Since today’s vehicles are controlled by a host of computer systems under the dash and hood, the question arises: Can a car be hacked? Could a thief armed with the right programming and technology remotely unlock an expensive rig, start the engine and drive off? Could an enemy turn off your brakes or shut down your engine without you knowing it? The answer, sadly, is yes.
While it doesn’t appear to be happening in the real world yet, computer scientists from the University of Washington and the University of California San Diego created a real life demonstration of hacking in two 2009 passenger cars of the same make and model. Using a program they designed called CarShark, they were able to shut off the engine, disable or activate the brakes, lock or unlock the doors or falsify instrument cluster information like fuel level or speed.
Using a wireless connection, the researchers adversely controlled their test car using the Internet. “In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance,” states the paper summarizing the project, which was presented to the National Academy of Sciences Transportation Research Board earlier this month.
A malefactor also could hack into a car using the legally-required on-board diagnostic port typically found under the dash in some contemporary vehicles. While mechanics or emissions testers typically use this port to check vehicle function, bad guys could also use it to insert malicious programming into a car’s internal network.
A device attached to the port could be left there undetected, or even do its job transmitting malware after only a brief connection. What’s worse, any “attack code” inserted into the car could be written to erase itself after performing its evil job, making forensic detection at a crash scene impossible.
The researchers won’t say what kind of car they used in their testing, but believe virtually all modern vehicles–because of their computerization–are vulnerable to assault.
Will the findings encourage criminals to start hacking cars? The research team asserts that as cars become more connected to the Internet and even more computerized, criminals will inevitably figure out how to hack into them all on their own.
“All of our work is motivated by a desire to improve automotive security before there are real threats in the field,” said Stefan Savage, one of the researchers involved in the study. “We have been incredibly impressed by our reception within the automotive industry and our experience is that they are extremely diligent in working to improve their systems.”
We contacted a half dozen major automakers to get their take on the car-hacking project.
Ford said it is “…taking the threat very seriously and investing in security solutions that are built into the product from the outset. The safety, privacy, and security of our customers is paramount. With our development of the SYNC platform and associated features, we’ve had security engineers working to ensure that we’ve developed a product that is as resistant to attack as possible.”
“All of the automobile companies work very hard to keep everything in their electronics extremely secure,” said a spokesperson from Chrysler. “I think that those fellows had a lot at their disposal rather than the average street thief.”
Toyota said it doesn’t use digital communication modules that allow customers to activate the doors and check various vehicle components using a smart phone so the only way someone could hack into their cars would be to physically break into them.
For more information about the research project, visit its Q&A site, which includes a link to the full report.