Skip to main content

How to hack into a car and why the industry is nervous about it

Computer security experts have shown how easy it is to hack into a car's electronics and control brakes, steering, and more. Even remotely. It has got the auto industry on edge and SAE is taking steps to form new security standards for automotive electronics.

A lot of research has gone into protecting online bank accounts, cell phones, home computers, and more. Almost none has gone into automotive electronics, even in today's emerging age of the connected car. Researchers at the University of California, San Diego succeeded in infiltrating automotive computer systems that are standard in every new car, truck, and minivan. Their research was backed by similar hacks done by a researcher at the University of Washington.

They showed that not only could they break into the electronics of today's vehicles easily, but they could do it remotely. They weren't just gaining access to controls for the radio or the headlights either. They were able to activate brakes, turn off engines, lock and unlock doors, and more. All potentially serious safety hazards should they be used nefariously.

Early research by the scientists required physical access to the car and its computer diagnostic port, so it was not concerning. Their latest study, presented in August 2011, however, showed how they were able to remotely gain access through common Bluetooth, telematics cell connections (such as GM's OnStar system), and the computers used by mechanics during diagnostics. All three of these did not require the hacker to have physical access to the car and two of them could be done at any time.

In response to the research and the gasps of concern from automakers, SAE International has formed a committee to draft new standards for security measures in automotive electronic systems. SAE, North America's largest automotive trade group and industry guideline provider, says that the committee formed in March of 2011 and will likely have draft recommendations for the SAE's annual meeting this year.

For its part, the U.S. Department of Transportation says that they're working on revising their own testing procedures for automotive electronics and will likely have new regulations for them in coming years.

Both General Motors and Ford have said that they are internally implementing security precautions in their vehicle's systems, but have cited security concerns when asked to elaborate on what those precautions are.

The worries the automotive industry is seeing with its more connected vehicles and their electronic vulnerabilities are similar to what has happened before, multiple times, in many electronics markets. Mobile phones, when first introduced, had almost no security and those with the know-how could easily tap into a phone remotely and listen to conversations or download contact lists. Today, encryption and hack proofing are standard. The same happened when the Internet was publicly introduced, when mobile banking entered the scene, and more.

Earlier research in Japan and by automakers themselves showed exploits that could be used to gain access to vehicles and even start them without a key using keyless entry systems and other now-common devices. Security designers quickly responded with better standards and new technologies.

Will cars ever be totally secure? Probably not. As with other electronics, the innovation and upgrades usually happen faster than security measures can keep pace, so vulnerabilities will always exist. Add to that the ingenuity of people who are intent on breaking those systems and nothing can be considered 100% secure. Still, standards will help minimize risks and keep all but the most concerted attacks from being successful.

Comments

Anonymous (not verified)    January 13, 2012 - 12:15PM

re: the innovation and upgrades usually happen faster than security measures can keep pace.
This is pure editorializing, and it's also untrue. Security does not HAVE to be an afterthought. It is frequently and should always concurrently engineered as part of the design spec for systems where safety ought to be a concern.

Furthermore, autos are not mobile phones. Mobile phones do not fly down the freeway like a giant missile at 80 MPH on their own. Autos should have the strictest safety and security requirements that can be devised, given the fact that they are always a lethal weapon at any speed, and because there are so many of them. They are no different, in terms of lethality, than putting a gun or even an RPG (Rocket Propelled Grenade) into the hands of each and every driver. Given the ability to surruptiously take over electronics, this represents the greatest possibility for a mass terrorist attack in human history. If even a mere 0.01% of cars on the roadway were to be taken over all at once, the casualties could easily number into the 1000s or higher. This sounds like the greatest opportunity for Al Qaeda or similar group to pull off something 100 times bigger than the 9/11 attacks.

Gerrit (not verified)    January 13, 2012 - 4:04PM

In reply to by Anonymous (not verified)

Talk about editorializing, " this represents the greatest possibility for a mass terrorist attack in human history." This is a common misunderstanding seen in Hollywood movies where just because something is electronic it is assumed it is in constant communication and able to be completely controlled and manipulated by some evil doer. We are no more at risk of this than of Al Qaeda taking control of everyones microwave and burning up all our food so we starve to death.

Also, like most issues, this is more complex then you might think. Just like consumers would like the ability to Buy and use an iPhone with T-mobile some auto owners would like to not be completely held hostage by the auto manufacturer anytime they need work done on their car. This necessitates open standards and carefully thought out standards that make things like aftermarket scan tools and even cool accessories possible while not putting the owner at risk. There is more gray area there than you might think.

Anonymous (not verified)    January 13, 2012 - 6:13PM

In reply to by Anonymous (not verified)

1- THE the 9/11 attacks. WAS AN INSIDE JOB, WE ARE NOT STUPID- THE FASCIST GEORGE BUSH "GOVERMENT" OR SHOULD I SAID THE WHITE COLLAR CARTEL, INCLUDING THE "OFENSE" INDUSTRY, THE ESTABLISHMENT, THE WALL STREET COCOONS.
2-THE CARS HAVE SUCH A DESING BECAUSE THE GOVERMENT WANTS TO CONTROL EVERYTHING TO AUTOMATIZE THE TRAFFIC OR TO CONTROL THEIR SPEED LIMITS, BUT YES AS ALLWAYS YOU WILL HAVE CROOCKS, USUALLY THEY ARE IN THE CORPORATIONS ADMINISTRATION, ALWAYS LOOK FOR THE WHITE COLLAR CROOCKS THEY ARE THE MOB.

Aaron Turpen    January 13, 2012 - 10:38PM

In reply to by Anonymous (not verified)

I highly doubt alCIAda or any other terror group is going to go after cars on a mass scale. There are far better ways to carry out acts of terrorism. You can't take over a car and steer it to propel it into anything. You can, at best, activate its (anti-lock) braking system, stopping it on a highway, or slow it down/turn off its engine. Yes, if you were fast enough (good luck), you could hack three or four cars and potentially shut down a freeway. Not likely.

Given the security problems at most of our nation's infrastructure points (water, gas, sewer, etc) I'd find it far more likely that someone hoping to carry out a mass terror attack would target something more useful than your family sedan for the purpose.

Besides, given the statistics, you're far more likely to have something fall on your car and kill you than you are to be the victim of a terror attack in the U.S. Assuming you don't consider the IRS a terror organization, haha.