Engineers Can Now Wirelessly Hack Your Car

By Patrick Morgan | March 16, 2011 4:11 pm

It wasn’t too surprising when scientists first hacked into a car using its own onboard diagnostic port—sure, it’s easy to get into a car’s electronic brain if you’re already inside the car. Now the science of car-hacking has received a digital upgrade: Researchers have have gained access to modern, electronics-riddled cars from the outside. And in so doing, they’ve managed to take control of a car’s door locks, dashboard displays, and even its brakes.

The oddest part of these findings, which were presented this week to the National Academy of Science’s Committee on Electronic Vehicle Controls and Unintended Acceleration, is that they weren’t entirely intentional: It was all part of an investigation prompted by the Toyota acceleration problems, and was meant to probe the safety of electronic automotive systems. But testing those system’s safety also uncovered some flaws.

How It Works

The researchers took a 2009 sedan (they declined to identify the make and embarrass the manufacturer) and methodically tried to hack into it using every trick they could think of. They discovered a couple good ones.

By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe. “It’s hard to think of something more innocuous than a song,” said Stefan Savage, a professor at the University of California. [PC World]

Built-in cellular services that provide safety and navigational assistance, like GM’s OnStar, can also be used to upload malicious code:

The researchers found that they could take control of this system by breaking through its authentication system. First, they made about 130 calls to the car to gain access, and then they uploaded code using 14 seconds of audio. [Technology Review]

In the wrong hands, the technology could certainly be harmful; once a hacker gains access, they can do anything from sabotage brakes to monitor car movements (by forcing the car to send GPS signals). But the engineers say the “wrong” hands wouldn’t have the know-how to undertake these complicated procedures—at least for now. As Stefan Savage, a computer scientist at the University of California, San Diego, told Technology Review: “This took 10 researchers two years to accomplish,” Savage adds. “It’s not something that one guy is going to do in his garage.”

Related Content:
DISCOVER: 20 Things You Didn’t Know About… Computer Hacking
80beats: Is the U.S. Government Losing the Battle Against Hackers?
80beats: The Latest Threat to the Amazon Rainforest: Hackers
80beats: Forget Car-Jacking: Car-Hacking Is the Crime of the Future

Image: Courtesy Center for Automotive Embedded Systems Security

CATEGORIZED UNDER: Technology
  • Jody

    Wow. That guy savage basically just challenged hackers to try and do this.

  • Solitha

    I think he underestimates the mindset of the criminal. You’re talking about cars costing $20k or more… the push for that money will easily drive some guy in his garage to find those security holes.

  • kirk

    What the 10 engineers worked on for two years was 15 year old code running on 20 year old embedded controller architectures. This is like cutting and polishing diamonds by hand. In 10 years telematics – completely integrated dashboard, engine and safety – will run embedded Linux on 5 year old hardware comprising an automotive node on the internet. I for one welcome out Stuxnet overlords. I like my bicycle more everyday.

  • s

    Jody is bang on. I had that same thought that this article dares hackers to try.

    Hackers are unscrupulous….but they are also ego-centric and will no doubt come up with a way.

    At least I know my “Vette is safe. No electronics on the old girl. :)

  • plutosdad

    “This took 10 researchers two years to accomplish,” Savage adds. “It’s not something that one guy is going to do in his garage”
    this is the dumbest comment ever.
    The first time it’s hard, the second time will take months, in a few years script kiddies everywhere will be able to do it. Why do they think secure communications all use encryption AND continual rotating frequencies, and even that can be defeated by kids with black boxes that rotate (for opening cars)

    I see tv ads of people controlling cars via phone apps, hacking of that is only months away

  • justanotherday

    It is likely that hackers already knew about it, are already doing it and since have found a better and easier way. The arrogance is appalling. How often does the police recover a stolen car whole and no sign of damage? Then, assuming if they do recover it whole, how often do they figure out exactly how it was stolen? Finally, the cop is not going to just dismiss a car thief had a tow truck, made keys or didn’t exist because the owner was completely incompetent and forgot where they put the car in the first place. Or the owner was trying to commit insurance fraud. I think those would be first. I highly doubt the dealer is going to suspect that the computer was hacked–assuming it was recovered whole. They would just re-flash the memory. In closing, it is much harder to find something that you don’t know even exist, than to find something that you do know exist. I could see if they found a way to hack into the DOD. Not that it is impossible. Just that there is a little more security at the DOD than in a car computer. At the DOD, you expect and get attacks.

  • http://discovermagazine.com Iain

    Lol! Now that the world is alerted, it’s coming to a Christine near you soon.

  • Idlewilde

    Lol, my family’s car is too old for this….

  • KCBlues

    10 guys x 2 years = 240 person months of effort
    = 2.4 months x 100 guys in a hacker forum

  • Deborah

    Yet another reason to keep my ’97 Volvo. (Still runs like a dream, btw. Made back in the day when they were constructed by a team of efficient Swedish elves.)

  • gwg

    Wow they just made the value of good old fasioned non computerized car’s gp up a whole lot. I am really loving my 66 chevelle right now.

  • Susan

    I too have an old-fashioned non-electronic ‘Vette, and when I order my next one, I will specify that it does NOT include the fancy-schmancy OnStar system. I’ve been teasing my husband for months that I don’t want my car telling him which bar and which hotel my car is parked at if I’m AWOL!!

    Tee hee!! Used to be if you wanted to cheat, all you had to do was pay cash and sign a fake name. Used to be if you wanted to secure your money you used a money clip. Used to be if you wanted to wish someone “Happy Birthday” you had to buy and mail a greeting card a week in advance. Don’t get me started on what HR departments can do with your Facebook account . . . I miss the ’80′s . . .

  • Sam Marasco

    Holy Mackerel Andy!! This is really a scary thought. Just think if terrorists set up a hidden antenna on a large ‘beltway’. My gosh! what havoc they could wreak!

  • http://bigthink.com/mosesbaldwinhenson symptoms of bipolar disorder in adults

    Hi exactly what theme are you currently using on this website? I enjoy it :)

  • http://www.NYYUniverse.com Yankees

    I love yours website template, what template do you have?? please reply!

  • http://bitly.com/qRvZlP Laree Swarn

    Howdy I am so happy I found your website http://blogs.discovermagazine.com/80beats/2011/03/16/scientists-can-now-wirelessly-hack-your-car, I really found you by chance, while I was researching on Aol for something else, Nonetheless I am here now and would just like to say thanks a lot for a fantastic post and an all round enjoyable blog (I also love the theme/design), I don’t have time to look over it all at the minute but I have book-marked it and also included your RSS, so when I have time I will be back to read much more, Please do keep up the awesome job.

  • http://daafeet.com/index.php?news=440 ipad 3

    This blog site is extremely cool. How can I make one like this ?

  • http://www.blurty.com/talkpost.bml?journal=mousekevitz582&itemid=508 Tamra Durtsche

    Hey There. I found your blog using msn. That is a very smartly written article. I’ll be sure to bookmark it and return to learn more of your helpful info. Thank you for the post. I will certainly return.

  • Don

    Well everyones comments are old news, read this story of a 20 year old man http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/
    Their on there way!!!!

NEW ON DISCOVER
OPEN
CITIZEN SCIENCE
ADVERTISEMENT

Discover's Newsletter

Sign up to get the latest science news delivered weekly right to your inbox!

80beats

80beats is DISCOVER's news aggregator, weaving together the choicest tidbits from the best articles covering the day's most compelling topics.
ADVERTISEMENT

See More

ADVERTISEMENT
Collapse bottom bar
+

Login to your Account

X
E-mail address:
Password:
Remember me
Forgot your password?
No problem. Click here to have it e-mailed to you.

Not Registered Yet?

Register now for FREE. Registration only takes a few minutes to complete. Register now »