Skip to Content

Hacking Cars to Keep Them Safe

Researchers are challenging the auto industry to rethink security.
January 30, 2012

Tiffany Rad got interested in hacking cars because she wanted to drive her Land Rover off-road on rugged terrain without worrying about setting off the air bags. Her efforts to disable them sparked a series of garage experiments to reprogram her car in unusual ways. One idea: “creating a switch you could flip, so the car would perform differently when off-road and on-road.”

Car hacker: Tiffany Rad, an embedded-systems engineer at the nonprofit research group Battelle, will be studying security flaws in car systems and whether hackers could exploit them.

Teaming with a computer hardware engineer, Rad, a security expert who holds a law degree, created OpenOtto, software designed to run on a smart phone, plug into a car’s diagnostic port, and interface with a vehicle’s computer system. The set-up could scoop up information on, say, how the car’s tire suspension or drivetrain is working, or scan car software for security vulnerabilities. The project’s goal: “to provide complete free and open access to the networked electronic devices in an automobile.”

Rad’s open-source experiment, still in development, reflects how easily automobiles can be controlled and tweaked by tinkerers and malicious attackers alike. Now, as manufacturers add growing amounts of electronic gadgetry such as Internet radio and Bluetooth devices to cars, Rad warns that they are also multiplying the ways hackers could interfere with a vehicle’s operation.

Automakers got a jolt in 2010 when researchers at the University of Washington and the University of California at San Diego showed that they had successfully taken control of a car, manipulated its locks, and shut off its brakes with a script that ran on a computer plugged into the vehicle. They even orchestrated a “self-destruct demo” in which a 60-second countdown flashed on the car’s dash before its engine went dead. A year later, the same researchers announced that they’d hacked a car through its wireless interfaces. One way they accessed the car’s systems was by getting its CD player to play a tune encoded with an exploit.

“That has Hollywood action movie written all over it,” says Stefan Savage, a UCSD computer science professor involved in the effort. “But the attacks weren’t hypothetical.”

Some carmakers reacted by hiring more security experts. For instance, General Motors’ OnStar division, whose devices connect drivers to roadside assistance, increased its security budget about tenfold in the past year, according to chief information security officer Eric Gassenfeit, adding nine new staffers to what had been a one-man security team.

At least one large antivirus company, Intel’s McAfee, has also started eyeing the automobile sector, in particular hybrid vehicles. “The combination of technology deployed in these cars offers a unique attack surface,” says Ryan Permeh, a principal security architect at the company.

Car computer security is now turning into a bona fide discipline. Rad herself was recently hired as an embedded-systems engineer at the nonprofit research group Battelle, where she is part of a new six-person team that will begin testing cars at an automobile laboratory in Aberdeen, Maryland, this year. Rad’s team will be assessing known security flaws, looking to see how common they are across different car models, and evaluating whether auto thieves could exploit them.

“If it’s a known vulnerability, it needs to be addressed,” she says. Her own research includes helping to demonstrate last year that systems controlling prison-cell gates can be hacked remotely. Similarly, researchers have already shown how to manipulate a car’s brakes and produce false dashboard readings. Rad’s group will be looking for new flaws as well.

The way manufacturers build cars may make it difficult for them to identify security vulnerabilities on their own, researchers say. Modern cars are put together with electronic parts from numerous third parties, which makes it hard to weed out hardware glitches.

Researchers say it’s not clear whether carmakers will avoid the pitfalls encountered by other high-tech manufacturers, who have often created security holes by adding new features and leaving security as an afterthought. “The answer is to develop a sound security architecture instead of making the old mistakes of trying to ‘bolt on’ security widgets,” says Battelle senior research director Karl Heimer, who leads research on automobile cybersecurity.  

Keep Reading

Most Popular

It’s time to retire the term “user”

The proliferation of AI means we need a new word.

The problem with plug-in hybrids? Their drivers.

Plug-in hybrids are often sold as a transition to EVs, but new data from Europe shows we’re still underestimating the emissions they produce.

Sam Altman says helpful agents are poised to become AI’s killer function

Open AI’s CEO says we won’t need new hardware or lots more training data to get there.

An AI startup made a hyperrealistic deepfake of me that’s so good it’s scary

Synthesia's new technology is impressive but raises big questions about a world where we increasingly can’t tell what’s real.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.