Tiffany Rad got interested in hacking cars because she wanted to drive her Land Rover off-road on rugged terrain without worrying about setting off the air bags. Her efforts to disable them sparked a series of garage experiments to reprogram her car in unusual ways. One idea: “creating a switch you could flip, so the car would perform differently when off-road and on-road.”
Teaming with a computer hardware engineer, Rad, a security expert who holds a law degree, created OpenOtto, software designed to run on a smart phone, plug into a car’s diagnostic port, and interface with a vehicle’s computer system. The set-up could scoop up information on, say, how the car’s tire suspension or drivetrain is working, or scan car software for security vulnerabilities. The project’s goal: “to provide complete free and open access to the networked electronic devices in an automobile.”
Rad’s open-source experiment, still in development, reflects how easily automobiles can be controlled and tweaked by tinkerers and malicious attackers alike. Now, as manufacturers add growing amounts of electronic gadgetry such as Internet radio and Bluetooth devices to cars, Rad warns that they are also multiplying the ways hackers could interfere with a vehicle’s operation.
Automakers got a jolt in 2010 when researchers at the University of Washington and the University of California at San Diego showed that they had successfully taken control of a car, manipulated its locks, and shut off its brakes with a script that ran on a computer plugged into the vehicle. They even orchestrated a “self-destruct demo” in which a 60-second countdown flashed on the car’s dash before its engine went dead. A year later, the same researchers announced that they’d hacked a car through its wireless interfaces. One way they accessed the car’s systems was by getting its CD player to play a tune encoded with an exploit.
“That has Hollywood action movie written all over it,” says Stefan Savage, a UCSD computer science professor involved in the effort. “But the attacks weren’t hypothetical.”
Some carmakers reacted by hiring more security experts. For instance, General Motors’ OnStar division, whose devices connect drivers to roadside assistance, increased its security budget about tenfold in the past year, according to chief information security officer Eric Gassenfeit, adding nine new staffers to what had been a one-man security team.
At least one large antivirus company, Intel’s McAfee, has also started eyeing the automobile sector, in particular hybrid vehicles. “The combination of technology deployed in these cars offers a unique attack surface,” says Ryan Permeh, a principal security architect at the company.
Car computer security is now turning into a bona fide discipline. Rad herself was recently hired as an embedded-systems engineer at the nonprofit research group Battelle, where she is part of a new six-person team that will begin testing cars at an automobile laboratory in Aberdeen, Maryland, this year. Rad’s team will be assessing known security flaws, looking to see how common they are across different car models, and evaluating whether auto thieves could exploit them.
“If it’s a known vulnerability, it needs to be addressed,” she says. Her own research includes helping to demonstrate last year that systems controlling prison-cell gates can be hacked remotely. Similarly, researchers have already shown how to manipulate a car’s brakes and produce false dashboard readings. Rad’s group will be looking for new flaws as well.
The way manufacturers build cars may make it difficult for them to identify security vulnerabilities on their own, researchers say. Modern cars are put together with electronic parts from numerous third parties, which makes it hard to weed out hardware glitches.
Researchers say it’s not clear whether carmakers will avoid the pitfalls encountered by other high-tech manufacturers, who have often created security holes by adding new features and leaving security as an afterthought. “The answer is to develop a sound security architecture instead of making the old mistakes of trying to ‘bolt on’ security widgets,” says Battelle senior research director Karl Heimer, who leads research on automobile cybersecurity.