Warning: your car can be hacked

By Aida Sevilla-Mendoza August 28, 2013

Computers and smartphones are not the only targets of hackers. Very soon, if not already, hackers will be able to take over the electronic control unit (ECU) of your car and reprogram it to do essentially whatever they want, such as disable the brakes and distort the steering. This kind of digital mischief, which can lead to a deadly road crash, was demonstrated by Charlie Miller (a security researcher at Twitter) and Chris Valasek (director of security intelligence at IOActive, a security research company) at Def Con, the world’s longest running and largest annual underground hacking conference. Def Con 21 was held in Las Vegas last July 27-Aug. 1 together with the Black Hat computer security conference.


This year’s Black Hat and Def Con attracted more than 7,500 of the world’s security experts including computer researchers and hackers who presented the latest bugs and vulnerabilities they have discovered.  It was a combination of public service, business and sport.  By drawing attention to the more popular targets, the “white-hat” (ethical) hackers hope to encourage greater security from the various manufacturers and industries and more vigilance from consumers.  The presenters inform manufacturers of bugs ahead of their talks so the companies can fix the issues before they are exploited by criminals.


INVITING TARGETS. Modern cars contain 10 to 40 little computers, what with Bluetooth, wireless tire sensors, telematics units and other high-tech gizmos on board. As cars get Internet connections, they will become more inviting targets since anything that can connect to a network can be hacked. In other words, your car is just a rolling personal computer waiting to be hacked. Car manufacturers and the United States government are aware that motor vehicles are vulnerable. Thus the US military’s Defense Advanced Research Projects Agency (Darpa) gave a grant to Miller and Valasek to look into what kind of damage hackers could do to a car and to research ways carmakers can thwart hacker attacks.


Working on two hybrid vehicles, a Toyota Prius and a Ford Escape, Miller and Valasek accessed the systems by physically connecting a computer to the cars through a diagnostics port.  They wrote custom software that let them hijack the systems and disable the brakes, change the display to show incorrect speed or fuel levels, and meddle with the steering and seatbelts.  They were able to kill the engine and toy with less consequential features like the car’s horn and lights.


SUSCEPTIBLE. Toyota downplayed the wired demonstration and said it is focusing on security measures to prevent wireless attacks. The hybrid Prius and Escape are probably not the only cars susceptible to these attacks; they just happened to be the research vehicles for Miller and Valasek. In their paper presented at Def Con 21, they said that automobiles have been designed with safety in mind, but you can’t have safety without security. If an attacker (or even a corrupted ECU) can send CAN packets, this might affect the safety of the vehicle, they added.


The demonstration of Miller and Valasek was preceded at Def Con 21 by Australian hacker Zoz, who outlined the security issues fully autonomous cars will face. Autonomous vehicles like cars and drones are essentially robots and they rely on sensors to operate. Although fully driverless cars are still years away, Zoz said car-hacking is inevitable. He pointed out that even today, computerized systems are common in vehicles on the road and ECUs control a range of car functions including braking, accelerating and steering, aside from managing security features, in-car displays and even seatbelts.


THEORETICAL. But the hacking demonstrations presented at Def Con 21 do not mean that we should bury our computers and smartphones and never drive our cars again. Some researchers commented that many of the hacking demonstrations were provocative but more theoretical than real and that these exotic technologies don’t really impact on our daily lives yet. On the other hand, Miller at Twitter said that hacking against Web browsers had not halted despite efforts to stop it over the past 10 years, so there is no reason to think that we can stop attacks against cars and other devices in the near future. “We should be concerned and start taking action now,” he added. (Sources: CNN.com, IHT, threatpost.com)


* * *


CORRECTION, PLEASE:  In last week’s column on the Peugeot 5008 Allure, the last two sentences should have read: “It may not excite car enthusiasts, but what mom mobile does? Rather, the 5008 Allure quietly satisfies and impresses the attentive driver with a Gallic shrug.”
