Tiffany Rad got interested in hacking cars because she wanted to drive her Land Rover off-road on rugged terrain without worrying about setting off the air bags. Her efforts to disable them sparked a series of garage experiments to reprogram her car in unusual ways. One idea: “creating a switch you could flip, so the car would perform differently when off-road and on-road.”
Teaming with a computer hardware engineer, Rad, a security expert who holds a law degree, created OpenOtto, software designed to run on a smart phone, plug into a car’s diagnostic port, and interface with a vehicle’s computer system. The set-up could scoop up information on, say, how the car’s tire suspension or drivetrain is working, or scan car software for security vulnerabilities. The project’s goal: “to provide complete free and open access to the networked electronic devices in an automobile.”
Rad’s open-source experiment, still in development, reflects how easily automobiles can be controlled and tweaked by tinkerers and malicious attackers alike. Now, as manufacturers add growing amounts of electronic gadgetry such as Internet radio and Bluetooth devices to cars, Rad warns that they are also multiplying the ways hackers could interfere with a vehicle’s operation.
Automakers got a jolt in 2010 when researchers at the University of Washington and the University of California at San Diego showed that they had successfully taken control of a car, manipulated its locks, and shut off its brakes with a script that ran on a computer plugged into the vehicle. They even orchestrated a “self-destruct demo” in which a 60-second countdown flashed on the car’s dash before its engine went dead. A year later, the same researchers announced that they’d hacked a car through its wireless interfaces. One way they accessed the car’s systems was by getting its CD player to play a tune encoded with an exploit.
“That has Hollywood action movie written all over it,” says Stefan Savage, a UCSD computer science professor involved in the effort. “But the attacks weren’t hypothetical.”
Some carmakers reacted by hiring more security experts. For instance, General Motors’ OnStar division, whose devices connect drivers to roadside assistance, increased its security budget about tenfold in the past year, according to chief information security officer Eric Gassenfeit, adding nine new staffers to what had been a one-man security team.
At least one large antivirus company, Intel’s McAfee, has also started eyeing the automobile sector, in particular hybrid vehicles. “The combination of technology deployed in these cars offers a unique attack surface,” says Ryan Permeh, a principal security architect at the company.