Auto makers have long downplayed the threat of hacker attacks on their cars and trucks, arguing that their vehicles’ increasingly-networked systems are protected from rogue wireless intrusion. Now two researchers plan to show that a few minutes alone with a car and a tiny, cheap device can give digital saboteurs all the wireless control they need.
How To: Buy a Pokemon Go Plus
At the Black Hat Asia security conference in Singapore next month, Spanish security researchers Javier Vazquez-Vidal and Alberto Garcia Illera plan to present a small gadget they built for less than $20 that can be physically connected to a car’s internal network to inject malicious commands affecting everything from its windows and headlights to its steering and brakes. Their tool, which is about three-quarters the size of an iPhone, attaches via four wires to the Controller Area Network or CAN bus of a vehicle, drawing power from the car’s electrical system and waiting to relay wireless commands sent remotely from an attacker’s computer. They call their creation the CAN Hacking Tool, or CHT.
“It can take five minutes or less to hook it up and then walk away,” says Vazquez Vidal, who works as a automobile IT security consultant in Germany. “We could wait one minute or one year, and then trigger it to do whatever we have programmed it to do.”
Just what commands the researchers can remotely inject with the CHT, Vazquez Vidal says, depends on the model of car. They tested four different vehicles, whose specific make and model they declined to name, and their tricks ranged from mere mischief like switching off headlights, setting off alarms, and rolling windows up and down to accessing anti-lock brake or emergency brake systems that could potentially cause a sudden stop in traffic. In some cases, the attacks required gaining under-the-hood access or opening the car’s trunk, while in other instances, they say they could simply crawl under the car to plant the device.
For now, the tool communicates via only Bluetooth, limiting the range of any wireless attack to a few feet. But by the time the two researchers present their research in Singapore, they say they’ll upgrade it to use a GSM cellular radio instead that would make it possible to control the device from miles away.
All the ingredients of their tool are off-the-shelf components, adds Vazquez Vidal, so that even if the device is discovered it wouldn’t necessarily provide clues as to who planted it. “It’s totally untraceable,” he says.
The Spanish researchers’ work adds to a growing focus in the security industry on the vulnerability of networked automobiles to hackers’ attacks. Before the Defcon hacker conference last July, researchers Charlie Miller and Chris Valasek put me behind the wheel of a Ford Explorer and a Toyota Prius and then showed that they could plug their laptops into a dashboard port of vehicles to perform nasty tricks like slamming on the Prius’ brakes, jerking its steering wheel and even disabling the brakes of the Explorer at low speeds.
That work helped to spur Senator Edward Markey to send a seven-page letter to 20 automakers asking that they detail their security practices. Though the automakers’ answers were due on January 3rd, Markey’s office hasn’t yet released the results of their responses.
Toyota both brushed off Miller and Valasek’s work by pointing to the fact that their hack required physical access to the vehicle. “Our focus, and that of the entire auto industry, is to prevent hacking from a remote wireless device outside of the vehicle,” Toyota safety manager John Hanson told me at the time.
But Miller and Valasek counter that others had already shown that the initial wireless penetration of a car’s network is indeed possible. In 2011, a team of researchers at the University of Washington and the University of California at San Diego wirelessly penetrated a car’s internals via cellular networks, Bluetooth connections, and even a malicious audio file on a CD in its stereo system.
Vazquez Vidal’s and Garcia Illera’s CHT device adds yet another way to cross that wireless divide, and one that’s likely far cheaper. But like prior researchers, they say their intention is to show that digital car attacks are possible, not to enable them. Though they’ll detail the physical construction of their tool, they say they don’t plan to release the code used to inject commands into their test vehicles’ networks. “The goal isn’t to release our hacking tool to the public and say ‘take this and start hacking cars,’” says Vazquez Vidal. “We want to reach the manufacturers and show them what can be done.”
Like Miller and Valasek, they argue that car makers need to look beyond the initial wireless penetration of a car’s network to consider adding security between a vehicle’s systems, limiting a rogue device’s ability to wreak havoc.
“A car is a mini network,” says Garcia Illera. “And right now there’s no security implemented.”
Follow me on Twitter, email me, anonymously send me sensitive documents or tips, and check out my book, This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers.
How To: Buy a Pokemon Go Plus