Black Hat: Car Security Is Likely to Worsen, Researchers Say

In-car applications and wireless connectivity are a boon to hackers who take aim at cars.
August 8, 2014

As more cars come with wireless connectivity and in-car apps, more of them will be vulnerable to potentially dangerous hacking, two well-known researchers warned at the Black Hat security conference in Las Vegas on Wednesday.

In a study of nearly 20 different vehicles, Charlie Miller, a security engineer with Twitter, and Chris Valasek, director of vehicle security research with security services firm IOActive, concluded that most control systems were not designed with security in mind and could be compromised remotely. The pair created cybersecurity ratings for the vehicles, which will be published in a paper later this week.

“When you are looking to buy a car, you can pick up a magazine and it will tell you, ‘Here are the safety features of this car,’” Valasek said. “Why can’t we, as the security industry, start making reports that say, ‘These cars have good cybersecurity and these cars don’t have good cybersecurity’?”

As the automotive industry has added more digital control systems and embedded computers, vehicles have become easier to hack. In 2011, researchers from the University of Washington and the University of California San Diego analyzed a midpriced sedan, discovering that it could be compromised via either a disk inserted in its CD player, the diagnostic equipment used by mechanics, or a cellular connection.

Since then, other research groups have studied car security and demonstrated ways to take control of brakes, acceleration, and other functions. High-end vehicles often have computerized control of the brakes and acceleration, for collision prevention and intelligent cruise control, as well as automated steering for self-parking and for staying centered in a lane.

Attacks on automotive control systems involve three steps, according to Valasek and Miller. An attacker must first find a way to exploit a vehicle system, then use that vulnerability to send a command to the electronic control unit (ECU), and finally get the ECU to execute the command.

Because of the proliferation of wireless access in vehicles, especially Bluetooth and cellular connectivity, remote execution is increasingly possible. The feasibility of sending commands to the electronic control units that manage different vehicle functions depends on the design of the car.

Car companies need to design their systems to detect exploitation attempts and prevent security from being compromised, Miller said: “You want to make each of these three steps harder for the attacker.”

But with car manufacturers competing on features, the addition of in-car applications from navigation to streaming music could leave more vehicles vulnerable, Miller added. “In-car apps and desktop-like features pose huge upcoming threats,” he said.

Designing security into vehicles is especially important because applying software patches is problematic. Updating the software in a car means bringing the vehicle to a dealer for service, a step that most owners will not take.

“When you get [recall] notices in mail, you ignore them,” Valasek said. “It is going to be really hard, if a real live exploit comes out, to patch the problem.”
