Hacking Automotive Systems

alphadogg writes "University researchers have taken a close look at the computer systems used to run today's cars and discovered new ways to hack into them, sometimes with frightening results. In a paper set to be presented at a security conference in Oakland, California, next week, the researchers say that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some nasty things, such as turning off the brakes, changing the speedometer reading, blasting hot air or music on the radio, and locking passengers in the car. The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes, and massive automotive recalls. It's to warn the car industry that it needs to keep security in mind as it develops more sophisticated automotive computer systems. Other experts describe the real-world risk of any of the described attacks as low." Here is the researchers' site, and an image that could stand as a summary of the work.

Cccess to unlocked car = can damage it, duh

[noidentity]

Someone with access to your unlocked car can cause it to malfunction by messing with its systems, story at 11!

Re:Cccess to unlocked car = can damage it, duh

[clone53421]

Then it’s a good thing that they’ve already thought of that, I guess.

He and co-researcher Tadayoshi Kohno of the University of Washington, describe the real-world risk of any of the attacks they've worked out as extremely low. An attacker would have to have sophisticated programming abilities and also be able to physically mount some sort of computer on the victim's car to gain access to the embedded systems. But as they look at all of the wireless and Internet-enabled systems the auto industry is dreaming up for tomorrow's cars, they see some serious areas for concern.

Re:Cccess to unlocked car = can damage it, duh

[DriedClexler]

An attacker would have to ... be able to physically mount some sort of computer on the victim's car

Yeah, and if I could physically mount your wife, I could inject her with all sorts of viruses, maybe even spawn a child process!

So, is "security hole" the next euphemism for vagina?

So what?

[franz]

Computer or no computer, if I climbed under your car in the parking lot, I could cut the brake lines.

Re:So what?

[thijsh]

There are some real-world scenario's where this can be used... A cut break-line will be detected by professionals, just like explosives, and every car is inspected prior to leaving with a VIP. So cutting the break line on the presidents limo probably won't get an attacker anywhere. But if the attacker could load software that stalls the engine or cuts the brakes at a predefined time (and place) the attackers can kidnap or kill the VIP without any advance indication that the car has been compromised.

FTA: "In one attack that the researchers call 'Self-destruct' they launch a 60 second countdown on the driver's dashboard that's accompanied by a clicking noise, and then finally warning honks in the final seconds. As the time hits zero, the car's engine is killed and the doors are locked. This attack takes less than 200 lines of code -- most of it devoted to keeping time during the countdown."

Remove the clicking and countdown and no-one will know the car is sabotaged until it's too late. When I would be in charge of securing the president or other VIPs during transport I would want to be able to know if the vehicle has undetectable security flaws like this... The problem is that you don't even know if the software might have been compromised in the months/years that the car has been in service.

Re:So what?

[fl!ptop]

if I climbed under your car in the parking lot, I could cut the brake lines

This is true, however your target would notice their brakes didn't work before pulling out of the parking space, when they pressed them to put the car into gear. Even if the car had a standard transmission, your target wouldn't get far in the parking lot before realizing something was wrong.

Getting the brakes to fail at any time after the car is in motion would be impressive.

Re:So what?

[geekoid]

Fine, A tine explosive the sets after the vehicle hits 55 mph.

Re:So what?

[thijsh]

Getting the brakes to fail at any time after the car is in motion would be impressive.

Using this hack an attacker could probably let the brakes fail the moment you go over 100mph, as well as disabling steering-assist and traction control, and maybe even floor the gas pedal...
This is the ultimate 'digital brake line cut' turning the vehicle into a crippled metal cage of death hurling to whatever is in front of it with (most likely) lethal consequence.

Re:So what?

[jackbird]

Think 'open hood,' 'attach doohickey,' 'wait 30 sec. while it flashes the new firmware,' 'remove doohickey'. Bonus points if you can compromise the motor pool's code reader while the VIP limo is nowhere nearby, and the trustworthy mechanic is the one inadvertently doing the flashing during routine scheduled maintenance.

Yeah...

[Pojut]

...no matter how insecure they are, until hackers find a way to wirelessly connect to my car that doesn't have a wireless connection, I'm not going to worry.

Now if you'll excuse me, I have to make sure some crazy ex-girlfriend doesn't have something stuffed in my OBDII port. "Your mom's OBDII port is stuffed!" Dammit! Almost made it without the mom joke...

I'm not worried about those hacks

[wiredog]

We all know that once someone has physical access to your system it's theirs. But can they do this via OnStar or other remote access systems?

Re:I'm not worried about those hacks

[zmaragdus]

OnStar themselves can do several things like disable your engine, track your car, open the doors, etc. I would expect that it's theoretically possible (though unlikely) that a person could hack into your car via that method. It would certainly be quite a feat of hacking, but I believe it is possible.

Re:I'm not worried about those hacks

[ledow]

People have physical access to the outside of my car, it doesn't mean they can change my speedo, mileometer, fuel mixture, etc. quickly and without me realising that something has happened. They certainly can't do it just by plugging a box into the port even if they *do* break into my car... because my car is mechanical and doesn't run with this sort of shit (Note: I can and have removed the entire ECU box from a car in the past - it runs, but slowly and less efficiently and may not pass an emissions test, but it still works in a driveable condition - very modern cars literally do not work without them so they are "essential" and thus should work as bloody advertised).

All of these things were done over an ODB cable to a standardised port on every car. On every decent model of car, they should be read-only information about the car's engine. The port is standardised, commonplace, accessible from the driver's seat (by law in the EU), hidden, and (with these models) accepts almost any device / commands without question. It's standard practice to connect an OBD box to modern cars if they have an indicator light up (in fact, it's usually the ONLY way to clear such a light). My car has one. I'm pretty damn sure that you can't modify my mileage or speedo via that route, though, or my fuel mixture, or stop my brakes working. About the worst you might be able to do is clear a warning light. This is because the OBD is designed properly, doesn't allow things it doesn't and it helped by the fact that my speedo is a needle connected to a magnetic induction coil produce by a spinning cable spun at a ratio of the speed of the wheels, and my mileometer is a tick-over-style mechanical one. The Prius-scare should have shown people what happens when you take away control of a vehicle from a driver and put it in the hand of a computer - it was discussed that virtual-ignition-systems, virtual-gearing-systems, etc. are just dangerous and provide no advantage to anyone.

Nobody is saying these things are not do-able on any car with physical work, we're asking why the hell they are modifiable over such a cable in such a "simple" way that someone could literally sell a box on eBay that, when connected to a car, can fraudulently adjust mileage, turn on hot air vents, TURN OFF THE BRAKES (FFS!), and basically cause it to crash and explode whenever you want. That's *NOT* what the OBD standard is for - it's for diagnostics and diagnostic indicators. Why the hell can I adjust the hot air vent through that cable?

The problem is that there is absolutely no NEED for the speedo to be "writable" over a diagnostics cable, or anything else for that matter. The only "writable" things should be to clear diagnostic lights, which will inevitably pop up again if the problem is "real". So you can't just switch off the ABS light on a car and then sell it as having working ABS... OBD logs and records such actions in the car itself and will redisplay those indicators if there is a real problem still.

Why the hell would you *ever* want to be able to modify information like that? Why should a mechanic ever be able to adjust the mileage on the car? It's stupid, not-thought-through and terrible design. Next up is being able to open the doors of any car that has Bluetooth OBD, or changing the VIN numbers or whatever. It's just ridiculous. Even if the car is computer controlled, there are some places where access control of sorts should prevent certain actions.

More to lose than to gain

[llZENll]

It would seem to me we have a lot more to lose by auto manufacturers implement software security than to gain. Its hard enough as it is for repair shops to work on engines and electronics without adding security, which would make repairs even more proprietary and expensive. With almost nothing to gain, if someone wants to disable your brakes they can (gasp) damage your brake line without even opening your car door! Mess with your tires, exhaust, gas, etc. There are many more ways to mess with your car externally than via the software port. And yet somehow the earth keeps rotating.

Re:More to lose than to gain

[Pojut]

www.obd-codes.com is your friend.

Re:More to lose than to gain

[couchslug]

IAAM (I Am A Mechanic) too.

Current OBD systems aren't guaranteed to be the future standard, and if the makers can use the excuse of "security" to restrict access to an increasing number of functions (including "functions yet unborn" they can ensure a revenue stream.

Trusting auto makers to ensure easy system access is like trusting Sony to look after your PlayStation.

So they're asking for DRM?

I'd rather leave my port accessible- someday I may want to write some software. If someone has physically broken into my car and put something on my port, then that's my problem. Don't force DRM on us.

I love how we as geeks sometimes want it both ways. "Keep it secure! Add encryption". "Wait wait! That's DRM, I want it gone!"

This isn't a bad thing

[acoustix]

I want to be able to connect diagnostic equipment to my car so that I know what's going on. I don't trust a mechanic to tell me what's wrong and how much it will cost. I like being able to do most of the work myself when possible.

Manual Override

[happy_place]

Why not provide manual overrides for things like door locks and windows. Even CD drives have that little pinhole reset so you can manually pop the sucker open. It just seems ridiculous to automate everything in a device that is always going to be mechanical in nature.

Re:Manual Override

[Thelasko]

Why not provide manual overrides for things like door locks and windows.

Jaguar has such an override for their electronic transmission.

Re:They were able to

[gardyloo]

Ah. Rush Limbaugh. That would be the parsimonious explanation.

radio

[dxkelly]

I want to know how they made the radio blow hot air.

Re:radio

[andrewbaldwin]

I want to know how they made the radio blow hot air.

Simple!

Just tune it to the local talk radio channel covering politics/religion/sport**...

** select / delete according to your views

This just reaffirms...

[DarkKnightRadick]

...my decision to make my next vehicle a 1968 VW Beetle.

Re:This just reaffirms...

[netsavior]

68 was an ok year, but I would go with a 69, unless you can find a late 68. In late 68 and 69 on the independent rear suspension transaxle was added. The swing axle was dangerous, as it causes camber changes when you go over a bump, and it was less fun to drive in my opinion. Of course if you get a much earlier model it will be swing, and I would keep it that way, but if you want a 68, be sure to get the *right* 68.

Ah, the Rootbacca defence

[Rogerborg]

Why did my client accelerate to 90mph? I put it to you, ladies and gentlemen of this supposed jury, that he did not. No, it was Evil Hackzorz, doubtless acting on the orders of the Saucer People, or perhaps the Mole Men. This is technically possible - for all you know - so you must have a reasonable doubt that my client was responsible.

Appearing in a celebrity traffic trial near you in 3... 2...

Re:The only concern...

[drinkypoo]

You'd have to reflash the PCM (ECU is an OBD-I term; this kind of stuff is only possible with OBD-II, which actually mandates the term "PCM" — if you want to be accurate, stop calling it an ECU in this context) entirely. I imagine that this sort of functionality is available on all modern cars; possibly not all OBD-II cars, but probably anything new enough to have CAN. Most OBD-II cars on the road do not use CAN anywhere, though today a car might have three or four CAN buses; PCM to OBD-II DLC (diagnostic link connector), PCM to transmission computer, PCM to BCM (body control module) and possibly even BCM to stereo. And other models exist but I personally think buying a car with a CAN bus shared between more than two components is asking for a foot in your ass.

I happen to like my mechanical diesels, which achieve efficiencies very near to modern systems. It's only too bad International-Navistar lacked the foresight to implement the engine as a full-mechanical design, as Mercedes did; your battery can explode and the engine keeps running until you shut it off, because the shutoff is a vacuum switch on the back of the ignition lock. I've had my alternator fail completely and my battery down to about 4V in my 300SD, still made it to work. Nobody will be tampering with my DLC :D

Dear researchers

[BitZtream]

Please to be shutting the fuck up and panicing people.

I WANT my car to allow me to do those things. Thats why I have an ODB-II dongle hooked up between my car and the PC thats in it ... so I can control my cars features the way I want.

Being that the ODB port is generally directly under the drivers side dash, its rather hard for someone to plug into it without it being noticed. If they've plugged into it, they've got physical access to your car, which means they can do a lot more damage than fucking up your heater and blasting you with hot air.

You said you didn't want to spread fear and panic, and you're lying, thats exactly your goal, and to use that to get attention for yourself.

This isn't anything new, its been this way for at least 10 years if not longer (I haven't tried anything on older models) maybe all the way back into the ODB-I days and probably well before that when some cars had interfaces of their own standard.

Sensationalism at it's finest.

[Lumpy]

I've been "HACKING" car computers for a decade now. and a lot of other people have as well. Most hot-rodders from import tuners to vette performance guys have been hacking ECM's. Many of the honda hackers even go as far as opening up the ECM and desoldering chips to hack them. Changing the ignition timing table, fuel tables, Disable the Rev limiter, Disable Passkey for engine swaps (I do this with the GM 3800sc and it's ecm from the Buicks) add features, change a Standard ECM program to a program that understand boost for a turbo install... etc.....

Heck a friend of mine is hacking the computer that controls the new power steering system in cars so we can retrofit power steering to vehicles that dont have it.

I guess us car ECM hackers are the new "EVIL DOERS"

I guess "researchers" have not met any modders?

[netsavior]

As a car modder, who has been doing this kind of stuff (not malicious) since the early 1990s, wow welcome to the future guys.

Just an example: When my throttle position is above 90% depressed, my A/C compressor disengages(or rather the A/C Clutch engages), giving me that little bit of horsepower and theoretically saving my compressor from 7500 RPM (engine speed, not compressor speed) redline. I did this in an afternoon using only software.

The ECU has a lot of control over the car, especially in drive by wire cars... My car happens to have a cable accelerator, and I vastly prefer that because of throttle response time (a physical link is better most of the time than a software one, assuming both are properly maintained).

If they were really trying to be malicious without being deadly, you could change the air/fuel ratio to be really lean and burn up the valve train the first time they hit the gas pedal, there is no physical override for that, not like brake pedals (which if you turn it off it merely removes the power assist and only prevents you from stopping the car if you aren't strong enough to push the pedal down.)

You missed another point - aftermarket installers

[name_already_taken]

OBD II is all well and good for basic emissions/driveability/MIL diagnostics, but adding security to the other functions, such as the door locks, windows, etc. could basically kill the aftermarket alarm/remote start business.

On many (if not most) cars these days, many of the basic functions such as door locks are controlled via a CAN bus (a 2-wire twisted pair network) and more and more functions are migrating to network control rather than having dedicated wiring. In my car, everything other than the lights and the radio is run over CAN (even the seat adjustments and the rear window defogger).

Take, for example, installing an aftermarket stereo: Many new cars don't have a wire that supplies 12V when you turn the key on to turn on the radio, the radio is always powered and listens to the CAN bus for the command from the car's BCM (body control module) to turn itself on. On these cars, a separate aftermarket module has to be installed to turn the radio on (or the installer has to dig around in the car to find something else that only turns on with the key, like a power outlet). There are also aftermarket modules that can translate the CAN bus commands from the car's factory steering wheel controls to control an aftermarket stereo.

Adding a layer of security (presumably encryption or authentication) could cripple these abilities with aftermarket equipment.

Don't believe me, well take the example of remote start on my current car a 1999 (yes, 12 model years old now) Mercedes Benz. I have installed 3 remote start systems on various cars (a Subaru, a Honda, and a Mazda) which were what I'd call conventionally-wired cars, having accessible wires to turn the ignition and engine computer on and start the car. Easy. Cost, under $100 for all the parts including extra relays to turn on accessories and such.

On my '99 M-B, the engine computer will not allow the engine to run unless it can maintain a constant 2-way conversation over a separate CAN bus between itself and the EIS. What's the EIS? It's the Electronic Ignition Switch. Here's where things get complicated. M-B cars don't use conventional keys any more, the use a "SmartKey", which is an electronic key fob thing that inserts like a key, but has an infrared emitter-receiver in the end. The EIS supplies power to the SmartKey via an inductive coil around the key opening. The EIS and the SmartKey then engage via infrared in a continuous encrypted conversation which authorized the EIS to tell the engine computer to let the engine run. Because you need to have the SmartKey in place, it has been impossible to install a remote start system.

Recently, a remote start system became available for my car (sold new 12 model years ago, remember), which will simulate the EIS' conversation with the SmartKey and allow the factory remote's Panic alarm button to be repurposed to start the car (the SmartKey is also the remote, but don't worry about that, it's actually two devices in one package). Cost: $1000. That's over ten times the cost of a remote start system for a regular car. And it took 12 years to develop.

All because of a single encrypted function. Admittedly, a really well designed one that makes the car impossible to hotwire, but you can see what problems might face the aftermarket if things like door lock controls became encrypted.

All in all, this research exercise is just stupid. Of course you can make a complicated system do silly things if you have physical access to it. I don't see the point of adding encryption to it when the aftermarket will have to figure out how to bypass it eventually anyway.

Off topic, but in case anyone's interested, you can have up to 24 SmartKeys issued for an M-B vehicle, but I think only eight can be active at one time. The service information talks about having three ranks of eight keys. Once you need to replace the key for the 24th time, you need to replace the EIS, the engine computer and a couple of other items. SmartKeys can only be ordered at a dealer and you h

Re:I DONT WANT FSCKING DRM ON MY CAR!!!!

[AndersOSU]

Why, why, why on earth would anyone *EVER* want to legitimately activate a mode on their car where the brake function no longer corresponds to the brake pedal position?

ABS.

Modern car's know when they're skidding, and pulse the brakes to regain traction. There may be ways to be clever with "I'm skidding" signal to effectively disable the brakes.

Want another one? Regenerative braking.

This was the problem the Prius was having. If you brake with the throttle open you can ruin the car. The system was designed to cut throttle power before engaging the brake, and IIRC the flaw was the brakes wouldn't engage if, for some reason, the computer couldn't close the throttle. This was obviously a design flaw, but it is a legitimate reason you might want to run the brake signal through a computer.

We've done it on race cars for years

[slacklinejoe]

A lot of us car nuts have been hacking our car computers for years. There's systems that go light years beyond the factory systems. 10 years ago, I was able to use my Palm Pilot II to modify my fuel trims while driving, monitor horsepower and adjust an electronically controlled boost controller for my turbo. That was all on a 1990 Talon AWD so it didn't even had ODBII yet. My new model actually fully replaced the EEPROM chips in the ECU and has bluetooth capabilities to be controlled from my smartphone, controls the doorlocks, radio, moonroof etc. In theory, it would be a trival bluetooth hack to not only cause the engine to stop but to detonate the engine (destroy - not actually cause an explosion) by pulling the fuel trims too lean. The bluetooth module was a snap on vampire chip with a tiny lead to a receiver. The whole system looked 100% factory and was tiny. It would be a trival system to integrate a remote kill and unless they were specifically looking for a technology related problem, investigators would likely never realize that it had been installed.

Shenanigans.

[Burning1]

I'm going to call shenanigans on this post. There has never been a vehicle where you could remove the ECU and expect it to run.

A little history... The introduction of computers to vehicles has happened in many stages.

The first stage was the introduction of electronic ignition computers in the late 70s. These systems replaced the vacuum ignition advance on older cars. The signal from the distributor literally ran through the ignition computer. Removing the computer means that there is no connection between engine timing and plug coil. With the ignition computer removed, you have no spark, and the engine cannot start.

The next major step forward was the introduction of electronic fuel injection. This computer was responsible for controlling the fuel injectors. No ECU, means no fuel in the cylinders, which means no running vehicle. Power for the injectors literally comes via the ECU. Without the ECU, the injectors are literally unplugged.

Later vehicles used more computers in more components of the vehicle, to the point that a computer controls the brakes on my motorcycle.

But, there was no time where you could remove an ECU and expect the vehicle to still run.*

* Yes, it is possible to disconnect a lot of the sensors on an electronically fuel injected vehicle, and it will still run. But the ECU must still be in place.

Seriously Slashdot... You call yourself geeks, and you fall for this kind of stuff? Shame.