Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Reveal Nasty New Car Attacks

Posted by samzenpus on from the unsafe-at-any-speed dept.

schwit1 writes "Stomping on the brakes of a 3,500-pound Ford Escape that refuses to stop–or even slow down–produces a unique feeling of anxiety. In this case it also produces a deep groaning sound, like an angry water buffalo bellowing somewhere under the SUV's chassis. The more I pound the pedal, the louder the groan gets–along with the delighted cackling of the two hackers sitting behind me in the backseat. Luckily, all of this is happening at less than 5mph. So the Escape merely plows into a stand of 6-foot-high weeds growing in the abandoned parking lot of a South Bend, Ind. strip mall that Charlie Miller and Chris Valasek have chosen as the testing grounds for the day's experiments, a few of which are shown in the video below. (When Miller discovered the brake-disabling trick, he wasn't so lucky: The soccer-mom mobile barreled through his garage, crushing his lawn mower and inflicting $150 worth of damage to the rear wall.) The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry's security problems before malicious hackers get under the hoods of unsuspecting drivers."

24 of 390 comments (clear)

  1. High risk by suso · · Score: 4, Insightful

    "The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry's security problems"

    As a security researcher who believes in the spirit of the open release of vulnerabilities, I feel that this is irresponsible behavior on the part of these security researchers. We're not talking about releasing a vulnerability that will compromise someone's e-mail. We're talking about a high risk vulnerability that could cost some random person their life. These two gentleman should take a deep breath before releasing this information to the computer industry first rather than the auto industry. The auto industry may not have a tradition of attending these types of conferences and so by releasing the information at Def-con you're giving the wrong people a head start. Sure, the auto industry already knows about these problems, but you have to try to give them the benefit of the doubt when you confront them about the problems that they will try to fix it.

    1. Re:High risk by Anonymous Coward · · Score: 5, Insightful

      Right now they have to hook directly into the odb plug to do this, the same person with that kind of physical access can do any number of nasty things to your car.

      They are more warning about the lack of security when this stuff becomes accessible remotely (cellular or otherwise wireless) that there are going to be serious security issues as anyone breaking into that remote access path can do serious things.

    2. Re:High risk by dyingtolive · · Score: 3, Insightful

      Or the attacker just cut your brake lines.

      That's not a hack though, more of a snip.

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    3. Re:High risk by viperidaenz · · Score: 3, Insightful

      Once someone has physical access to a vehicle, there are worse things they can do than mess with the traction control and abs systems.

    4. Re:High risk by radiumsoup · · Score: 3, Insightful

      You speak as if all companies are equally bad. Somehow, I think you're either young or more sheltered than you believe you are.

    5. Re:High risk by Joining+Yet+Again · · Score: 3, Insightful

      Argh, sophomores everywhere.

      Security through obscurity isn't "no security at all". It's just inadequate. There's still the hurdle of overcoming obscurity.

      Just like strong cryptography is great but not perfect because 1) implementation is often flawed; 2) rubber hose.

    6. Re:High risk by Anonymous Coward · · Score: 5, Insightful

      But the engine controller is going to have some form of authentication required and the hackers are going to be stopped right there.

      Yes, I too had noticed that authentication systems were 100% proof against hackers, especially those implemented by companies that obviously have no prior interest in security.

    7. Re:High risk by suso · · Score: 4, Insightful

      Because we all know that if the researchers quietly tell the auto manufacturers they will fix the issues and make sure everything gets updated. Our upstanding auto manufacturers would certainly not try to bury issue and sue the reporters out of existence!

      As a security researcher you should be used to companies trying to deny, bury and ignore reports instead of correct them.

      Seriously, the only way to get a company to fix a flaw is when the pr nightmare becomes so great that it is cheaper to fix the problem than deny it.

      Yes and I also know about technically minded people denying that problems are real issues too (See libvte vulnerability). DARPA has known about these issues for a while now and apparently the issues are a lot more real and scary than most people realize. We're talking about the ability for a hacker to do something to your car simply by playing a song over your iPod or on a CD. Or a program being injected the next time you get an oil change because the service center's computer had been hacked remotely.

      And we're not talking about ego maniac hackers sitting in their basements causing a few cars to honk their horn because they think it will be funny, we're talking about terrorists and countries writing a song that one day everyone plays one day and we have 1 million 60mph 2 ton missles with families in them flying up the road all the same time. That will be a very bad day. But that's ok, because we tried to tell the auto manufacturers and they just didn't listen, so its their fault right?

      What these researchers are doing here is treating this vulnerability as if its any other vulnerability, which its not. Human life is at stake, not your email or bank account password. Yes, they do recognize the dangers, but they don't seem to realize that they should be changing their approach accordingly. For instance, they do their tests out in the open on public roads and put someone behind the wheel who doesn't know what is going to happen. You don't really need to do that to demonstrate that there is a problem.

    8. Re:High risk by chiefmojorising · · Score: 3, Insightful

      Seriously. I've got a hack that'll disable the brakes on any car ever made. It's called a hacksaw (heh) and requires even *less* access than these guys had.

    9. Re:High risk by suso · · Score: 5, Insightful

      And what cars are those?

      Me, I stay safe and only drive cars with carburetors.

      Until one of the hacked cars hits you head-on at 60 mph.

    10. Re:High risk by Roskolnikov · · Score: 4, Insightful

      unless you add a wireless dongle (they come in Bluetooth and wifi but they still require physical access and close proximity).
      every person that has done a 'reflash' on their car to get more performance has done similar things, I can with the right parameters make my cars motor throw a connecting rod through the block, I don't consider this hacking, I consider it sky is falling stupidity... if they had done this through on-star, now that, I would consider hacking and truly the danger that should be exposed by this article.

      --
      Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
    11. Re:High risk by WaffleMonster · · Score: 3, Insightful

      Right now they have to hook directly into the odb plug to do this, the same person with that kind of physical access can do any number of nasty things to your car.

      TFA asserts otherwise. Apparently onstar and integrated infotainment systems can obtain same access to CAN bus access as the OBD port.

      They are more warning about the lack of security when this stuff becomes accessible remotely (cellular or otherwise wireless) that there are going to be serious security issues as anyone breaking into that remote access path can do serious things

      "When this stuff" ??? This is 2013.

    12. Re:High risk by Charliemopps · · Score: 3, Insightful

      Uh... it's already being exploited...
      http://news.yahoo.com/blogs/lookout/hastings-crash-witness-113514329.html

    13. Re:High risk by LinuxIsGarbage · · Score: 3, Insightful

      The problem is most drivers don't know that it's a redundant system, and never think of trying the parking brake if the brake pedal fails. This is one area where linguistic drift has hurt us. They were originally called the emergency brake, whose name clearly implies they're to be used in an emergency if the regular brakes fail. But since they were also used to keep manual transmission cars from rolling when parked, they've colloquially been called parking brakes. To the point where most people refer to them as parking brakes now and don't know about their emergency braking function.

      It's also referred to as a hand-brake (especially outside of North America where front bench seats with foot operated e-brakes where not near as popular). I've heard of people trying to use it in an emergency, a panic stop situation. In which case it's far worse than the service brakes, unless the service brakes have failed.

      The truth is a frightening number of people don't understand how the cars they're driving work, and it's not just limited to e-brake / p-brake / h-brake, and it's not due to the name. Many don't understand basic concepts of gears, how and when to use manual modes of an automatic, how to shift into neutral or kill the ignition in the case of a stuck throttle. A shocking number of people don't understand that an oil light means a loss of oil pressure and the car should be pulled over and shut off immediately. A shocking number of people don't know how to jump-start a car, or change a flat, or check / adjust their tire pressure, or oil / tranny / brake / power steering fluid. A shocking number don't know that a quick blinking turn signal means you have a turn signal bulb out.

    14. Re:High risk by lennier · · Score: 5, Insightful

      The underlying problem is that CANbus was designed by automotive engineers and not network security people.

      A good point. Another way of phrasing the problem I think is:

      Systems are too often specified, designed and tested entirely in terms of their positive capabilities, rather than their negative capabilities. In the networked remote security environment, we need a design process that guarantees both.

      In other words, most of our design process up to now has been all about "what a system CAN DO". But securing a system from to intelligent attackers is about what that system CAN'T do, even in the worst case. And since the number of things a Turing-complete computer with an always-on connection to the Internet CAN buut SHOULDN'T do is potentially infinite, that can be really difficult.

      Tests generally only cover the positive features. It's hard to achieve complete test coverage by trying every possible combination of bad input (though fuzzers seem to be doing quite well at finding vulnerabilities, and it's embarrassing that amateurs keep finding bugs that the professional developers didn't.) Typing seems to be more useful in limiting capability, but our current type systems are very limited - for example, in most OO languages, the type system only guarantees that the call signature of a method is correct; it doesn't give any way of describing any other invariants that should be preserved during the computation; and the entire architecture of OOP is based on methods with side-effects which scales really badly to concurrent processing.

      I think we've reached the limit of what can be safely achieved with loosely-typed imperative side-effectful OO languages like C++. These languages give us enormous power to create positive capability, but very little in the way of assuring negative capability. I'd like to think that Haskell or Erlang might be a way forward, but I've yet to wrap my head around either of them. I'm hoping we can eventually get something simpler, that allows creativity where it's needed but also lets us place hard limits on what unexpected interactions can arise.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    15. Re:High risk by JWSmythe · · Score: 4, Insightful

          Apply Occam's Razor. User or mechanical failure are much more likely than his car being hacked.

          The story talks about a *wired* port by the parking brake. That would mean the attacker was in the car, or a remote device was attached, which investigators would (or at least could) find. It also only addresses a specific Ford vehicle, which has no relationship to a Mercedes.

          Significant user failure would seem to be present. Options are available when the brakes don't work. Downshift. Turn off the key, let the engine stop, turn the key on to unlock the steering wheel. Spin the car. Even hard maneuvering will bleed speed off. Ask any racer. Turn the key off, let the steering wheel lock, and have a slower speed impact into a fixed object.

          The option of driving as fast as possible, and dying in a fireball is the poorest choice. A conspiracy is one the must unlikely scenarios, only slightly better than alien abduction/intervention, and poltergeists taking over the car.

          I'm kind of fond of the alien theories.

          If it were the feds, wouldn't it be easier to pay a thug to do a random carjacking? A home invasion gone wrong? Shot by SWAT in a drug raid at the wrong address? There are a million other ways to remove someone without needing a high tech solution that doesn't exist yet.

      --
      Serious? Seriousness is well above my pay grade.
    16. Re:High risk by Jah-Wren+Ryel · · Score: 3, Insightful

      If it were the feds, wouldn't it be easier to pay a thug to do a random carjacking? A home invasion gone wrong? Shot by SWAT in a drug raid at the wrong address?

      I'm not going to speak to the larger question of how true the theory is, but to this question there is a good reason why not. If they can make it look like the crash was completely the driver's fault then that would eliminate any question of it being a government hit. All those other options involve third parties that, exactly as you postulated, could be hired to do the hit.

      --
      When information is power, privacy is freedom.
    17. Re:High risk by pla · · Score: 4, Insightful

      Downshift.
      Does nothing on an automatic until your speed drops below an appropriate threshold. Even reverse won't engage until you come to a stop. Park theoretically jams the output shaft with a pawl, but even that can't "catch" above a certain (very low) speed.

      Turn off the key
      Many new cars (Priuses, for example) don't have mechanical keys, just a button that even under the best of conditions doesn't always do quite what you want it to - Hold it just a hair too long or too short, or have the car in the wrong gear for what you want to do, and it just laughs at you.

      Spin the car.
      At 80MPH, "spinning" the car means flipping the car, and will likely get you just as killed as the "brick wall" method of decelerating.

      Even hard maneuvering will bleed speed off.
      This one really will always work, but as with spinning, careful just how hard you maneuver at high speeds.


      Overall, Sorry for the negative tone I have here, because I completely agree with you in spirit. If the driver doen't panic, he can do a lot to slow down a car with no brakes and/or a stuck accelerator. Most people don't expect that to happen, though, and simply go into a mental freeze, stomping uselessly on the brakes harder and harder rather than taking other corrective measures. As you say, "Significant user failure would seem to be present".

  2. Locking down the cars for security by IndustrialComplex · · Score: 4, Insightful

    I can appreciate applying Anti Tamper and other IA techniques to 'harden' cars, but I hope this doesn't return us to where only ''licensed' repair facilities can work on cars.

    --
    Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
  3. Meh... Give me access, I own your computer by Mr+Krinkle · · Score: 5, Insightful

    So

    if I'm sitting in your car, plugged in to the canbus, I can control things on the canbus....

    Yeppers....

    Just like if I have access to your laptop for long enough, I can get whatever is on it. (encryption will slow it down, but like I said, given time and access?)

    But you'll probably notice me sitting in your car, plugging a cord into the port before I take the time to crash your car, with me riding in it.....
    While this is amusing, I'm not that nervous about "security through not having some donkey plug his laptop in your car with a death wish while you are hurtling down the highway"

    Having them use the "open" canbus specs, you can add aftermarket devices, and not have to take your car to the dealer for any service.

    If they fully lock it down, the dealer will be the ONLY place that could work on it. And the ONLY parts you could add to your car.

    --
    I am 31337 or something.
  4. Re:Rev Up Those Conspiracy Theories - by Anonymous Coward · · Score: 5, Insightful

    Or a reporter (Michael Hastings) whose award winning work caused Stanley McChrystal's resignation mysteriously dying in a single car accident with a tree; without skid marks and the engine winding up 200 feet away...

  5. Indeed there must be many ehtical companies ... by golodh · · Score: 4, Insightful
    apart from the banks, the tobacco industry, the arms industry, big pharma, big oil, marketing firms and so forth.

    If only because their helmsmen are required, by law, to maximise shareholder value. Nothing else. In fact: senior management can be sued if they don't set policy to that effect.

    The upshot is that no publicly traded company can really afford a moral or ethical compass. What passes for ethics in companies is usually nothing but well-understood self-interest (as in: avoidance of PR damage and a resulting slump in sales through bad publicity).

    Whilst I'm against releasing any kind of software vulnerabilities before the responsible parties have had a decent chance to fix it, I'm just as skeptical as most regarding the inclination of e.g. car manufacturers to improve security unless there is a massive PR debacle. For massive PR debacle read: a nasty and widely covered crash involving a photogenic celebrity (ugly celebrities won't cut it) and his/her children, that can be traced unequivocally to the lax security of a car's on-board datacommunication infrastructure.

    That's the main thing I can see as getting their attention and lending the issue any kind or urgency. If only because of CYA considerations on part of top management. The only alternative would (in my view) be compulsory network safety standards for cars.

    1. Re:Indeed there must be many ehtical companies ... by lennier · · Score: 3, Insightful

      The board of directors do not have a requirement to "maximise shareholder value." Most companies could acheive this by liquidating their assets and investing a another company which is doing better.

      And isn't that exactly what the tidal wave of mergers, acquisitions and restructurings from the 1980s on have all been about? Buying and selling shells of companies, liquidating their assets, closing the factories, selling the brand to someone else, and then outsourcing the production to China and Mexico while centralising the banking in London, the paperwork in the Cayman Islands and the corporate headquarters in New York.

      Doing this kind of shell game creates a reputation for a CEO as a "miracle worker" and "turnaround artist" and billions of dollars in share value. But if you look behind the scenes you see an increasingly hollow stack of cards that's propped up by debt and gambling rather than production.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  6. Re:Nothing to see here...move along... by rahvin112 · · Score: 4, Insightful

    Yes I can, it would be on the back of the engine and would require a special tool only sold by the dealer to open the door and would likely require the removal of the starter motor and timing belt/chain to access and for bonus points someone like Porsche would require removal of the head gasket to reach the port.

    Putting it within 2 feet of the driver was smart, it should have had the additional requirement to be within 6 inches of both the radio and climate controls because if they had everyone would notice some strange object plugged into the port.