Hacking the Modern Automobile


If you’re reading the Kaspersky Daily with any degree of regularity, then you likely already know that it is very possible to hack the modern automobile. In fact, I wrote an article based on some widely cited research carried out by the Universities of Wisconsin and California at San Diego way back in 2010. The only problem – of course – is that the research was carried out in 2010. Luckily for us, Dr. Charlie Miller, the famed Apple hacker and highly respected computer security researcher, along with Chris Valasek, the head of security intelligence at IOActive, delivered a presentation on car hacking just last week at the Def Con security conference, which began at the Rio Hotel just across the highway from Caesars Palace in Las Vegas the day Black Hat ended.


Furthermore, Valasek and Miller’s research – as embodied in a more-than-100-page paper – is far more extensive than previous work. Miller and Valasek detail the cars they used; UC San Diego and UW researchers did not. Valasek and Miller published everything: exploit details, the codes used by the car’s computers to communicate and how to override or trick them, the layout of the onboard computers and how they are networked together, and much more. Beyond that even, the researchers took one of their hacked cars on the road for a test drive, and literally giggled away in the backseat with their laptops as Forbes’ reporter Andy Greenberg struggled to drive a car that was being actively, and somewhat terrifyingly, manipulated.

Before we get into the fun stuff, a quick lesson on cars and the computers living inside them: modern cars contain small computers called electrical control units (ECUs). The number of ECUs in the modern automobile varies, but some cars may contain as many as fifty ECUs. The ECUs serve a multitude of purposes. In Miller and Valasek’s cars, the separate ECUs controlled, monitored or helped regulate everything from engine control to power management to steering to skid control (anti-lock braking system) to seat belt locks to airbags to parking assist technologies to something called the combination meter assembly and any number of other things I have never heard of. Nearly all of these ECUs are networked together on the controller area network (CAN) bus. The CAN bus and ECUs together act as the central nervous system of the modern vehicle, communicating with one another to report vehicle speed and revolutions per minute or to inform the pre-collision system when an accident is about to occur so that it can engage the brakes, cut the engine, lock the seatbelts and do whatever else it does when a car is about to crash. Most of these signals are triggered by sensors built into the ECUs.

For what it’s worth, Valasek and Miller were working with a 2010 Ford Escape and a 2010 Toyota Prius, though their research is likely applicable – both directly and in theory – to any number of other makes and models as well.

The researchers bought a fairly cheap ECOM cable that runs through an ECOM device that can be plugged into a Windows machine through a USB port. With a little modification, they could plug the other end of the ECOM cable into the cars’ OBD II ports (this is the thing under the steering wheel that mechanics use to communicate with your car for inspections and other work and into which you can plug a diagnostic tool in order to reset engine codes, turn off the check engine light, etc.). Once they were plugged in, they started monitoring the ways that the ECUs communicate with one another along the CAN bus and how these communications affect the operation of their two vehicles. Eventually they had a firm grasp on the communications protocols and they were ready to start spoofing them (injecting their own signals to mimic those passing through the cars’ CAN buses from each of the ECUs).


Depending on which car they were working with, the researchers could make the vehicles do different things. I’ll mention some of the more interesting things they managed to do to each specific vehicle; you can read their report for yourself if you want to learn more.

They found they could manipulate the speedometer, the odometer (the instrument that measures the number of miles a car has traveled), and the fuel gauge. In the case of the speedometer, they found that the ECU monitoring vehicle speed repeatedly sent signals through the CAN bus to the ECU controlling the instrumentation panel. In order to trick the speedometer into believing their spoofed vehicle speed signal, the researchers had to send more fake signals to the instrument panel than the actual speed monitoring ECU did. Once they achieved the correct rate of signal-sending, they could make the speedometer display any speeds they wanted.

The doors of the Prius could be locked and unlocked. The locks could be physically over-ridden, meaning that they couldn’t lock someone inside the car, but they could access the car from outside by unlocking it.

On the Ford, they launched a denial of service attack, flooding the ECU in charge of monitoring steering with traffic from the CAN bus, causing the power steering to shut down, and limiting the vehicle’s steering radius to just 45 percent of capacity. They also found they could manipulate the parking assist module (the ECU that controls the automatic parallel park functions). They admit, however, that the parking assist system will only kick in at very low speeds and that the worst they could do is cause the car to hit the one it is attempting to parallel park next to.
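Both the speedometer spoofing and the steering flood described above put far more frames on the bus for a given message ID than the legitimate ECU sends, which is something a monitor can detect. The following is an added example, not code from the researchers' paper: it learns each ID's normal period from a clean capture and flags IDs whose rate jumps. The `candump -l` text format is assumed, and the IDs `0x123` and `0x456` and all sample frames are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# candump -l style line: "(timestamp) interface ID#DATA"
FRAME = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

def parse(log):
    """Yield (timestamp, arbitration_id) for each well-formed line."""
    for line in log.splitlines():
        m = FRAME.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16)

def baseline_periods(log):
    """Median inter-arrival time per ID, learned from a known-clean capture."""
    seen = defaultdict(list)
    for ts, can_id in parse(log):
        seen[can_id].append(ts)
    return {i: median(b - a for a, b in zip(t, t[1:]))
            for i, t in seen.items() if len(t) >= 3}

def rate_anomalies(log, periods, window=0.1, factor=2.0):
    """Return {id: peak frames per window} for IDs far above their baseline rate."""
    recent, peak = defaultdict(list), defaultdict(int)
    for ts, can_id in parse(log):
        q = recent[can_id]
        q.append(ts)
        while ts - q[0] > window:      # drop frames older than the window
            q.pop(0)
        peak[can_id] = max(peak[can_id], len(q))
    alerts = {}
    for can_id, n in peak.items():
        expected = window / periods[can_id] + 1 if can_id in periods else 0
        if n > factor * expected:      # unknown IDs (expected 0) always alert
            alerts[can_id] = n
    return alerts

def make_log(streams, duration=1.0):
    """Constructed sample data; streams = [(can_id, period_s, offset_s), ...]."""
    frames = sorted((off + k * p, cid) for cid, p, off in streams
                    for k in range(int(duration / p)))
    return "\n".join(f"({1000 + t:.6f}) can0 {cid:03X}#0000000000000000"
                     for t, cid in frames)

# IDs 0x123 and 0x456 are made up for this example.
CLEAN = make_log([(0x123, 0.020, 0.0), (0x456, 0.100, 0.003)])
# Same traffic plus a second sender on 0x123 transmitting five times as often.
SPOOFED = make_log([(0x123, 0.020, 0.0), (0x456, 0.100, 0.003), (0x123, 0.004, 0.001)])

if __name__ == "__main__":
    print(rate_anomalies(SPOOFED, baseline_periods(CLEAN)))
```

The window and factor are illustrative defaults; a real monitor would tune them per ID, since some messages are event-driven rather than periodic.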

The researchers messed with the steering assist on the Prius as well. The ECUs in the Prius had been set so that the auto-park steering assist feature would only work if the car were in reverse and traveling less than four miles per hour. So, Valasek and Miller tricked the car into thinking it was in reverse when it was really in drive and further tricked it into believing it was moving slower than four miles per hour when in fact it was traveling faster than that. They weren’t able to turn the wheel as precisely as the auto-park steering assist feature could, but they could control the wheel with harsh, sporadic jerks in one direction or the other.

The Prius also has a lane keep assist feature that has the capacity to angle the car slightly back toward a road if it senses that a driver is veering off the road. The ECU in charge of this feature only permits a five degree turn of the steering wheel. The researchers could reliably hijack this feature, and while five degrees constitutes a relatively small change in direction, they note it becomes a significant one if the car is moving at high speeds in traffic or on narrow roads.

On the Ford it is possible to send a command to the CAN bus that will tell the car to bleed the brakes. While the brakes are bleeding, they will not stop the car. The brake-bleed attack will only work if the car is moving slower than five miles per hour, which is pretty slow, but it was still fast enough for one of the researchers to crash the Ford Escape into the wall of his garage during the testing process.

There is a message that the Ford’s CAN bus can send to kill one or more of the pistons. Valasek and Miller reverse engineered this code and sent it over and over again. The car would not start again until they stopped sending that code. The Prius is also vulnerable to having its engine cut off, though in a technically different – but pragmatically similar – way.

They also found a command that would turn all the lights off inside and outside the Ford. The ECU in charge of lighting would only listen to the command if the car was not moving, but if the researchers issued the command while the car was stopped, the car would obey the command even after the car was in motion again. This cut off all the lights, meaning they could have taken the car on a highway with no brake lights. Furthermore, once they put the car in park, it would not come out of park – likely because the ECU in question here also controlled the brake switch that allows the driver to take the car out of park. They could mess with the headlamps on the Prius – turning them on and off – but only if the driver had the headlights set on the “auto” feature that turns the lights on and off depending on the amount of light outside the car.

While messing around with the Prius’s cruise control module, the researchers were not able to cause the car to accelerate in cruise control, which is good. That said, they did manage to trick the car into slowing down and even stopping completely by convincing the pre-collision system that the car was about to crash into some object in front of it. Even if the driver were pressing on the gas pedal, the car would continue to brake. In order to cause the Prius to accelerate outside of cruise control, the researchers had to modify their ECOM cable and connect directly to the power management console (the ECU that controls the car’s acceleration), because that ECU was not connected to the CAN bus. They only managed to cause the car to accelerate for a few seconds after the driver had let up on the gas. Still, such unwanted acceleration could be potentially dangerous.

Another function of the pre-collision system is to engage the seatbelt motor so that it tightens the belt ahead of an impending crash. Valasek and Miller could cause this to occur whenever they wanted.

The researchers also talked at great length about the potential for injecting code into the ECUs and the CAN bus (i.e. infecting them with malware). I won’t go into too many specifics here other than to say that it is quite possible to inject code into and execute code on these machines (so possible that the last 20 or 30 pages of their report are dedicated to it).

An additional fact to keep in mind with this type of hack is that it requires physical access to the car and (for now) it’s impossible to perform it remotely.

There is one obvious defense measure to make sure your car can’t be hacked: buy a really old car. This defense works, but, frankly, your hackable 2013 Nissan Maxima is way, way safer than my unhackable 1998 Honda Accord. Your hackable car has all sorts of wild safety features and sensors letting you know if something has gone awry before you even take it on the road. With my old car, it’s a total gamble every time I take it on the highway.

The reality here is that Miller and Valasek are two of the smartest people in the security industry. Their jobs are to hack things, and they hack things because they genuinely want to make the world of connected things a safer place. In addition to that and despite the fact that their research includes all the codes and techniques you need to do what they did, they are among the only human beings in the world with the technical knowledge to perform such a complicated attack. If that doesn’t assuage your fears, you should also know that the auto-makers – like the tech companies – look at this kind of research and better their vehicles based upon it.

If you haven’t seen it yet, head on over to the Forbes website and watch the video of Andy Greenberg driving around while Valasek and Miller actively hack the Toyota Prius as he drives it. It’s a good time. I promise.
