Slashdot Mirror


Car Hackers Mess With Speedometers, Odometers, Alarms and Locks

mask.of.sanity writes "Researchers have demonstrated how controller area networks in cars can make vehicles appear to drive slower than their actual speed, manipulate brakes, wind back odometers and set off all kinds of alarms and lights from random fuzzing (video). The network weaknesses stem from a lack of authentication which they say is absent to improve performance. The researchers have also built a $25 open-source fuzzing tool to help others enter the field."


  1. Hmmm... by AdeBaumann · · Score: 2

    How many idiots will use this in the safe knowledge that they can't be busted for speeding anymore, I wonder...

    --
    I gave up sigs almost a year ago.
    1. Re:Hmmm... by maxwell+demon · · Score: 2

      If your speedometer shows a higher speed than your real one, then whenever you are too fast, your speedometer will be showing a too high speed, and therefore you cannot claim not to have known that you have been too fast. However I'm not so sure what the ruling would be if the speedometer shows a too low speed (and it's not your fault for either negligence in getting the car serviced or proven active manipulation, and you weren't so much over speed limit that you should have noticed it even without reading the speedometer).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Hmmm... by AlphaWolf_HK · · Score: 4, Informative

      Just to clarify how the law works on this one, in most states (probably all, but there are 50 of them so you never know if there are variations) when you hop behind the wheel and start driving any car (whether you own it or not) you are responsible for the operation of that car, including if anything is wrong with it that causes an accident or any sort of moving violation, such as a malfunctioning safety device (and the speedometer is a safety device.)

      Now that doesn't stop you from suing a manufacturer, mechanic, or other responsible party if something has gone wrong with the car that wasn't your fault and caused any damages. But, any damages (even just a ticket) are your responsibility first, and if the cause was from a manufacturer or mechanic, it's then on you to recover your losses from them. In other words, if your brakes fail due to manufacturer defect, you can't just tell the guy you rear ended to go collect from your car manufacturer. He goes after you, and whatever he collects from you, you then have to collect from the manufacturer.

      You also still end up with a ticket and a mark on your driving record, because again you assumed responsibility for anything wrong with the car by driving it.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    3. Re:Hmmm... by They'reComingToTakeM · · Score: 3, Interesting

      The UK's annual MOT test (compulsory for all vehicles over 3 years old) states that a speedometer is permitted to read up to +10%/-0% of actual speed. i.e. 66mph when you're actually doing 60, but not 60 when you're doing 61.

    4. Re:Hmmm... by GeoBain · · Score: 2, Insightful

      Permitted is quite different from required.

    5. Re:Hmmm... by tlambert · · Score: 2

      vehicle speedometers are required to read 100km/h when actually doing 95km/h (or your local equivalent)

      Source please?

      http://www.caranddriver.com/features/speedometer-scandal
      http://online.wsj.com/news/articles/SB123119286106955181
      http://www.theglobeandmail.com/globe-drive/car-tips/why-you-may-not-be-driving-as-fast-as-you-think/article11487709/

      In general, German cars are known to exaggerate speed by up to 10% in order to guarantee compliance with European law (ECE-R39).

      In the U.S., it's been historically common to "detune" speedometers in rental cars to exaggerate the speed, and therefore clock up additional miles which are then charged to the renter. It's also been historically common to roll back odometers prior to sales of cars coming from rental fleets to increase their market price as used cars. Both of these practices are illegal these days, but as shown in the articles above, you can get up to a 10% exaggeration in cars which are explicitly within manufacturer specifications, which translates into 10% more miles on your rental bill, if you rent a car from one of those manufacturers.

    6. Re:Hmmm... by Anonymous Coward · · Score: 2, Insightful

      The speedometer and the odometer are two different instruments. You can certainly make the speedometer show a higher speed without having the odometer show a higher distance. It's as easy as printing a narrower scale on the speedometer.

    7. Re:Hmmm... by Anonymous Coward · · Score: 2, Informative

      Your WSJ link was written by someone that doesn't know a great deal about commodity GPS navigators. Yes, on straight and level ground a GPS navigator will tend to be more accurate than a speedometer, but by far the majority of them lose accuracy when driving up and down inclines. You can see this for yourself by keeping a constant speed on your speedo and monitoring the GPS speed drop as you climb or descend a hill.

      Why? Because the majority of GPS navigation software calculates speed based on delta-latitude and delta-longitude only (well, with latitude correction), completely ignoring delta-altitude. Apparently 3D velocity vectors are too hard for the average software engineer to calculate.

    8. Re:Hmmm... by swb · · Score: 2

      IANAL and I've never even had a speeding ticket in 31 years of driving, but isn't there a reasonable expectation of general accuracy in a speedometer, and also a reasonable expectation of deviation from specific accuracy?

      I don't think there is a specific requirement for me to check/verify my speedometer accuracy, there's a whole host of government regulations that require carmakers to produce vehicles to a specific standard. And as long as when I drive with the flow of traffic, I kind of have to believe my speedometer isn't grossly inaccurate.

      In general practice, the police don't ticket people for going 56 MPH in a 55 MPH zone because there are a whole laundry list of reasons why you cannot maintain perfect speed accuracy -- the equipment isn't capable of that precision, the data displays are generally analog displays lacking that kind of precision, and environmental factors (wind, road resistance, etc) can cause speed variations, not to mention the power controls (throttle) aren't perfectly linear or setup for fine-grained control.

      Now, you won't get away with doing 80 in a 55 zone because there are all kinds of mediating factors that should make it obvious something is wrong with your car -- passing most traffic very quickly, etc.

      I always try to check my speedometer calibration either via GPS (now) or via cruise control on flat terrain over a marked distance with a stopwatch. I had a motorcycle that showed a displayed speed 9-11 MPH slower than actual speed. I actually enquired about having it fixed and they told me it could not be manually adjusted, only totally replaced and even then they said it was not likely to be any more accurate.

    9. Re:Hmmm... by zidium · · Score: 2

      If you haven't had a single speeding ticket in 31 years, and you're a heterosexual male and drive more than *very* rarely, then you have issues and should see a doctor, possibly about testosterone boosting.

      --
      Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
    10. Re:Hmmm... by X0563511 · · Score: 4, Interesting

      Indeed. My speedometer has matched every roadside radar display I've encountered.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    11. Re:Hmmm... by SleazyRidr · · Score: 2

      I am a heterosexual male, and while I do not have the experience of the GP, I have driven fast enough to make you shit your pants (one of the reasons I don't let you in my car.) I also have never received a ticket, because I go to magical places known as racetracks when I want to drive faster than the local constabulary allows.

    12. Re:Hmmm... by Xicor · · Score: 2

      If you could prove that your car was tested in working condition with the proper speed on the meter, and you had proof of the speed your car was going before you got pulled over, you could go and argue that the police's radar wasn't in proper working condition... in fact that is one of the best ways to avoid all speeding tickets. 95% of the time, the radar gun isn't calibrated according to the calibration requirements of the manufacturing company (like once per couple of days or something). So you go to court and say the radar gun was wrong and get them to bring out the calibration logs... most of the time they can't.

  2. Surprising to me by Okian+Warrior · · Score: 4, Interesting

    I used to write software for aircraft instruments.

    What's surprising to me is that single-function devices can have their functions changed. The speedometer has one function: to report the vehicle's speed. What requirement is satisfied by allowing this to change? Why would you even need to upgrade it?

    I would have thought that certain features of the car would be fixed program/unchangeable, at the very least to simplify the design.

    1. Re:Surprising to me by Anonymous Coward · · Score: 2, Insightful

      It's not that it's reprogrammable, it's that you can spoof the data going to it from the wheel sensors. Because they have everything on the same data bus (they use a modified version of CAN busses in aircraft) you can inject (by literally plugging into the bus) your own packets with new speed data.
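Added example, not part of the thread or of the researchers' tool: a receiver cannot tell who sent a CAN frame, so one way a monitor can notice a second transmitter on a periodic ID is by timing and value plausibility. The ID `0x123`, the 20 ms period, the speed encoding and the thresholds are assumptions made for this sketch, and the trace is constructed.

```python
from collections import namedtuple

# What a node on the bus receives: arbitration ID and payload (timestamp added
# by the logger). Classic CAN has no sender address and no authentication field.
Frame = namedtuple("Frame", "ts_ms can_id data")

SPEED_ID = 0x123      # hypothetical ID of the periodic vehicle-speed frame
PERIOD_MS = 20        # hypothetical nominal broadcast period
MAX_STEP_KMH = 2.0    # hypothetical largest plausible change between frames


def encode_speed(kmh):
    """Hypothetical encoding: big-endian 16-bit value in units of 0.01 km/h."""
    return round(kmh * 100).to_bytes(2, "big")


def decode_speed(data):
    return int.from_bytes(data[:2], "big") / 100.0


def analyze(frames, can_id=SPEED_ID):
    """Return timestamps of frames that arrive too early for a periodic ID,
    and of frames whose value jumps implausibly from the previous one."""
    early, jumps = [], []
    prev = None
    for f in sorted(frames, key=lambda f: f.ts_ms):
        if f.can_id != can_id:
            continue
        if prev is not None:
            if f.ts_ms - prev.ts_ms < PERIOD_MS / 2:
                early.append(f.ts_ms)
            if abs(decode_speed(f.data) - decode_speed(prev.data)) > MAX_STEP_KMH:
                jumps.append(f.ts_ms)
        prev = f
    return {"early": early, "jumps": jumps}


def constructed_trace(with_injection):
    """Constructed sample: sensor node sends 100 km/h every 20 ms; optionally a
    second node sends 60 km/h under the same ID, offset by 5 ms."""
    frames = [Frame(t, SPEED_ID, encode_speed(100.0)) for t in range(0, 200, 20)]
    frames.append(Frame(50, 0x2A0, b"\x01"))  # unrelated traffic, ignored
    if with_injection:
        frames += [Frame(t, SPEED_ID, encode_speed(60.0)) for t in range(105, 185, 20)]
    return frames


if __name__ == "__main__":
    print(analyze(constructed_trace(False)))
    print(analyze(constructed_trace(True)))
```

The monitor flags the anomaly but cannot say which of the two conflicting frames is genuine, which is the practical consequence of the missing authentication.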

    2. Re:Surprising to me by houghi · · Score: 2

      The speedometer has one function: to report the vehicle's speed. What requirement is satisfied by allowing this to change? Why would you even need to upgrade it?

      If^hWhen the US finally adapts to the metric system. Obviously.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Surprising to me by sjames · · Score: 4, Insightful

      Sadly, it may not require physical access. All the entertainment system and GPS nav are connected to the bus as well. It may be possible to get in through wifi or bluetooth and hack an entertainment device to proxy you in to the CAN bus. See this.

    4. Re:Surprising to me by brantondaveperson · · Score: 4, Informative

      This is the only comment here so far of any consequence. Hacking a car by plugging into the CAN bus is hardly rocket science, but remotely gaining access to the car's ECUs via bluetooth is a very different matter indeed. Securing CAN is pretty much a non-starter, but securing those wider area wireless networks that cars are increasingly supporting is something that should be taken very seriously indeed. And if Toyota's recent drubbing in the source code courts shows anything, it shows that car manufacturers don't make very good software houses.

    5. Re:Surprising to me by viperidaenz · · Score: 2

      Governed by the motor that controls the throttle. More and more cars are going to drive-by-wire systems. It makes traction control, economy modes and cruise control much easier.

    6. Re:Surprising to me by NJRoadfan · · Score: 2

      According to the service manual for my car, the "entertainment" CANBus system (which has the bluetooth connection) is separate from the rest of the car's systems. What worries me is that some companies (I'm looking at you Nissan) have gone to using bluetooth based diagnostics tools at their dealerships.

    7. Re:Surprising to me by zeroduck · · Score: 2

      What exactly does "separate" mean? Modern cars have multiple CAN and LIN (and FlexRay and Ethernet) networks, but they are bridged by modules that gateway specific messages/signals from one network to the other. Your entertainment system probably reacts to the state of your vehicle (are some functions not available when in drive? Going above some speed? Doors open?). Separate very likely does not mean "air gapped" like you'd mean in a high security computer network.

      That said, I'm not totally convinced by any of the hacks I've seen that there is reason for panic. The one I saw where they were able to control remotely required physical access to an ECU to reflash firmware. Give me physical access to any of your electronics, and I'll make it bend to my will.
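Added example, not from the thread or any vendor's firmware: a sketch of a gateway module that bridges only specific signals between buses, with a default-deny rule for everything else. Bus names, CAN IDs, byte layouts and the sample frames are hypothetical and constructed for illustration.

```python
# Hypothetical forwarding table: (source bus, CAN ID) -> (destination bus, mask).
# The mask keeps only the bytes/bits carrying the signal the destination needs,
# so the rest of the source frame never crosses the bridge.
ROUTES = {
    # vehicle speed: first two bytes of an 8-byte powertrain frame
    ("powertrain", 0x123): ("infotainment", bytes([0xFF, 0xFF, 0, 0, 0, 0, 0, 0])),
    # door-open flags: low nibble of the first byte of a body-bus frame
    ("body", 0x3B0): ("infotainment", bytes([0x0F, 0, 0, 0, 0, 0, 0, 0])),
}


def gateway(src_bus, can_id, data):
    """Return (dst_bus, can_id, data) to forward, or None to drop the frame."""
    route = ROUTES.get((src_bus, can_id))
    if route is None:
        # Default deny. No route has infotainment as a source, so nothing
        # received there is relayed toward powertrain or body.
        return None
    dst_bus, mask = route
    if len(data) != len(mask):
        return None  # unexpected length for this ID: do not relay
    return dst_bus, can_id, bytes(b & m for b, m in zip(data, mask))


def relay(trace):
    """Run a list of (src_bus, can_id, data) frames through the gateway and
    return only what would be transmitted on the destination buses."""
    return [out for out in (gateway(*frame) for frame in trace) if out is not None]


# Constructed sample traffic.
SAMPLE = [
    ("powertrain", 0x123, bytes([0x27, 0x10, 0xAA, 0xBB, 0, 0, 0, 0])),
    ("infotainment", 0x123, bytes([0x17, 0x70, 0, 0, 0, 0, 0, 0])),  # wrong side
    ("body", 0x3B0, bytes([0xF5, 1, 2, 3, 4, 5, 6, 7])),
    ("powertrain", 0x123, bytes([0x27, 0x10])),                      # bad length
]

if __name__ == "__main__":
    for out in relay(SAMPLE):
        print(out[0], hex(out[1]), out[2].hex())
```

Whether two in-vehicle networks are meaningfully "separate" then comes down to what is in this table and whether the gateway's own firmware can be changed.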

  3. Re:nothing ot see, move on by sjames · · Score: 3, Informative

    Not really. ABS for example modulates the braking power. In one test, researchers were able to put the brakes into "maintenance mode" normally used when changing the pads. In that mode, the brakes don't work. If I understand correctly, that mode is used instead of the old trick of compressing the wheel cylinder with a C-clamp.

    To complete the lunacy, in some cars, the parking/emergency brake is electrically activated now.

  4. In other Breaking News... by nonsequitor · · Score: 2

    In other breaking news, cutting the brake lines of cars can prevent them from operating correctly. Somebody issue a recall, quick!

    This is not news, a CAN bus is viewed by the industry in the same way as analog wiring in the car, physically vulnerable. It's an issue when the side view mirror actuators are on the CAN bus, and thieves can open the door and start the engine with this technique. However, this research is stating the obvious for anyone in the know. Next thing you know, one of these researchers will find a copy of the J1939 protocol standard used by the automotive industry and discover what the CAN messages mean without fuzzing the problem space.

    If someone found an On Star exploit that allowed a hacker to remotely accomplish these things on the CAN bus, then it would be news, this is not.

  5. CAN bus + Wireless = Bad news by Opportunist · · Score: 2

    CAN was never developed with security in mind. What for, it was supposed to be a LOCAL, WIRED bus on a closed system that should only be accessed by someone whose authority to access it has been verified by different means (i.e. he has the keys to the car in the first place). Now, we can see how CAN can be abused with local access. Well, duh. Insecure system is insecure. Film at 11. Right? Well, technically, yes, but let's look a hint further, shall we?

    The news here is that cars get more and more wireless features. It's simply more convenient for you to plug in all your nifty toys, from cellphone to iToy to navigator system without actually having to PLUG them somewhere. Now it's very tempting for the makers of said cars to stuff them onto the very same bus. CAN is already in your car, pretty much every kind of electronics can talk to it, ain't it the perfect thing to tie your toy into?

    In theory, yes. In practice, I predict that unless car makers take special care to secure those wireless entry points we'll see a lot of similar hacks in the future, only that this time they'll be done from outside the car without physical access to it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Different wheel size by dutchwhizzman · · Score: 2

    Cars come with different wheel/tire size combinations. In the past, getting another circumference wheel on your car meant that your odometer/speedo was off and you had to fiddle with magnetic fields or gear boxes in the cable to correct that. Because you want a different size/width tire for winter tires (narrower, higher side) than for summer (wide tire, low profile) you will eventually have to deal with this somehow if you want optimal grip during both summer and winter. Car manufacturers chose to deal with this by making the tire size programmable, so there would be an electronic correction for this.

    --
    I was promised a flying car. Where is my flying car?
  7. None of this is new by sirwired · · Score: 4, Insightful

    Of course you can do all sorts of things exactly like this with the CAN bus; that is what it was designed for, that's what it's used for every day. Just about every make has software available (around for over a decade in many instances) to do every single one of those things; in most cases (except odometer rollbacks) they are replicas of the dealer tools to do the same thing. This includes speedometer adjustments (in place to account for wheel/tire diameter), diagnostic tests like cycling locks, ABS valves, various engine bits, etc.

    Exactly what "research" was required to discover this? Is it "hacking" for me to purchase a piece of commercial software and use its well-documented functions, most of which are also detailed in the service manual they sold me for $50?

    Let me know when somebody has actually developed a Bluetooth-based attack vector and get back to me. (And plugging a Bluetooth transceiver into the OBD II port doesn't count) Until that point: snooze...

  8. Re:Somewhere by operagost · · Score: 2

    Correction: the US government can't build a web site. US companies build web sites all the time.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.