Apparently, some folks in Korea have already cracked its ECU and done some custom tuning so they could add things like superchargers or turbos ... but here in the USA, we can't seem to get our hands on any of that info. I suspect part of it is purposeful on their part. I think the Korean tuning community rather enjoys keeping a lead over people in the USA for as long as possible, so they can keep taunting us with YouTube videos of their accomplishments, etc.)
A company called Road Race Motorsports released a couple different "piggyback" boxes that claimed to add as much as 20HP or so by plugging-in between the ECU connector and one of the sensors on the car -- but everyone on the car forums testing them out has seen negligible results, and sometimes dyno tests show power LOSSES with these things. As best as we can determine, the boxes are functioning like they're supposed to, but modifying the data coming from just one sensor (such as the mass airflow sensor) isn't enough to really trick the ECU into advancing timing or changing air/fuel ratios. Apparently, it sees unchanged readings from other sensors on the car and assumes the input is flawed, and starts disregarding it or acting on it in unexpected ways.
A lot of us car nuts have been hacking our car computers for years. There are systems that go light years beyond the factory systems. 10 years ago, I was able to use my Palm Pilot II to modify my fuel trims while driving, monitor horsepower and adjust an electronically controlled boost controller for my turbo. That was all on a 1990 Talon AWD, so it didn't even have OBDII yet. My new model actually fully replaced the EEPROM chips in the ECU and has Bluetooth capabilities to be controlled from my smartphone; it controls the door locks, radio, moonroof etc. In theory, it would be a trivial Bluetooth hack to not only cause the engine to stop but to detonate the engine (destroy, not actually cause an explosion) by pulling the fuel trims too lean. The Bluetooth module was a snap-on vampire chip with a tiny lead to a receiver. The whole system looked 100% factory and was tiny. It would be a trivial system to integrate a remote kill, and unless they were specifically looking for a technology-related problem, investigators would likely never realize that it had been installed.
You haven't worked on a late model car before. You can turn systems on and off to troubleshoot them. Before, you could do this mechanically. Now, you have to use a computer. Setting the speedometer is pretty common when a tire size is changed. Setting the odometer can usually only be done once each time you replace the instrument cluster. All I know, as someone that still likes to turn their own wrenches, is that I don't want more security on the only way I can still work on my own car. If they lock me out of the diagnostics port, I won't buy the car.
OBD-II (and OBD-I to a lesser extent, before it was superseded) exists for that exact reason.
Every manufacturer used to do their own random proprietary crap. Governments who wanted to access the computer for emissions controls started requiring them to standardize so they didn't have to buy new crap and codes every time the manufacturer decided to change things just to make it so you have to buy stuff from them.
The government basically stepped in and stopped the DRM up front, which is why these ports are actually useful in the first place.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
My Jetta's VCDS software and port (as well as the printed Bentley shop manual) come with big fat user warnings about taking precautions against accidentally setting off the airbags. In fact, with multi-stage systems, if you're sitting in the front seat, not buckled, maybe with a laptop on your lap, maybe scooted forward a tad, not resting back, you could probably end up with some serious ow-age.
(I know this, because my controller module has failed; and I'm debating whether to just remove it and live without airbags, or if I should have it re-flashed and deal with the risk of accidental discharge in the reinstallation process.)
These are my friends, See how they glisten. See this one shine, how he smiles in the light.