Self-pwning cars: the future of automotive rooting

Security researchers at UCSD and UWash have been looking at advanced ways of making mischief with computerized automotive systems, from messing with Bluetooth to inserting malware into the diagnostic tools. The most baroque and interesting attack they've demonstrated, though, uses a malformed MP3 that exploits a bug in the sound system (I'm assuming some sort of buffer overflow). Once they're in, the researchers have been able to control the car's locks, speedometer, brakes and engine.
They found lots of ways to break in. In fact, attacks over Bluetooth, the cellular network, malicious music files and via the diagnostic tools used in dealerships were all possible, if difficult to pull off, Savage said. "The easiest way remains what we did in our first paper: Plug into the car and do it," he said.

But the research shows how completely new types of automotive attacks could be on the horizon. For example, thieves could instruct cars to unlock their doors and report their GPS coordinates and Vehicle Identification Numbers to a central server. "An enterprising thief might stop stealing cars himself, and instead sell his capabilities as a service to other thieves," Savage said. A thief looking for certain kinds of cars in a given area could ask to have them identified and unlocked, he said.

With hacking, music can take control of your car (via MeFi)

(Image: Even technology needs it, a Creative Commons Attribution Share-Alike (2.0) image from pnglife's photostream)


  1. Well, well. Looks like we might want to keep the entertainment devices and the safety/security-critical devices on separate CAN busses…
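The separation the comment above argues for is usually enforced by a gateway ECU that sits between the two segments and only forwards an allowlist of message IDs. The following is an added example, not code from the original post or from the UCSD/UWash research: a small Python model of such a gateway that forwards infotainment frames to the body/powertrain segment only if the identifier is on the allowlist, the payload length matches what that message is defined to carry, and the frame rate stays under a cap. The bus names, the message IDs, the expected lengths and the sample frames are all constructed for illustration and correspond to no real vehicle.

```python
"""Allowlist gateway between an infotainment CAN segment and a body/powertrain
CAN segment (added example; constructed IDs and policy, hypothetical)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int  # 11-bit standard CAN identifier
    data: bytes          # classic CAN payload, 0..8 bytes


# Policy table: message IDs the gateway will pass from the infotainment side
# to the body/powertrain side, with the payload length each is defined to use.
# Anything not listed (door-lock commands, speed, brake messages...) is dropped.
# The IDs are constructed for this example, not taken from any vehicle.
FORWARD_INFOTAINMENT_TO_BODY = {
    0x3A0: 2,  # hypothetical "audio volume" status broadcast
    0x3A1: 8,  # hypothetical "clock / trip display" update
}

MAX_FRAMES_PER_WINDOW = 50  # crude per-ID rate cap for one forwarding window


class Gateway:
    def __init__(self, policy=FORWARD_INFOTAINMENT_TO_BODY,
                 max_rate=MAX_FRAMES_PER_WINDOW):
        self.policy = dict(policy)
        self.max_rate = max_rate
        self.counts = {}    # frames seen per ID in the current window
        self.dropped = []   # (frame, reason) pairs, for logging/detection

    def _check(self, frame):
        """Return None if the frame may be forwarded, else a drop reason."""
        if not 0 <= frame.arbitration_id <= 0x7FF:
            return "invalid identifier"
        if len(frame.data) > 8:
            return "payload longer than a classic CAN frame"
        expected = self.policy.get(frame.arbitration_id)
        if expected is None:
            return "identifier not in allowlist"
        if len(frame.data) != expected:
            return f"length {len(frame.data)} != expected {expected}"
        n = self.counts.get(frame.arbitration_id, 0) + 1
        self.counts[frame.arbitration_id] = n
        if n > self.max_rate:
            return "rate limit exceeded"
        return None

    def forward(self, frames):
        """Filter a batch of frames from the infotainment side; return the
        ones that may cross to the body/powertrain side."""
        passed = []
        for frame in frames:
            reason = self._check(frame)
            if reason is None:
                passed.append(frame)
            else:
                self.dropped.append((frame, reason))
        return passed


if __name__ == "__main__":
    # Constructed sample traffic: two legitimate status frames, one malformed
    # status frame, one hypothetical door-lock command and one bogus ID.
    sample = [
        CanFrame(0x3A0, b"\x00\x10"),
        CanFrame(0x3A0, b"\x00\x10\xff"),
        CanFrame(0x0B0, b"\x01"),
        CanFrame(0x3A1, bytes(8)),
        CanFrame(0x800, b""),
    ]
    gw = Gateway()
    for f in gw.forward(sample):
        print(f"forwarded 0x{f.arbitration_id:03X} {f.data.hex()}")
    for f, why in gw.dropped:
        print(f"dropped   0x{f.arbitration_id:03X}: {why}")
```

The `dropped` list is the detection hook: in a real gateway, frames rejected for an unlisted ID or a wrong length are exactly the events worth logging, because a compromised head unit has no legitimate reason to emit them.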

  2. I remember when there was:
    A big wire from the alternator to the battery.
    A big wire to the solenoid and then to the starter.
    A smaller wire between the battery and fuse block leading to the lights, radio, wipers, blower, spark ignition system, and directional signals/brakes.
    The radio had wires running to speakers, if you felt fancy you could install a stereo with a tape player or even patch in a CD player with a cassette tape adapter.
    If you were really feeling like hacking you could install a CB radio or stereo amplifier and big speakers.
    Most under hood systems worked off of manifold vacuum or PTO belts.
    Cars were easy to unlock with a shim and you could easily hotwire most ignition systems.

    1. That’s pretty much how my ’88 Citroën CX is – about the only electronic thing in the car is the clock on the dashboard.

      I had a diesel one before that, which I drove back from where I bought it with no functioning electrical system at all – just popped the brass slider out of the stop solenoid and stuck it back in, bump-started and off I went.

      My van has all kinds of CANBus goodies, including the ability to “boot” off a special CD in the CD player while holding down some combination of buttons. This means that it doesn’t have to go back to Mercedes for firmware updates, they can just pop a disc in the post. I’m not *totally* sold on that idea.

      No, I’ll stick to contact breaker ignition and clever hydraulics for the steering, brakes and suspension.

        1. That is the cool thing about old diesels: if it is warm you can sometimes bump start and never need any electricity at all, especially if you have starting fluid. All you need then is carbide headlights. I used to daydream of a totally diesel mechanical 1970 Toyota Land Cruiser, park it on a hill and roll start it, live near a petro well, distill my own fuel.

        1. Yeah. Of course with the Citroën the fun bit is when you bump start one that hasn’t run for a few days, there’s no hydraulic pressure. So, the steering is heavy, there’s an inch of ground clearance and you’ve got no brakes for the first ten seconds! Fortunately the handbrake works on the front wheels and will bring it to a halt at typical “push start” speeds…

  3. As cars get more and more complicated, they get easier and easier to steal. I wouldn’t be surprised if it got to the point where you could instruct a car to drive itself to a chop shop.

  4. I’m curious what sort of communication bus is happening with the car stereo and the master control program.

    Probably some control registers that an I2C bus member can twiddle and thus fark up the whole car.

    One more actual truth to support a paranoid schizophrenic’s conspiracy. Who’s crazy now?

  5. “It wasn’t me- some virus got into my car’s software, then deleted itself to make it look like it was my fault for running over all those people. I’m the victim!”

    “Oh, and we’re all suing the auto manufacturer because they didn’t keep us safe.”

  6. Given how early these results are, and how surprised the automotive sector seems to be, we can probably assume that pretty much every new car on the market is a security disaster.

    What is someone to do who’s looking to buy a new car? I don’t want to sink many thousands into something that turns out to be Win95 for the auto sector.

    About the only thing I can think of is to try to find a car without any Bluetooth, OnStar, cellphone integration of any kind, XM radio, GPS, keyless locks, etc. If the car doesn’t have it, it can’t be the entry point into the Swiss-cheesy internal security domain of the car, just waiting to be discovered…

  7. I think there definitely is something lost in the transition from simple, mechanical and manually operated vehicles to today’s computerized-to-the-hilt vehicles. For one thing, it’s a lot more fun to drive a fully-mechanical everything-manual car.

    But, I can certainly appreciate why everything is being computerized now. You can’t deny the improvements in safety, reliability, and so on. You used to be able to easily fix anything in your car… and you had to, frequently, because the parts weren’t reliable. Now you can drive for tens of thousands of miles with minimal maintenance. You don’t even have to change the oil very much like you used to.

    There’s always something lost in the analog-to-digital or mechanical-to-computerized transition: same for music, photography, etc., even going from manual-wind watches to battery-powered ones and things like that.

    There will always be people who romanticize the old ways, and that’s fine. Most people will instead appreciate the massive increase in convenience of the new stuff. I’m somewhere in between.

    And as for the comment that new cars are easier to steal – despite these clever hacks described here, I really don’t think that’s true. Being mostly mechanical and having really simple electronics means easier to steal, I would think. What this shows us is simply that when one side ups the ante (computerization etc. making things harder to steal), the other side can always match it (computer-based attacks in this case).

    1. You can’t deny the improvements in safety, reliability, and so on.

      Not that I disagree with your overall point, but it seems I can deny this part in one word: TOYOTA.

  8. In 1997 I tried to drive an early-80s car with its (extremely primitive) computer removed through the hills of Thunder Bay, while towing a trailer. It got all anemic on me (damn American automatics) and couldn’t make it without manual carburetor adjustments.

    Now I’ve lost all the kids ;)

    Wish I had the softmod for my 98 Beetle though — that could’ve been fun!

  9. From the article, it sounds like there were 2 different hacks. One involved plugging a laptop into the diagnostic system, and allowed the researchers to “kill the engine, lock the doors, turn off the brakes and falsify speedometer readings.” The other involved hacking into the stereo system with specially crafted audio file, but it’s not clear from the article what this hack actually accomplished. I would hope that no car manufacturer would be stupid enough to link the entertainment system to the systems that control critical functions like braking and engine speed.

    1. Jonah – the first work (with the laptop) demonstrated what can be done by software with access to the internal network of the car.

      The second set of work (with the mp3, bluetooth, cell phone transmissions) demonstrated a number of ways of gaining remote access to the internal network of the car.

      Think of it this way – if a country demonstrates the detonation of a nuclear bomb underground, and separately demonstrates a radar-invisible missile capable of circling half the globe, they don’t need to demonstrate that the power demonstrated in one case applies to the weaponization capabilities demonstrated in another.

      That’s what we have here – a demonstration of power, and a separate demonstration of weaponizability. It’s entirely appropriate that they not write a single bluetooth exploit kit that lets you disable the brakes, accelerate, and veer hard left on certain 2011 Subarus, all from your cellphone.

      1. Think of it this way – if a country demonstrates the detonation of a nuclear bomb underground, and separately demonstrates a radar-invisible missile capable of circling half the globe, they don’t need to demonstrate that the power demonstrated in one case applies to the weaponization capabilities demonstrated in another.

        They kind of do. If the missile has a 500lb payload capacity and the bomb weighs 10 tons, then they have only demonstrated that they can bomb territory they have physical access to.

        Which is pretty much the same problem with the first ‘attack’. You /should/ have access to upload new software on your vehicle, so you can put in new fuel maps, recalibrate the speedometer after you change the final gear ratio, etc.

        The interfaces to do those kinds of things should probably be protected, of course; it would be silly if the valet could pop a machine onto your OBD-II port and mess with your systems.

  10. Showed this to some friends with a note of “Hey, remember back when I said why I don’t like the idea of drive by wire or a bunch of extraneous extras? I’ll be a dickhead and say ‘told you so!’ :) “

  11. So Sammy Hagar’s “I Can’t Drive 55” can be taken literally by one of these fancy new cars? Better yet, this creates interesting possibilities for the next Dethklok album.

  12. I read somewhere that cars unlock themselves when the air bags blow, to aid rescue, and that thieves know how to trick an accelerometer into thinking the car has crashed so they can break in and steal the contents.

    Probably a simple whack with a hammer in the right place would do the trick.

  13. This, and the Toyota thing, are two of my many compelling reasons for sticking with a manual transmission.

    You can pwn the whole thing and tell it to drive me over a cliff, even disengage the brakes, and I can still stop a manual in its tracks. Might wreck the transmission, but in a life or death situation, that’s fine.

  14. So, could the same code tagged onto a digital music file be placed on a bought CD, but “restrained” by a second piece of code? Perhaps in such a way that the first code would be copied in the event of files being ripped from the CD, but not the second “restraint” code?

    The ultimate DRM – “you copy our CD, we take over your car”!
