Tiffany Rad got interested in hacking cars because she wanted to drive her Land Rover off-road on rugged terrain without worrying about setting off the air bags. Her efforts to disable them sparked a series of garage experiments to reprogram her car in unusual ways. One idea: “creating a switch you could flip, so the car would perform differently when off-road and on-road.”
Teaming with a computer hardware engineer, Rad, a security expert who holds a law degree, created OpenOtto, software designed to run on a smart phone, plug into a car’s diagnostic port, and interface with a vehicle’s computer system. The set-up could scoop up information on, say, how the car’s tire suspension or drivetrain is working, or scan car software for security vulnerabilities. The project’s goal: “to provide complete free and open access to the networked electronic devices in an automobile.”
Rad’s open-source experiment, still in development, reflects how easily automobiles can be controlled and tweaked by tinkerers and malicious attackers alike. Now, as manufacturers add growing amounts of electronic gadgetry such as Internet radio and Bluetooth devices to cars, Rad warns that they are also multiplying the ways hackers could interfere with a vehicle’s operation.
Automakers got a jolt in 2010 when researchers at the University of Washington and the University of California at San Diego showed that they had successfully taken control of a car, manipulated its locks, and shut off its brakes with a script that ran on a computer plugged into the vehicle. They even orchestrated a “self-destruct demo” in which a 60-second countdown flashed on the car’s dash before its engine went dead. A year later, the same researchers announced that they’d hacked a car through its wireless interfaces. One way they accessed the car’s systems was by getting its CD player to play a tune encoded with an exploit.
“That has Hollywood action movie written all over it,” says Stefan Savage, a UCSD computer science professor involved in the effort. “But the attacks weren’t hypothetical.”
Some carmakers reacted by hiring more security experts. For instance, General Motors’ OnStar division, whose devices connect drivers to roadside assistance, increased its security budget about tenfold in the past year, according to chief information security officer Eric Gassenfeit, adding nine new staffers to what had been a one-man security team.
At least one large antivirus company, Intel’s McAfee, has also started eyeing the automobile sector, in particular hybrid vehicles. “The combination of technology deployed in these cars offers a unique attack surface,” says Ryan Permeh, a principal security architect at the company.
Car computer security is now turning into a bona fide discipline. Rad herself was recently hired as an embedded-systems engineer at the nonprofit research group Battelle, where she is part of a new six-person team that will begin testing cars at an automobile laboratory in Aberdeen, Maryland, this year. Rad’s team will be assessing known security flaws, looking to see how common they are across different car models, and evaluating whether auto thieves could exploit them.
“If it’s a known vulnerability, it needs to be addressed,” she says. Her own research includes helping to demonstrate last year that systems controlling prison-cell gates can be hacked remotely. Similarly, researchers have already shown how to manipulate a car’s brakes and produce false dashboard readings. Rad’s group will be looking for new flaws as well.
The way manufacturers build cars may make it difficult for them to identify security vulnerabilities on their own, researchers say. Modern cars are put together with electronic parts from numerous third parties, which makes it hard to weed out hardware glitches.
Researchers say it’s not clear whether carmakers will avoid the pitfalls encountered by other high-tech manufacturers, who have often created security holes by adding new features and leaving security as an afterthought. “The answer is to develop a sound security architecture instead of making the old mistakes of trying to ‘bolt on’ security widgets,” says Battelle senior research director Karl Heimer, who leads research on automobile cybersecurity.