University Study Demonstrates That ’05 And Newer Cars Can Be Remotely Hacked And Controlled

Computers are everywhere in our daily lives: at the grocery check-out, in banks, and in the laptops and smartphones that keep people connected. All of the operating systems running these network-capable devices have one thing in common: security. One area I neglected to add to the above list is the automobile. Cars have computers to control everything from the radio to the brakes…and in 2005 the US government made sure that every car sold in the US was equipped with something called OBD-II, or On-Board Diagnostics. This is the port (usually under the dash) that a mechanic uses to diagnose problems; it allows access to every computer that is on board and connected to the car.

The Study

The University of Washington conducted a study in 2010 on these on-board computer networks to determine how hackable such a system is. And guess what: the systems are easily controlled remotely via a laptop, or even the internet if the car is Bluetooth-enabled or has something similar to GM's OnStar. The computers in cars today look more like a business's computer network than ever…minus the security protocols. The system, a network called CAN (Controller Area Network), operates in much the same way that any other network does, with one component relying on information coming from another. This is the network that the study was working to hack.

And Hack They Did

From my experiences in hacking secured networks, I thought the study would describe a lot of failed attempts, with a couple of actual successes…boy, was I wrong. The study team made hacking the 2 different cars' systems look like the Pwn2Own competition when Safari was broken in 5 seconds. But to be fair, the study did use a laptop connected through the OBD-II port, which they controlled from another laptop in a pace vehicle that was being used for safety during the road test. They verified that they could remotely control the braking system completely, the dash and related panels, accelerator, and engine RPM, and could shut off the motor, all while the vehicle was in motion. They only drove 40 mph on the test track, for safety, and they had a lot more control of the vehicle than I have time to list here.

The Implications

This essentially means that any vehicle that has any kind of telematics system (OnStar, Bluetooth, broadband, wireless tire pressure systems, etc.) can be a target of anyone with murderous or harmful intent. Click on the pics to see some of the results of the study (note how the braking system has no manual override in table 4); for the entire report, click here. And there's virtually nothing that can be done about it yet. According to the study, the main reason for this is economics. Aftermarket add-ons, improvements, and repairs are certainly part of the issue, i.e. GPS systems, stereo and entertainment systems that are remotely controlled or network connected, etc. For now, we'll just have to make our voices heard on this issue…too.