Sophos Cloud Optix
At Black Hat Asia next month, two Spanish security researchers are going to show a palm-sized device that costs less than $20 to build from off-the-shelf, untraceable parts and that, depending on the car model, can screw with windows, headlights and even the truly scary, make-you-crash bits: i.e., steering and brakes.
The upcoming demo, colorfully titled “DUDE, WTF IN MY CAN!”, is being given by Javier Vazquez-Vidal and Alberto Garcia Illera.
Forbes’s Andy Greenberg spoke to the researchers for his writeup of the technology behind the upcoming demo.
The hacking tool works by bypassing the security of a modern vehicle’s Controller Area Network, aka the CAN bus.
The tool hooks up to a car via four wires, allowing an attacker to then take over a car remotely.
Once it’s physically connected, the tool can inject malicious commands. It draws power from the car’s electrical system and waits to relay wireless commands sent remotely from an attacker’s computer, Greenberg reports.
The researchers call their gadget the CAN Hacking Tool, or CHT.
Vazquez Vidal, who works as an automobile IT security consultant in Germany, told Greenberg that it takes 5 minutes or less to hook it up and walk away, after which the researchers can mess with a hacked car at will:
We could wait one minute or one year, and then trigger it to do whatever we have programmed it to do.
At the moment, the CHT communicates only via Bluetooth, limiting the range of a wireless attack to a few feet, but the researchers said that by the time they present next month at Black Hat they’ll have upgraded the tool to use a GSM cellular radio that will enable it to be controlled from miles away.
Mind you, the Spanish researchers’ $20 car-hacking gizmo isn’t the first bargain-rate car hacking kit.
A few years back, it emerged that any idiot with $30 could buy a hacking kit to steal your BMW.
Likewise, this isn’t the first time Greenberg has been exposed to cars that have been hacked to run amok.
But at least this time, he wasn’t stomping on the completely unresponsive brakes of a 3,500-pound Ford Escape that wouldn’t slow down and which eventually plowed into weeds in an abandoned parking lot.
Sat in the back seats were researchers Charlie Miller and Chris Valasek, who not only circumvented the Ford Escape’s brakes but also showed Greenberg how a ride in a Toyota Prius could turn into a journey that spanned the annoying (an uncontrollably blasting horn) and zoomed right into the potentially lethal: slamming on the Prius’s brakes at high speeds, commands sent from a laptop that killed power steering, spoofed GPS, and tinkered-with speedometer and odometer displays.
These car-hacking headlines recently prompted US Senator Edward Markey to ask leading car manufacturers to explain how they secure their vehicles against cyber attacks.
Senator Markey thinks, as do researchers including Vazquez-Vidal, Garcia Illera, Miller and Valasek, that the threat of cyber car attacks is quite real.
The National Highway Traffic Safety Administration (NHTSA) said in response to the concerns over car hacking that yes, these hacks are real, as are the challenges they represent to manufacturers.
But c’mon, they said – is anybody outside of tinkering researchers actually doing this?
From the statement the NHTSA released in December:
While increased use of electronic controls and connectivity is enhancing transportation safety and efficiency, it brings a new challenge of safeguarding against potential vulnerabilities. NHTSA recognises these new challenges but is not aware of any consumer incidents where any vehicle control system has been hacked.
Some auto security experts have pointed out that these types of attacks are a lot tougher to implement on vehicles than they are on traditional computing devices.
Stuart McClure, chief executive of Cylance Inc and an expert on auto security, told Reuters that what the government should really look into is how automakers secure data that customers hand over to get a lease or a loan:
If I want to get a whole bunch of social security numbers and private data, I'm going to hack into their corporate servers and gain access to the data belonging to the millions of people who ever got a car from them.
But just because it hasn’t happened yet, doesn’t mean it won’t happen soon. It’s something that needs fixing before it becomes a widespread problem.
Which are you more worried about: a James Bond-like scenario where hackers disable your brakes and you helplessly speed toward a cliff, or the specter of your bank account, drained by some thief who got his hands on your bank card data?
I guess we don’t have to choose. We can always worry about both.
Image of car on fire courtesy of Shutterstock.
If you’re an ordinary person, you probably don’t have to worry about this, as there are far more effective ways to get rid of you if someone really wants to. And if someone wants to sabotage your car, attacks like “cut the brake lines” have been around since before computers. However, if you’re an important government official in a televised motorcade, I could see this as a way someone could wreak havoc at the worst possible time without worrying about the armed guards. (Though “attach a bomb to the car” has been around a while, too.)
The point is — if cars, why not planes?
“At the moment, the CHT communicates only via Bluetooth,”
This is not a major restriction: Just fix a Bluetooth capable and paired mobile in the vicinity of the CHT and you can controll it from anywhere.
I would be worried as a car manufacturer about my own money. The plot is simple: The crooks threaten to create or do realize a few accidents of the same model here and there, and send a friendly message “Better pay $$$$$$$, or you will have a very bad press, a recall campain and a class action lawsuit.”
re: “The tool hooks up to a car via four wires”
Please correct me if wrong:
If this requires the hacker to have physical access to the otherwise locked interior of the car, or engine compartment (etc.), it seems to be a lot of concern about something that is not likely to happen to most people most of the time.
On the other hand, for people that leave their car unlocked, or give their keys to parking attendants or other service personnel, including car mechanics, the concern is presumably more significant.
And to think, a lot of these weak links in transportation security were created by gov’t requirements to have cars compensate for poor drivers’ education. The technology is a very expensive means to the same end, driver safety. Something that can (and should IMHO) simply be taught to people. It raises the cost of cars and creates security loopholes. I personally feel it is sad that technology has to compensate knowledge instead of enhance it. I mean, I’d rather have a teacher than a nanny. It’s not that hard to pay attention and drive safely. I love my old ‘dumb’ car, old ‘dumb’ phone and old ‘dumb’ coffee maker, none of which can be controlled remotely.
BTW – this demo sound really cool and I hope to see the video soon.
But, c’mon – Michael HASTINGS!
“But c’mon, they said – is anybody outside of tinkering researchers actually doing this?”
Well once the instructions are posted on the Internet by a black hat, then a disillusioned spouse, or that guy who’s working for peanuts in the local parking garage, or maybe even the car wash attendant, will all be able to do this.
But the real concern is that while nothing has yet been developed, IF your car connects to the Internet for some reason and that access is not adequately firewalled, then a remote hacker can cause accidents at will. They don’t necessarily even need to know the driver. Just picture someone pressing a button and causing 50,000 cars to crash.
So please, car makers, make sure you do not have any connection between that Internet radio and the more important bits of your vehicles.