Skip to Content

Black Hat: Car Security Is Likely to Worsen, Researchers Say

In-car applications and wireless connectivity are a boon to hackers who take aim at cars.
August 8, 2014

As more cars come with wireless connectivity and in-car apps, more of them will be vulnerable to potentially dangerous hacking, two well-known researchers warned at the Black Hat security conference in Las Vegas on Wednesday.

In a study of nearly 20 different vehicles, Charlie Miller, a security engineer with Twitter, and Chris Valasek, director of vehicle security research with security services firm ioActive, concluded that most control systems were not designed with security in mind and could be compromised remotely. The pair created cybersecurity ratings for the vehicles, which will be published in a paper later this week.

“When you are looking to buy a car, you can pick up a magazine and it will tell you, ‘Here are the safety features of this car,’” Valasek said. “Why can’t we, as the security industry, start making reports that say, ‘These cars have good cybersecurity and these cars don’t have good cybersecurity’?”

As the automotive industry has added more digital control systems and embedded computers, vehicles have become easier to hack. In 2011, researchers from the University of Washington and the University of California San Diego analyzed  a midpriced sedan, discovering that it could be compromised via either a disk inserted in its CD player, the diagnostic equipment used by mechanics, or a cellular connection.

Since then, other research groups have studied car security and demonstrated ways to take control of brakes, acceleration, and other functions. High-end vehicles often have computerized control of the brakes and acceleration, for collision prevention and intelligence cruise control, and automated steering to allow self-parking and the ability to remain centered in a lane.

Attacks on automotive control systems involve three steps, according to Valasek and Miller. An attacker must first find a way to exploit a vehicle system, then use that vulnerability to send a command to the electronic control unit (ECU), and finally get the ECU to execute the command.

Because of the proliferation of wireless access in vehicles, especially Bluetooth and cellular connectivity, remote execution is increasingly possible. The feasibility of sending commands to the electronic control units that manage different vehicle functions depends on the design of the car.

Car companies need to design their systems to detect exploitation attempts and prevent security from being compromised, Miller said: “You want to make each of these three steps harder for the attacker.”

But with car manufacturers competing on features, the addition of in-car applications from navigation to streaming music could leave more vehicles vulnerable, Miller added. “In-car apps and desktop-like features pose huge upcoming threats,” he said.

Designing security into vehicles is especially important because applying software patches is problematic. Updating the software in a car means bringing the vehicle to a dealer for service, a step that most owners will not take.

“When you get [recall] notices in mail, you ignore them,” Valasek said. “It is going to be really hard, if a real live exploit comes out, to patch the problem.”

Keep Reading

Most Popular

surgery
surgery

A gene-edited pig’s heart has been transplanted into a human for the first time

The procedure is a one-off, and highly experimental, but the technique could help reduce transplant waiting lists in the future.

conceptual illustration showing various women's faces being scanned
conceptual illustration showing various women's faces being scanned

A horrifying new AI app swaps women into porn videos with a click

Deepfake researchers have long feared the day this would arrive.

2021 tech fails concept
2021 tech fails concept

The worst technology of 2021

Face filters, billionaires in space, and home-buying algorithms that overpay all made our annual list of technology gone wrong.

Woman using Virtual Reality headset at night
Woman using Virtual Reality headset at night

The metaverse has a groping problem already

A woman was sexually harassed on Meta’s VR social media platform. She’s not the first—and won’t be the last.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.