Car Hacking
Computer systems in modern autos can pose a security risk

Source: “Experimental Security Analysis of a Modern Automobile”
Karl Koscher et al.
IEEE Symposium on Security and Privacy, May 16-19, 2010, Oakland, CA

Results: A group of researchers at the University of Washington and the University of California, San Diego, have demonstrated that it’s possible to take unauthorized control of a car’s embedded computer systems. After gaining access through the federally mandated onboard diagnostics port–located under the dashboard in almost all cars today–they could disable a vehicle’s brakes, stop its engine, or take control of its door locks, among other things.

Why it matters: A typical luxury sedan now includes 50 to 70 embedded computers controlled by about 100 megabytes of code. The researchers wanted to demonstrate the need for added security at a time when more of these computer systems are gaining wireless capabilities. For the most part, however, the hacks they’ve performed so far required physical access to the car. The possibility of interfering with a car’s computer remotely is a concern mainly for future models.

Methods: Without any special knowledge from the manufacturer, the researchers pulled the hardware from a car and ran standard security analyses such as fuzzing, which tests software to see if it’s possible to induce any glitches or strange behavior. They used this information to craft attacks that could take over and control systems on the car’s internal network. They tried out their attacks on a parked car and then in road tests to ensure that they were practical in the real world.

Next steps: Many of the techniques commonly used to protect electronic devices won’t transfer well to cars: a corrupted braking system, for example, can’t just shut down. The researchers hope to work with manufacturers to develop more appropriate security features.