At Black Hat Asia next month, two Spanish security researchers are going to show a palm-sized device that costs less than $20 to build from off-the-shelf, untraceable parts and that, depending on the car model, can screw with windows, headlights and even the truly scary, make-you-crash bits: i.e., steering and brakes.
The upcoming demo, colorfully titled “DUDE, WTF IN MY CAN!”, is being given by Javier Vazquez-Vidal and Alberto Garcia Illera.
Forbes’s Andy Greenberg spoke to the researchers for his writeup of the technology behind the upcoming demo.
The hacking tool works by bypassing the security of a modern vehicle’s Controller Area Network, aka the CAN bus.
The tool hooks up to a car via four wires, allowing an attacker to then take over a car remotely.
Once it’s physically connected, the tool can inject malicious commands. It draws power from the car’s electrical system and waits to relay wireless commands sent remotely from an attacker’s computer, Greenberg reports.
The researchers call their gadget the CAN Hacking Tool, or CHT.
Vazquez Vidal, who works as an automobile IT security consultant in Germany, told Greenberg that it takes 5 minutes or less to hook it up and walk away, after which the researchers can mess with a hacked car at will:
We could wait one minute or one year, and then trigger it to do whatever we have programmed it to do.
At the moment, the CHT communicates only via Bluetooth, limiting the range of a wireless attack to a few feet, but the researchers said that by the time they present next month at Black Hat they’ll have upgraded the tool to use a GSM cellular radio that will enable it to be controlled from miles away.
Mind you, the Spanish researchers’ $20 car-hacking gizmo isn’t the first bargain-rate car hacking kit.
A few years back, it emerged that any idiot with $30 could buy a hacking kit to steal your BMW.
Likewise, this isn’t the first time Greenberg has been exposed to cars that have been hacked to run amok.
But at least this time, he wasn’t stomping on the completely unresponsive brakes of a 3,500-pound Ford Escape that wouldn’t slow down and which eventually plowed into weeds in an abandoned parking lot.
Sat in the back seats were researchers Charlie Miller and Chris Valasek, who not only circumvented the Ford Escape’s brakes but also showed Greenberg how a ride in a Toyota Prius could turn into a journey that spanned the annoying (an uncontrollably blasting horn) and zoomed right into the potentially lethal: slamming on the Prius’s brakes at high speeds, commands sent from a laptop that killed power steering, spoofed GPS, and tinkered-with speedometer and odometer displays.
These car-hacking headlines recently prompted US Senator Edward Markey to ask leading car manufacturers to explain how they secure their vehicles against cyber attacks.
Senator Markey thinks, as do researchers including Vazquez-Vidal, Garcia Illera, Miller and Valasek, that the threat of cyber car attacks is quite real.
The National Highway Traffic Safety Administration (NHTSA) said in response to the concerns over car hacking that yes, these hacks are real, as are the challenges they represent to manufacturers.
But c’mon, they said – is anybody outside of tinkering researchers actually doing this?
From the statement the NHTSA released in December:
While increased use of electronic controls and connectivity is enhancing transportation safety and efficiency, it brings a new challenge of safeguarding against potential vulnerabilities. NHTSA recognises these new challenges but is not aware of any consumer incidents where any vehicle control system has been hacked.
Some auto security experts have pointed out that these types of attacks are a lot tougher to implement on vehicles than they are on traditional computing devices.
Stuart McClure, chief executive of Cylance Inc and an expert on auto security, told Reuters that what the government should really look into is how automakers secure data that customers hand over to get a lease or a loan:
If I want to get a whole bunch of social security numbers and private data, I'm going to hack into their corporate servers and gain access to the data belonging to the millions of people who ever got a car from them.
But just because it hasn’t happened yet, doesn’t mean it won’t happen soon. It’s something that needs fixing before it becomes a widespread problem.
Which are you more worried about: a James Bond-like scenario where hackers disable your brakes and you helplessly speed toward a cliff, or the specter of your bank account, drained by some thief who got his hands on your bank card data?
I guess we don’t have to choose. We can always worry about both.