Slashdot Mirror


Car Hackers Mess With Speedometers, Odometers, Alarms and Locks

mask.of.sanity writes "Researchers have demonstrated how controller area networks in cars can make vehicles appear to drive slower than their actual speed, manipulate brakes, wind back odometers and set off all kinds of alarms and lights from random fuzzing (video). The network weaknesses stem from a lack of authentication which they say is absent to improve performance. The researchers have also built a $25 open-source fuzzing tool to help others enter the field."

6 of 159 comments

  1. Surprising to me by Okian Warrior · · Score: 4, Interesting

    I used to write software for aircraft instruments.

    What's surprising to me is that single-function devices can have their functions changed. The speedometer has one function: to report the vehicle's speed. What requirement is satisfied by allowing this to change? Why would you even need to upgrade it?

    I would have thought that certain features of the car would be fixed program/unchangeable, at the very least to simplify the design.

    1. Re:Surprising to me by sjames · · Score: 4, Insightful

      Sadly, it may not require physical access. All the entertainment system and GPS nav are connected to the bus as well. It may be possible to get in through wifi or bluetooth and hack an entertainment device to proxy you in to the CAN bus. See this.

    2. Re:Surprising to me by brantondaveperson · · Score: 4, Informative

      This is the only comment here so far of any consequence. Hacking a car by plugging into the CAN bus is hardly rocket science, but remotely gaining access to the car's ECUs via Bluetooth is a very different matter indeed. Securing CAN is pretty much a non-starter, but securing those wider area wireless networks that cars are increasingly supporting is something that should be taken very seriously indeed. And if Toyota's recent drubbing in the source code courts shows anything, it shows that car manufacturers don't make very good software houses.

  2. Re:Hmmm... by AlphaWolf_HK · · Score: 4, Informative

    Just to clarify how the law works on this one, in most states (probably all, but there are 50 of them so you never know if there are variations) when you hop behind the wheel and start driving any car (whether you own it or not) you are responsible for the operation of that car, including if anything is wrong with it that causes an accident or any sort of moving violation, such as a malfunctioning safety device (and the speedometer is a safety device.)

    Now that doesn't stop you from suing a manufacturer, mechanic, or other responsible party if something has gone wrong with the car that wasn't your fault and caused any damages. But, any damages (even just a ticket) are your responsibility first, and if the cause was from a manufacturer or mechanic, it's then on you to recover your losses from them. In other words, if your brakes fail due to manufacturer defect, you can't just tell the guy you rear ended to go collect from your car manufacturer. He goes after you, and whatever he collects from you, you then have to collect from the manufacturer.

    You also still end up with a ticket and a mark on your driving record, because again you assumed responsibility for anything wrong with the car by driving it.

    --
    Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
  3. None of this is new by sirwired · · Score: 4, Insightful

    Of course you can do all sorts of things exactly like this with the CAN bus; that is what it was designed for, that's what it's used for every day. Just about every make has software available (around for over a decade in many instances) to do every single one of those things; in most cases (except odometer rollbacks) they are replicas of the dealer tools to do the same thing. This includes speedometer adjustments (in place to account for wheel/tire diameter), diagnostic tests like cycling locks, ABS valves, various engine bits, etc.

    Exactly what "research" was required to discover this? Is it "hacking" for me to purchase a piece of commercial software and use its well-documented functions, most of which are also detailed in the service manual they sold me for $50?

    Let me know when somebody has actually developed a Bluetooth-based attack vector and get back to me. (And plugging a Bluetooth transceiver into the OBD II port doesn't count) Until that point: snooze...

  4. Re:Hmmm... by X0563511 · · Score: 4, Interesting

    Indeed. My speedometer has matched every roadside radar display I've encountered.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...