Can Somebody Steal Your Car By Calling It On The Phone?

by Dan Wallach

A team of researchers at UC San Diego and the University of Washington, Seattle, has just published a paper titled “Comprehensive Experimental Analyses of Automotive Attack Surfaces”. Behind that dry title is a very exciting research study. In essence, they bought a modern, reasonably priced car with lots of fancy features, including a built-in cellular phone interface, and did a serious reverse-engineering exercise to determine whether it had any security vulnerabilities. It’s the most comprehensive study of its kind.

Curiously, you can read their paper all the way through and not see any name of the particular car they studied; they argue these issues apply everywhere. This seems unnecessarily conservative. Besides, if you read their previous paper and look at the photos, any car nut will be able to identify the car without any trouble. Let’s play along anyway; we’ll just say it’s a Generic Motors product.

You see, Generic Motors (and I agree that this is about far more than any one car company) thought it would be really cool to have a telematics system that could do a variety of clever things, like automatically connect an operator to your car when the airbags deploy to ask you whether you’re in need of medical assistance. The way a security person looks at that, though, is that there’s a communications path from the inside of the car out to a data center somewhere and back in again. If the attacker can interpose on that, there’s just no end of mayhem that could be accomplished.

Earlier press reports on this research focused on how they found an attack against the car through the CD player. A carefully constructed CD-ROM, using a malicious compressed music file that would play without issue on your regular PC, could exploit a buffer overflow vulnerability and then control the CD player. Meanwhile, in modern cars, everything’s actually networked together. Consequently, from the compromised CD player, the attacker can take over everything else in the car with the greatest of ease: engine control, door locks, you name it.

Still, that attack is for chumps. How’s a car thief supposed to realistically get a malicious CD into your CD player? Do you valet park your car? No, the really exciting attack, and by exciting I mean “expensive factory recall” exciting, focuses on that built-in cellular phone interface. You see, that means that every Generic Motors car has a phone number and it turns out you can call it. Generic Motors got the security all wrong, and an attacker can thus take over your car without being anywhere physically near it.

What could this evil attacker do? Track you, actuate your brakes, listen in to your conversations, etc. This is normally the stuff that only dystopian science fiction authors dream about. If you want to get seriously dystopian, though, you have to read the paper’s own speculation (page 13). The authors imagine a world where a criminal agency tracks all of the Generic Motors cars in the city. When a garden-variety criminal has a hankering for a particular car, he phones up the agency and asks where such a car might be and what its owners’ habits are. For a suitable fee, the agency directs the criminal to the car, helpfully unlocks the doors, and starts the engine. That’s service with a smile! Similarly, think how much fun the paparazzi could have using similar techniques to eavesdrop on the Hollywood starlet du jour.

Is this just a problem for Generic Motors? Far from it. Virtually any modern car can connect to your phone via Bluetooth and increasingly many cars come with built-in phones. To pick one example, the new Audi A7 uses this to great effect with Google Maps for navigation. To pick another example, Tesla has said that the forthcoming Model S will allow third parties to develop “apps” for their car. What could possibly go wrong with that?

Are our automotive companies and their suppliers responding appropriately? Maybe. I’ve spoken to a number of security people, both in the U.S. and Europe, who consult with these companies. The companies prefer to keep their security concerns under wraps. Suffice to say “they’re working on it.”

[Disclosure: I was the “shepherd” for this paper, meaning that the USENIX Security conference program committee asked me to help the authors of the paper make the changes that the committee requested. I’m not a co-author of the paper and I have not personally participated in any automotive security analyses, unless you count the time, in high school, that we discovered that my Nissan key worked perfectly in a friend’s Mazda. Zoom zoom.]

2 of 27 comments
  • V-Strom rider on Aug 11, 2011

    Back in the 70's there were only 24 unique keys for the Honda 750 (the gun sportsbike of its day). A friend of mine had one, but I declined his offer of free use of his spare key so I could "acquire" one of my own.

  • Avalon RF on Sep 06, 2013

    Wireless mobile phone connectivity is a better option, but it can be harmful for us, because if your mobile is stolen then your car is in danger. Nowadays many cars have so many security options, and these will keep increasing for a more secure future for us and our cars.
