Hacking Automotive Systems

alphadogg writes "University researchers have taken a close look at the computer systems used to run today's cars and discovered new ways to hack into them, sometimes with frightening results. In a paper set to be presented at a security conference in Oakland, California, next week, the researchers say that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some nasty things, such as turning off the brakes, changing the speedometer reading, blasting hot air or music on the radio, and locking passengers in the car. The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes, and massive automotive recalls. It's to warn the car industry that it needs to keep security in mind as it develops more sophisticated automotive computer systems. Other experts describe the real-world risk of any of the described attacks as low." Here is the researchers' site, and an image that could stand as a summary of the work.

Cccess to unlocked car = can damage it, duh

[noidentity]

Someone with access to your unlocked car can cause it to malfunction by messing with its systems, story at 11!

Re:Cccess to unlocked car = can damage it, duh

[clone53421]

Then it’s a good thing that they’ve already thought of that, I guess.

He and co-researcher Tadayoshi Kohno of the University of Washington, describe the real-world risk of any of the attacks they've worked out as extremely low. An attacker would have to have sophisticated programming abilities and also be able to physically mount some sort of computer on the victim's car to gain access to the embedded systems. But as they look at all of the wireless and Internet-enabled systems the auto industry is dreaming up for tomorrow's cars, they see some serious areas for concern.

Re:Cccess to unlocked car = can damage it, duh

[hesiod]

I would guess it's related to the Anti-lock Brake System, which needs to calculate how much force should be applied and how rapidly.

Re:Cccess to unlocked car = can damage it, duh

[DriedClexler]

An attacker would have to ... be able to physically mount some sort of computer on the victim's car

Yeah, and if I could physically mount your wife, I could inject her with all sorts of viruses, maybe even spawn a child process!

So, is "security hole" the next euphemism for vagina?

Re:Cccess to unlocked car = can damage it, duh

[fractoid]

If it's your car, then it's easy enough to install the required hardware. I like the idea of installing a remote GPRS throttle switch. "Steal my car, will ya? Well FUCK YOU! EAT CONCRETE WALL!" *hits 'accelerate forever' button*

So what?

[franz]

Computer or no computer, if I climbed under your car in the parking lot, I could cut the brake lines.

Re:So what?

[thijsh]

There are some real-world scenario's where this can be used... A cut break-line will be detected by professionals, just like explosives, and every car is inspected prior to leaving with a VIP. So cutting the break line on the presidents limo probably won't get an attacker anywhere. But if the attacker could load software that stalls the engine or cuts the brakes at a predefined time (and place) the attackers can kidnap or kill the VIP without any advance indication that the car has been compromised.

FTA: "In one attack that the researchers call 'Self-destruct' they launch a 60 second countdown on the driver's dashboard that's accompanied by a clicking noise, and then finally warning honks in the final seconds. As the time hits zero, the car's engine is killed and the doors are locked. This attack takes less than 200 lines of code -- most of it devoted to keeping time during the countdown."

Remove the clicking and countdown and no-one will know the car is sabotaged until it's too late. When I would be in charge of securing the president or other VIPs during transport I would want to be able to know if the vehicle has undetectable security flaws like this... The problem is that you don't even know if the software might have been compromised in the months/years that the car has been in service.

Re:So what?

[germansausage]

Wrong method, it leaves obvious evidence. Clip some vicegrips on the flex hoses going to the front wheel cylinders. You've just eliminated 60% of the cars braking power. The pedal feels normal, or even a bit firmer than usual. Do it right and the vicegrips will come off when the car hits whatever it hits when the brakes (mostly) fail.

Re:So what?

[fl!ptop]

if I climbed under your car in the parking lot, I could cut the brake lines

This is true, however your target would notice their brakes didn't work before pulling out of the parking space, when they pressed them to put the car into gear. Even if the car had a standard transmission, your target wouldn't get far in the parking lot before realizing something was wrong.

Getting the brakes to fail at any time after the car is in motion would be impressive.

Re:So what?

[geekoid]

Fine, A tine explosive the sets after the vehicle hits 55 mph.

Re:So what?

[thijsh]

Getting the brakes to fail at any time after the car is in motion would be impressive.

Using this hack an attacker could probably let the brakes fail the moment you go over 100mph, as well as disabling steering-assist and traction control, and maybe even floor the gas pedal...
This is the ultimate 'digital brake line cut' turning the vehicle into a crippled metal cage of death hurling to whatever is in front of it with (most likely) lethal consequence.

Re:So what?

[Mister+Whirly]

If the security people can find cut break lines, what make you think they would miss the computer plugged into the diagnostic port? The one sending and reviving radio waves all over the place that are very detectable? Something tells me that VIPs already knew about the possibility of this vector of atttack and either check the diagnostics port already as part of their security sweep of the car, or have the diagnostic port armored or even removed to prevent tampering. The point being made was that physical access - to a car or computer - quickly can be game over. But with a car they physical evidence would probably be easier to detect.

Re:So what?

[jackbird]

Think 'open hood,' 'attach doohickey,' 'wait 30 sec. while it flashes the new firmware,' 'remove doohickey'. Bonus points if you can compromise the motor pool's code reader while the VIP limo is nowhere nearby, and the trustworthy mechanic is the one inadvertently doing the flashing during routine scheduled maintenance.

Re:So what?

[thijsh]

That's exactly how it's done, and coincidentally also the plot for the upcoming Hollywood movie "Hacking to Kill" where Steven Seagal jumps onto the moving out-of-control-VIP-car and rips the computer (with engine and all) out of the car with his teeth... It's the only way to be sure. :)

Re:So what?

[thijsh]

When they know how to use the hardware it should be trivial to flash the internal software... But there are enough posts describing this already.

Re:So what?

[dkleinsc]

Because it makes this scenario much more likely?

Re:So what?

[Sethumme]

I saw the early release. Not very good. Seagal movies are only believable when he's a cook.

Re:So what?

[JWSmythe]

    Good point.

    Everyone says "cut the brakes", but that's too easy, and detectable.

    A pound of C4 in the gas tank, with a remote detonator would cause more damage, and it would be completely undetectable. Of course, the time required to slide a boxcutter across the brake line is significantly less than it would take to remove and reinstall the fuel pump (the only place to access the inside of the fuel tank).

    It's not actually necessary to cut a brake line. You can just loosen the bleeder and it will have the same effect.

    I had this effectively happen on my car, but with the clutch. I had the clutch master go, so I replaced it and had to bleed the whole system. Apparently at 11pm by flashlight, I didn't tighten the bleeder as tight as it should have been. 4 months later, while I was driving to a friends place the clutch became squishy. When I turned around to go home, I made it about a mile before the clutch had failed completely. It's not always fun to bleed the clutch in an parts store parking lot, but it can be done. :)

    A cut brake line is pretty obvious, when the brakes don't work right. That can usually be felt before the car is ever put into drive. The front and rear brakes are usually segregated, so cutting just say the front lines will still allow the vehicle to stop. The emergency/hand brake is usually a physical connection, as opposed to the hydraulic brake system for the normal driving brakes. To disable a vehicle from stopping, you'd have to damage all three systems.

    I once fixed a car for someone, who's brakes didn't work "quite right". It turned out the car was flood damaged before they bought it. By the time they brought it to me, three of the brake calipers were frozen and wouldn't engage the brakes at all. The fourth was working, but the pads had worn out since they were the only thing stopping the car. The full repair was replacing all three calipers, pads on all four wheels, flushing the brake system, and 6 wheel lugs (they were rusted in place and broke when I was taking it apart). Their response was "oh, it stops better now."

    Most of the viable damage you can do to a car from under it will render it nonoperational, rather than dangerous.

    Having the source code to the computer really isn't necessary. Without a selective trigger, the odds of malicious code doing damage to the correct target are very slim. VIP vehicles do a lot of driving, frequently without the VIP inside.

Re:So what?

[JWSmythe]

    Actually, that's frequently done for lower class circle track racing. You simply crimp the right side brakes, and no, you don't leave the vice grips on. Once the steel lines are crimped, they stay that way.

    Circle track drivers adjust their cars significantly to turn left. They use larger tires on the right side, lower the suspension on the left, and significantly adjust the alignment. Everything is done so it handles better on left hand turns. It's funny watching them drive through the pits, trying to drive in a straight line. They don't do that very well at all. :)

    When racing, the front and rear straightaways aren't taken straight, they're taken as a long curve so they are way outside and dive in to the apex and then back out. When you tap the brakes for the turns, you want it to pull left.

 

Yeah...

[Pojut]

...no matter how insecure they are, until hackers find a way to wirelessly connect to my car that doesn't have a wireless connection, I'm not going to worry.

Now if you'll excuse me, I have to make sure some crazy ex-girlfriend doesn't have something stuffed in my OBDII port. "Your mom's OBDII port is stuffed!" Dammit! Almost made it without the mom joke...

Re:Yeah...

[gardyloo]

Almost made it without the mom joke...

      That's what she said.

I'm not worried about those hacks

[wiredog]

We all know that once someone has physical access to your system it's theirs. But can they do this via OnStar or other remote access systems?

Re:I'm not worried about those hacks

[BarryJacobsen]

We all know that once someone has physical access to your system it's theirs. But can they do this via OnStar or other remote access systems?

If they can, I'm rushing out to get OnStar - that'd be a lawsuit waiting to happen!

Re:I'm not worried about those hacks

[zmaragdus]

OnStar themselves can do several things like disable your engine, track your car, open the doors, etc. I would expect that it's theoretically possible (though unlikely) that a person could hack into your car via that method. It would certainly be quite a feat of hacking, but I believe it is possible.

Re:I'm not worried about those hacks

[ledow]

People have physical access to the outside of my car, it doesn't mean they can change my speedo, mileometer, fuel mixture, etc. quickly and without me realising that something has happened. They certainly can't do it just by plugging a box into the port even if they *do* break into my car... because my car is mechanical and doesn't run with this sort of shit (Note: I can and have removed the entire ECU box from a car in the past - it runs, but slowly and less efficiently and may not pass an emissions test, but it still works in a driveable condition - very modern cars literally do not work without them so they are "essential" and thus should work as bloody advertised).

All of these things were done over an ODB cable to a standardised port on every car. On every decent model of car, they should be read-only information about the car's engine. The port is standardised, commonplace, accessible from the driver's seat (by law in the EU), hidden, and (with these models) accepts almost any device / commands without question. It's standard practice to connect an OBD box to modern cars if they have an indicator light up (in fact, it's usually the ONLY way to clear such a light). My car has one. I'm pretty damn sure that you can't modify my mileage or speedo via that route, though, or my fuel mixture, or stop my brakes working. About the worst you might be able to do is clear a warning light. This is because the OBD is designed properly, doesn't allow things it doesn't and it helped by the fact that my speedo is a needle connected to a magnetic induction coil produce by a spinning cable spun at a ratio of the speed of the wheels, and my mileometer is a tick-over-style mechanical one. The Prius-scare should have shown people what happens when you take away control of a vehicle from a driver and put it in the hand of a computer - it was discussed that virtual-ignition-systems, virtual-gearing-systems, etc. are just dangerous and provide no advantage to anyone.

Nobody is saying these things are not do-able on any car with physical work, we're asking why the hell they are modifiable over such a cable in such a "simple" way that someone could literally sell a box on eBay that, when connected to a car, can fraudulently adjust mileage, turn on hot air vents, TURN OFF THE BRAKES (FFS!), and basically cause it to crash and explode whenever you want. That's *NOT* what the OBD standard is for - it's for diagnostics and diagnostic indicators. Why the hell can I adjust the hot air vent through that cable?

The problem is that there is absolutely no NEED for the speedo to be "writable" over a diagnostics cable, or anything else for that matter. The only "writable" things should be to clear diagnostic lights, which will inevitably pop up again if the problem is "real". So you can't just switch off the ABS light on a car and then sell it as having working ABS... OBD logs and records such actions in the car itself and will redisplay those indicators if there is a real problem still.

Why the hell would you *ever* want to be able to modify information like that? Why should a mechanic ever be able to adjust the mileage on the car? It's stupid, not-thought-through and terrible design. Next up is being able to open the doors of any car that has Bluetooth OBD, or changing the VIN numbers or whatever. It's just ridiculous. Even if the car is computer controlled, there are some places where access control of sorts should prevent certain actions.

Re:I'm not worried about those hacks

[Pojut]

or changing the VIN numbers or whatever

NOOO!!!! You were doing so well, with such an awesome post...and you had to pull the ol' Vehicle Identification Number Number bit, didn't you? DIDN'T YOU?!?!?!?!

p.s. Cars only have one VIN. It isn't just in the ECU, it's also stamped on the original engine, the transmission, the frame, and on a plate on the dashboard (at least in the US)

Re:I'm not worried about those hacks

The problem is that there is absolutely no NEED for the speedo to be "writable" over a diagnostics cable

What if you change your tire size?

Re:I'm not worried about those hacks

[dubbreak]

In this case they are talking about the OBD-II port, a physical port inside the vehicle (often in the driver's foot well). You can get a OBD-II connectors that are bluetooth (thought that would be short range) and wifi connectors (such as the OT-2). So as far as you can connect via wifi you could send commands onto the shared command bus.

This "hack" really isn't surprising at all. There are plenty of vehicles you can flash or change settings via the OBD port (such as Subarus). Scan tools only use read commands on the port, but the port itself doesn't stop you from issuing other commands on it and even if there were some chip checking what commands were issued you'd just have to tap into the shared bus elsewhere.

Re:I'm not worried about those hacks

[phantomcircuit]

It's a pretty safe bet that OnStar is vulnerable to some kind of attack.

More to lose than to gain

[llZENll]

It would seem to me we have a lot more to lose by auto manufacturers implement software security than to gain. Its hard enough as it is for repair shops to work on engines and electronics without adding security, which would make repairs even more proprietary and expensive. With almost nothing to gain, if someone wants to disable your brakes they can (gasp) damage your brake line without even opening your car door! Mess with your tires, exhaust, gas, etc. There are many more ways to mess with your car externally than via the software port. And yet somehow the earth keeps rotating.

Re:More to lose than to gain

[Pojut]

Its hard enough as it is for repair shops to work on engines and electronics without adding security, which would make repairs even more proprietary and expensive.

No offense intended, so please don't take this as such. Mods, please mod offtopic:

You haven't worked in a shop before, have you? Whether you have a cheap OBDII scanner or a full-blown diagnostic tool, so long as the car uses OBDII, you can pull codes from it and subsequently replace the fouled O2 sensor, know which cylinder had a misfire, etc. The full-blown diagnostic tools are useful for crazy-hard problems to solve, but your average scanner bought at Autozone is sufficient enough for the vast majority of code-related problems you would encounter.

Also, I got news for you: electrical problems have been a bitch to deal with for literally decades. There isn't really anything that could make them more frustrating to deal with...they are already at that point due to the nature of electricity and the amount of wiring in a car.

If you take your vehicle in because your check engine light is on and you need the diagnostic code pulled, and the shop tells you it's difficult...take your car to another shop. Sure, there are some brands (BMW, for example) that have propriety connectors, but for most of the cars out on the road, their ECU can be accessed using the same tool.

Re:More to lose than to gain

[Pojut]

www.obd-codes.com is your friend.

Re:More to lose than to gain

[couchslug]

IAAM (I Am A Mechanic) too.

Current OBD systems aren't guaranteed to be the future standard, and if the makers can use the excuse of "security" to restrict access to an increasing number of functions (including "functions yet unborn" they can ensure a revenue stream.

Trusting auto makers to ensure easy system access is like trusting Sony to look after your PlayStation.

Re:More to lose than to gain

First off, my apologies to labeling you as never worked in a shop. I stand corrected.

Unless something huge has changed in the five years since I stopped working in a shop, we were able to pull codes from European cars with no problem.

Yes, you can buy the tools. But how do you justify buying a $30,000 TestBook system (yes, that is how much it cost, and that is what it was called) that, for the most part, is only useful for resetting EAS Fault codes? That didn't happen over the last 5 years, it happened in late 1995. But this is just for the Land Rover line. Say you need to deal with BMW? Or M-B? You need more units. Even if a small independent repair shop bought all these tools (easily adding up to over $100,000 in addition to all the standard tools necessary to do repairs), they would need to recoup the costs. Land Rover authorized dealers only need to deal with ONE analyzer, so they can afford it. That's the whole point. For BMW and M-B, third party analyzers are available, but not upon the debut of the new model. And with every new model released almost these days, you either need to update the analyzer, or get a new one.

So... you were lucky that you never needed to reset a code to get something working again. That is not the norm. The whole point is to make sure that it is almost unattainable for most mechanics, while marginally avoiding regulators that would want to pound the manufacturers into obedience.

So they're asking for DRM?

I'd rather leave my port accessible- someday I may want to write some software. If someone has physically broken into my car and put something on my port, then that's my problem. Don't force DRM on us.

I love how we as geeks sometimes want it both ways. "Keep it secure! Add encryption". "Wait wait! That's DRM, I want it gone!"

This isn't a bad thing

[acoustix]

I want to be able to connect diagnostic equipment to my car so that I know what's going on. I don't trust a mechanic to tell me what's wrong and how much it will cost. I like being able to do most of the work myself when possible.

Re:This isn't a bad thing

[je+ne+sais+quoi]

After I wrote that I found this web-site that explains how to use the device and what's going on. I still think that the dealer has some codes that are not OBDII certified that they use though. Incidentally, according to that web-site I linked to, the code machine is $200, but in this thread the person says the dealer is charging them $100 just to read the codes. Wow, expensive.

Manual Override

[happy_place]

Why not provide manual overrides for things like door locks and windows. Even CD drives have that little pinhole reset so you can manually pop the sucker open. It just seems ridiculous to automate everything in a device that is always going to be mechanical in nature.

Re:Manual Override

[ickleberry]

Or just get one of the few modern cars still left that doesn't come with all these unnecessary automated sales gimmicks like the Ariel Atom

Re:Manual Override

[ushering05401]

Far superior to a hammer: http://www.copsplus.com/prodnum4497.php

Also, more handy if you catch someone tampering with your onboard computer... base of the skull punch-through carries more fatality points than hammer to temple.

Re:Manual Override

[Thelasko]

Why not provide manual overrides for things like door locks and windows.

Jaguar has such an override for their electronic transmission.

Re:They were able to

[gardyloo]

Ah. Rush Limbaugh. That would be the parsimonious explanation.

radio

[dxkelly]

I want to know how they made the radio blow hot air.

Re:radio

[andrewbaldwin]

I want to know how they made the radio blow hot air.

Simple!

Just tune it to the local talk radio channel covering politics/religion/sport**...

** select / delete according to your views

This just reaffirms...

[DarkKnightRadick]

...my decision to make my next vehicle a 1968 VW Beetle.

Re:This just reaffirms...

[netsavior]

68 was an ok year, but I would go with a 69, unless you can find a late 68. In late 68 and 69 on the independent rear suspension transaxle was added. The swing axle was dangerous, as it causes camber changes when you go over a bump, and it was less fun to drive in my opinion. Of course if you get a much earlier model it will be swing, and I would keep it that way, but if you want a 68, be sure to get the *right* 68.

G-dammit!

[BLKMGK]

The auto industry ALREADY encrypts the daylights out of most of their code! Which makes modifying it for performance reasons a PITA. I have to pay some guy a pile of cash to "flash" my current ECU because only a few guys have managed to figure out the code for it unlike with other cars. Duh, it's a computer and it controls things so yes it can be messed with.But the auto industry already encrypts it and makes this difficult. So long as the auto dealers are able to modify things like speedometers and other things this will always be a "threat" so stop running around like Chicken Little. Sheesh! What they should turn off the OBD-II standard codes so no one but a dealer can diagnose and make minor changes to cars? See how SEMA will like that and all of the independent garages and shade tree mechanics. then they will bitch that it's too locked down. Make up your minds and stop being so short sighted...

Ah, the Rootbacca defence

[Rogerborg]

Why did my client accelerate to 90mph? I put it to you, ladies and gentlemen of this supposed jury, that he did not. No, it was Evil Hackzorz, doubtless acting on the orders of the Saucer People, or perhaps the Mole Men. This is technically possible - for all you know - so you must have a reasonable doubt that my client was responsible.

Appearing in a celebrity traffic trial near you in 3... 2...

Re:The only concern...

[drinkypoo]

You'd have to reflash the PCM (ECU is an OBD-I term; this kind of stuff is only possible with OBD-II, which actually mandates the term "PCM" — if you want to be accurate, stop calling it an ECU in this context) entirely. I imagine that this sort of functionality is available on all modern cars; possibly not all OBD-II cars, but probably anything new enough to have CAN. Most OBD-II cars on the road do not use CAN anywhere, though today a car might have three or four CAN buses; PCM to OBD-II DLC (diagnostic link connector), PCM to transmission computer, PCM to BCM (body control module) and possibly even BCM to stereo. And other models exist but I personally think buying a car with a CAN bus shared between more than two components is asking for a foot in your ass.

I happen to like my mechanical diesels, which achieve efficiencies very near to modern systems. It's only too bad International-Navistar lacked the foresight to implement the engine as a full-mechanical design, as Mercedes did; your battery can explode and the engine keeps running until you shut it off, because the shutoff is a vacuum switch on the back of the ignition lock. I've had my alternator fail completely and my battery down to about 4V in my 300SD, still made it to work. Nobody will be tampering with my DLC :D

I DONT WANT FSCKING DRM ON MY CAR!!!!

[halfdan+the+black]

I want to be able to access the computer that I OWN in the CAR THAT I OWN to be able to modify it, reprogram the fuel maps, so forth. Its hard enough right now to be able to access modern engine control systems, just what I need, a bunch of chicken little, fscking "security experts" claiming that cars are "insecure", raising all kinds of alarm, then the car makers react, start putting all kinds of deliberate DRM on the computer systems, and it becomes absolutely fscking impossible to modify your own car.

If I want to modify the computer on MY CAR, THAT IS MY RIGHT, NOT A SECURITY ISSUE!!!!!

Re:I DONT WANT FSCKING DRM ON MY CAR!!!!

[ledow]

Sorry, but I think we'd all much rather have a car where the ABS (or, indeed, the brake-pedal) can't be disabled entirely, where brakes can't be activate entirely by software, where you can't play with mileometer just by sticking a box on the OBD port, or where the car cannot lock everybody inside if it crashes (the software, not the car!).

It's not a question of software freedom - it's a question of not having that capability automated in the first damn place. In every car I've ever owned, when I press the brake the wheels are slowed by huge hydraulic pressure whether or not the ECU / ABS is working. Sure, I wouldn't do without the ABS either but if it stops working, I can still bring the car safely to a halt. What we're discussing here are cars with computers that *DO* have control over what the brake pedal does - from nothing no matter how hard you press it, to full brakes no matter how you release it - and not the driver.

Some of the other things mentioned on the researcher's FAQ include the bonnet(hood)-latch behind software controlled. One software crash = one real crash. That's a sort of DRM you *don't* want anyway - where your entire ability to use the product is under the control of a computer that could crash at any minute, with serious consequences. Especially not when you're doing 70 mph.

It's the design that's stupid, not OBD, ECU's or being able to tune your car using it if you really want to. They are separate issues. Why, why, why on earth would anyone *EVER* want to legitimately activate a mode on their car where the brake function no longer corresponds to the brake pedal position?

Re:I DONT WANT FSCKING DRM ON MY CAR!!!!

[AndersOSU]

Why, why, why on earth would anyone *EVER* want to legitimately activate a mode on their car where the brake function no longer corresponds to the brake pedal position?

ABS.

Modern car's know when they're skidding, and pulse the brakes to regain traction. There may be ways to be clever with "I'm skidding" signal to effectively disable the brakes.

Want another one? Regenerative braking.

This was the problem the Prius was having. If you brake with the throttle open you can ruin the car. The system was designed to cut throttle power before engaging the brake, and IIRC the flaw was the brakes wouldn't engage if, for some reason, the computer couldn't close the throttle. This was obviously a design flaw, but it is a legitimate reason you might want to run the brake signal through a computer.

Re:I DONT WANT FSCKING DRM ON MY CAR!!!!

[ledow]

ABS is a function that I covered in my original rant. If the computer goes bang, the worst that happens on my car, most cars and ideally *all* cars with ABS is that a warning light comes on and it takes slightly longer to brake (no worse than *not* having ABS at all). There is *no* need to be able to disable and/or enable that feature, or any feature of the braking, through any interface at all. If ABS messes up, you can still brake and warning lights appear to let you know you should get it fixed. That's all that's required. And all the mechanic needs is a way to put out that warning light when they've fixed the problem (but the car is welcome to engage it again if it detects a problem, even immediately after it's been "fixed"). Why on Earth do you need a "disable brakes" function to even EXIST, no matter what the emergency? We're not talking about turning off ABS, the researchers were able to turn off THE BRAKES.

Regenerative braking systems that "ruin the car" if you brake while throttling need a complete redesign. How stupid to have to have a device that cuts one in order to allow the other? Of course, they are mutually-exclusive functions but, as with the Prius, the failure mode is inherently dangerous because it will fail to counteract if one "sticks open" because it's trying to enforce mutual-exclusion. And when your pedal jams down, you can't brake, which is the only vital function of a car. The opposite isn't true that if the brake jams down, you need to be able to accelerate away.

So where in that mess is it necessary to have any sort of enable/disable function of any of the braking system at all or be able to play with any of its parameters? And where is it necessary for that to be accessible over a cable AT ALL or be modifiable at all by the user, or even a third-party garage? It's crap. And the braking signal can run through whatever computers it wants - I damn well want flashy lights and warnings when something is wrong and, like ABS, a computer can check things a lot faster and more accurately than I can. But when that braking signal CONTROLS the brakes, rather than assists them, you have to go find the designer and shoot them.

Dear researchers

[BitZtream]

Please to be shutting the fuck up and panicing people.

I WANT my car to allow me to do those things. Thats why I have an ODB-II dongle hooked up between my car and the PC thats in it ... so I can control my cars features the way I want.

Being that the ODB port is generally directly under the drivers side dash, its rather hard for someone to plug into it without it being noticed. If they've plugged into it, they've got physical access to your car, which means they can do a lot more damage than fucking up your heater and blasting you with hot air.

You said you didn't want to spread fear and panic, and you're lying, thats exactly your goal, and to use that to get attention for yourself.

This isn't anything new, its been this way for at least 10 years if not longer (I haven't tried anything on older models) maybe all the way back into the ODB-I days and probably well before that when some cars had interfaces of their own standard.

Alarmist talk will get you locked out

[Dr_Marvin_Monroe]

Lets keep the alarmist talk down to a minimum here. As a few people have pointed out, the auto industry response will simply be to DRM you out of your own car. I'd expect that the government would want a part of the action, so expect a DMCA for autos too... They'll push you right into the loving arms of the factory service shops who will now be the only "authorized" repair option.

Re:Alarmist talk will get you locked out

[BitZtream]

ODB-II (And I to a lesser extent before it was superceded) exists for that exact reason.

Every manufacture used to do their own random proprietary crap. Governments who wanted to access the computer for emmisions controls started requiring them to standardize so they didn't have to buy new crap and codes every time the manfucature decided to change things just to make it so you have to buy stuff from them.

The government basically stepped in and stopped the DRM up front, which is why these ports are actually useful in the first place.

Sensationalism at it's finest.

[Lumpy]

I've been "HACKING" car computers for a decade now. and a lot of other people have as well. Most hot-rodders from import tuners to vette performance guys have been hacking ECM's. Many of the honda hackers even go as far as opening up the ECM and desoldering chips to hack them. Changing the ignition timing table, fuel tables, Disable the Rev limiter, Disable Passkey for engine swaps (I do this with the GM 3800sc and it's ecm from the Buicks) add features, change a Standard ECM program to a program that understand boost for a turbo install... etc.....

Heck a friend of mine is hacking the computer that controls the new power steering system in cars so we can retrofit power steering to vehicles that dont have it.

I guess us car ECM hackers are the new "EVIL DOERS"

Re:Sensationalism at it's finest.

[geekoid]

That was a long way to go to attempt to look like the cool kids at the auto show.

Re:Sensationalism at it's finest.

[Lumpy]

It's still doable. Most of the information is available on websites OUTSIDE the USA to protect the authors from being sent to jail for 60 years. I've got the info on decoding the GM canbus communications so I can actually change the shift points on the Transmission in the new 6 speed automatics. Tweaking the performance mode and being able to add an economy mode has made a difference.

All that has happened is that all the people that are the best and brightest in automotive are fleeing the country, or hiding behind pseudonym and publishing to a website outside the usa.

One thing super impressive is the guys that are getting the 7730 ECM from the 90's to do things that the current ones are not. That hacking is legal because that ECM was not crippled with raging retardation and stupidity on the car makers part.

Automotive computer hacking...

[pongo000]

...has been around since OBD-1 days, as far back as 1984. OBD-2 programming systems are available for anything from 1994 through 2010. There are even scanners that allow you to enter the PIDs of your choice (obtained from monitoring the data line while performing operations with a scantool).

Since newer vehicles control nearly everything via CANbus, it's no surprise that someone has taken the time to monitor the bus and inject various commands. This sort of hacking has been around for over 20 years (despite auto manufacturers' attempts to protect their hardware with security keys and seeds). I don't see them "solving" this "problem" anytime soon...unless they come up with a way to make a "secure" bus (perhaps using fiber optics).

Re:The only concern...

[mrchaotica]

I happen to like my mechanical diesels, which achieve efficiencies very near to modern systems.

The only problem is that the mechanical diesels don't achieve emissions very near to modern systems.

Of course, I have the same attitude you do (that the older cars are better), except I complain about failure-prone and biodiesel-incompatible diesel particulate filters while praising my rotary-injection TDI.

I guess "researchers" have not met any modders?

[netsavior]

As a car modder, who has been doing this kind of stuff (not malicious) since the early 1990s, wow welcome to the future guys.

Just an example: When my throttle position is above 90% depressed, my A/C compressor disengages(or rather the A/C Clutch engages), giving me that little bit of horsepower and theoretically saving my compressor from 7500 RPM (engine speed, not compressor speed) redline. I did this in an afternoon using only software.

The ECU has a lot of control over the car, especially in drive by wire cars... My car happens to have a cable accelerator, and I vastly prefer that because of throttle response time (a physical link is better most of the time than a software one, assuming both are properly maintained).

If they were really trying to be malicious without being deadly, you could change the air/fuel ratio to be really lean and burn up the valve train the first time they hit the gas pedal, there is no physical override for that, not like brake pedals (which if you turn it off it merely removes the power assist and only prevents you from stopping the car if you aren't strong enough to push the pedal down.)

Re:I guess "researchers" have not met any modders?

[toxonix]

Every new car I've driven in the last two years has a fully electronic throttle. I can't stand the things. If I blip the throttle to downshift, nothing happens. The computer ignores little throttle blips. You have to hold the throttle down much longer to get it to rev, and then the non-linear variable throttle curves make it difficult to hit the right engine speed. This is all dumbed down for your average human potato, which is no fun for everyone else. An F1 car is completely electronic, yet the throttle response is accurate and instantaneous. The mechanics can play songs on the engines by running through a sequence of throttle positions. Do you still have to send the ECU in to be de-soldered and re-soldered with a new EPROM? I believe there are aftermarket ECUS for BMW,Audi, Mercedes which provide almost complete control of the electronics systems for tuning. They have remotes for setting different levels of tune so that your valet driver can't get the thing into race mode or rev the engine beyond 2500 rpm etc. As for the electronic control of brakes, just switching off the power assist is not really the danger. The computer can pulse the ABS solenoids, making it impossible to brake at all. When this happens the brake pedal is useless even standing on it with both feet. I had an Audi which developed a problem like this due to bad wheel speed sensors. The sensors sometimes told the computer that the car was sliding when it slowed to around 10mph under light braking. The solenoids start pulsing and you better have plenty of stopping room, because it basically feels like you suddenly hit an ice patch. I don't recommend that particular vehicle to anyone. Configurable tuning chips are the way to go, but it would be nice if I could just hook up a PC and configure the factory ECU.

You missed another point - aftermarket installers

[name_already_taken]

OBD II is all well and good for basic emissions/driveability/MIL diagnostics, but adding security to the other functions, such as the door locks, windows, etc. could basically kill the aftermarket alarm/remote start business.

On many (if not most) cars these days, many of the basic functions such as door locks are controlled via a CAN bus (a 2-wire twisted pair network) and more and more functions are migrating to network control rather than having dedicated wiring. In my car, everything other than the lights and the radio is run over CAN (even the seat adjustments and the rear window defogger).

Take, for example, installing an aftermarket stereo: Many new cars don't have a wire that supplies 12V when you turn the key on to turn on the radio, the radio is always powered and listens to the CAN bus for the command from the car's BCM (body control module) to turn itself on. On these cars, a separate aftermarket module has to be installed to turn the radio on (or the installer has to dig around in the car to find something else that only turns on with the key, like a power outlet). There are also aftermarket modules that can translate the CAN bus commands from the car's factory steering wheel controls to control an aftermarket stereo.

Adding a layer of security (presumably encryption or authentication) could cripple these abilities with aftermarket equipment.

Don't believe me, well take the example of remote start on my current car a 1999 (yes, 12 model years old now) Mercedes Benz. I have installed 3 remote start systems on various cars (a Subaru, a Honda, and a Mazda) which were what I'd call conventionally-wired cars, having accessible wires to turn the ignition and engine computer on and start the car. Easy. Cost, under $100 for all the parts including extra relays to turn on accessories and such.

On my '99 M-B, the engine computer will not allow the engine to run unless it can maintain a constant 2-way conversation over a separate CAN bus between itself and the EIS. What's the EIS? It's the Electronic Ignition Switch. Here's where things get complicated. M-B cars don't use conventional keys any more, the use a "SmartKey", which is an electronic key fob thing that inserts like a key, but has an infrared emitter-receiver in the end. The EIS supplies power to the SmartKey via an inductive coil around the key opening. The EIS and the SmartKey then engage via infrared in a continuous encrypted conversation which authorized the EIS to tell the engine computer to let the engine run. Because you need to have the SmartKey in place, it has been impossible to install a remote start system.

Recently, a remote start system became available for my car (sold new 12 model years ago, remember), which will simulate the EIS' conversation with the SmartKey and allow the factory remote's Panic alarm button to be repurposed to start the car (the SmartKey is also the remote, but don't worry about that, it's actually two devices in one package). Cost: $1000. That's over ten times the cost of a remote start system for a regular car. And it took 12 years to develop.

All because of a single encrypted function. Admittedly, a really well designed one that makes the car impossible to hotwire, but you can see what problems might face the aftermarket if things like door lock controls became encrypted.

All in all, this research exercise is just stupid. Of course you can make a complicated system do silly things if you have physical access to it. I don't see the point of adding encryption to it when the aftermarket will have to figure out how to bypass it eventually anyway.

Off topic, but in case anyone's interested, you can have up to 24 SmartKeys issued for an M-B vehicle, but I think only eight can be active at one time. The service information talks about having three ranks of eight keys. Once you need to replace the key for the 24th time, you need to replace the EIS, the engine computer and a couple of other items. SmartKeys can only be ordered at a dealer and you h

Want your cake and eat it too!

[UnifiedTechs]

Didn't we just blast Toyota for having a completely closed system, that only 1 laptop in the US could access.... but now we blast everyone else for having an open system because it can be hacked?

Given physical access to any system it can be hacked.

Copy of the paper

[chrb]

The paper

That link really should have been in the summary....

OBDII via wireless? Here ya go!

[King_TJ]

http://www.carpartslights.com/elm327-bluetooth-obdii-obd2-scanner-vagcom-can-elm-327-p-28.html

(Now you know what to look for at least, when checking to see what the crazy ex-g/f might have put in there....)

re: ECM hacking

[King_TJ]

Actually, a whole bunch of us REALLY wish one of you experts at ECM hacking would figure out the Delphi branded ECU found in the Hyundai Genesis Coupe 3.8 V6!

It's a great little sports car at a reasonable price-point, but so far, it seems like its engine is held back from its full potential because the ECU can't be directly reprogrammed.
(Apparently, some folks in Korea have already cracked its ECU and done some custom tuning so they could add things like superchargers or turbos ... but here in the USA, we can't seem to get our hands on any of that info. I suspect part of it is purposeful on their part. I think the Korean tuning community rather enjoys keeping a lead over people in the USA for as long as possible, so they can keep taunting us with YouTube videos of their accomplishments, etc.)

A company called Road Race Motorsports released a couple different "piggyback" boxes that claimed to add as much as 20HP or so by plugging-in between the ECU connector and one of the sensors on the car -- but everyone on the car forums testing them out has seen negligible results, and sometimes dyno tests show power LOSSES with these things. As best as we can determine, the boxes are functioning like they're supposed to, but modifying the data coming from just one sensor (such as the mass airflow sensor) isn't enough to really trick the ECU into advancing timing or changing air/fuel ratios. Apparently, it sees unchanged readings from other sensors on the car and assumes the input is flawed, and starts disregarding it or acting on it in unexpected ways.

We've done it on race cars for years

[slacklinejoe]

A lot of us car nuts have been hacking our car computers for years. There's systems that go light years beyond the factory systems. 10 years ago, I was able to use my Palm Pilot II to modify my fuel trims while driving, monitor horsepower and adjust an electronically controlled boost controller for my turbo. That was all on a 1990 Talon AWD so it didn't even had ODBII yet. My new model actually fully replaced the EEPROM chips in the ECU and has bluetooth capabilities to be controlled from my smartphone, controls the doorlocks, radio, moonroof etc. In theory, it would be a trival bluetooth hack to not only cause the engine to stop but to detonate the engine (destroy - not actually cause an explosion) by pulling the fuel trims too lean. The bluetooth module was a snap on vampire chip with a tiny lead to a receiver. The whole system looked 100% factory and was tiny. It would be a trival system to integrate a remote kill and unless they were specifically looking for a technology related problem, investigators would likely never realize that it had been installed.

Um, how about firing the airbags?

[jafac]

My Jetta's VCDS software and port (as well as the printed Bentley shop manual) come with big fat user warnings about taking precautions against accidentally setting off the airbags. In fact, with multi-stage systems, if you're sitting in the front-seat, not buckled, maybe with a laptop on your lap, maybe scooted forward a tad, not resting back, you could probably end up with some serious ow-age.

(I know this, because my controller module has failed; and I'm debating whether to just remove it and live without airbags, or if I should have it re-flashed and deal with the risk of accidental discharge in the reinstallation process.)

Shenanigans.

[Burning1]

I'm going to call shenanigans on this post. There has never been a vehicle where you could remove the ECU and expect it to run.

A little history... The introduction of computers to vehicles has happened in many stages.

The first stage was the introduction of electronic ignition computers in the late 70s. These systems replaced the vacuum ignition advance on older cars. The signal from the distributor literally ran through the ignition computer. Removing the computer means that there is no connection between engine timing and plug coil. With the ignition computer removed, you have no spark, and the engine cannot start.

The next major step forward was the introduction of electronic fuel injection. This computer was responsible for controlling the fuel injectors. No ECU, means no fuel in the cylinders, which means no running vehicle. Power for the injectors literally comes via the ECU. Without the ECU, the injectors are literally unplugged.

Later vehicles used more computers in more components of the vehicle, to the point that a computer controls the brakes on my motorcycle.

But, there was no time where you could remove an ECU and expect the vehicle to still run.*

* Yes, it is possible to disconnect a lot of the sensors on an electronically fuel injected vehicle, and it will still run. But the ECU must still be in place.

Seriously Slashdot... You call yourself geeks, and you fall for this kind of stuff? Shame.