Got An IPod? Want To Steal Some Cars?

by Jack Baruth

…We also found that the entire attack can be implemented in a completely blind fashion—without any capacity to listen to the car’s responses. Demonstrating this, we encoded an audio file with the modulated post-authentication exploit payload and loaded that file onto an iPod. By manually dialing our car on an office phone and then playing this “song” into the phone’s microphone, we are able to achieve the same results and compromise the car.

This tidbit, found on page 11 of “Comprehensive Experimental Analyses of Automotive Attack Surfaces” by researchers from the University of California (San Diego) and the University of Washington, says exactly what you think it says: it’s becoming easy for intelligent, dedicated criminals to steal your car — or, worse yet, to control certain functions of the car remotely while you’re driving it.

The complete article details the team’s attempts to find vulnerabilities in an unnamed, “100,000 to 200,000 units per year” sedan. Here’s another super-fun discovery by the team. I’ve bolded the horrifying part for our readers who don’t like long quotes.

For the former, we experimentally verified this by compromising two cars (located over 1,000 miles apart), having them both join the IRC channel, and then both simultaneously respond to a single command (for safety, the command we sent simply made the audio systems on both cars chime). Finally, the high-bandwidth nature (up to 1 Mbps at times) of this channel makes it easy to exfiltrate data. (No special software is needed since ftp is provided on the host platform.) To make this concrete we modified our attack code for two demonstrations: one that periodically “tweets” the GPS location of our vehicle and another that records cabin audio conversations and sends the recorded data to our servers over the Internet.

The entire article is worth reading, even if talk of “stack overflows” won’t exactly rivet those of you who didn’t grow up writing “sploits”. It details one exploit in which the team remotely unlocked a car and started it up so an “unskilled accomplice” could drive it away. Another scenario: by compromising a group of cars in the Google parking lot, decoding the VINs to determine which ones were expensive, and correlating the location of the car at 7pm to known property records, it would be possible to sell Google executive conversations to third parties. Gosh, I can’t think of anyone who would pay money to hear what the Google CEO is talking about in private.

The team goes on to state how the exploits they discovered can be easily disabled in the future by adding encryption, reducing unnecessary “easter eggs” in embedded vehicle code, and more thorough debugging. What they do not explicitly state is that anyone familiar with how the car business works will be rolling on the proverbial floor laughing at the idea of automakers taking due care with their on-board electronics.

Not frightened by the idea of losing your car to hackers in Romania? Unconcerned that someone might be able to remotely throw random inputs into the adaptive steering in your wife’s BMW while simultaneously cranking the stereo to 110 dB, permanently locking the doors, and turning off the headlights? Just think of what will happen when self-driving cars become the norm.


Comments
2 of 17 comments
  • Daveainchina on Jan 15, 2012

    The heck with car thieves, what about either some teenager doing the "I wonder if I could....." or worse, a terrorist deciding to suddenly attack all the cars in all the major cities with, say, loud stereo, reverse the input of the steering wheel and full acceleration. How many accidents do you think would happen within 3 minutes? How many dead, or in the hospital? Lastly, who'd feel safe going to work in their car again? Everyone would be trying to buy 1970s Pintos etc. That would truly be a catastrophe on a scale that I don't think we're ready to deal with.

  • CPTG on Jan 17, 2012

    You can't be scared of something if it is inevitable to happen. Remember the car thief that stole the victim's Caddy? It had an ONSTAR in it. Victim called ONSTAR, who GPS'd its location and notified the Police. When the Police ID'd the vehicle, ONSTAR asked the Police if they wanted ONSTAR to disable the vehicle and they did (cut off the fuel supply). I'm not worried about the future of NETWORKED Cars. It just means you'll have to install a firewall and security software to prevent intruders. Or do what I plan to do... buy an Apple iCAR. See, no more security worries because it is a totally closed system.
