Warung Bebas

Monday, May 17, 2010

Hacking Cars? Not So Fast

In a widely publicized paper, here, a pair of research teams were able to "hack" cars, to demonstrate that modern cars are not sufficiently secure.

Don't worry, you're not in danger, yet.

The key to hacking a car is that the vehicle communications bus, typically a mix of high and low speed CAN bus, is not encrypted.  By connecting to the OBD-II port with the right tools (such as a laptop with a CAN communications interface device), a determined hacker could monkey with key signals.  To do so, he would have to either reverse engineer or obtain from other sources the CAN messaging protocol.  Then, by reading in, modifying, and rebroadcasting key messages, he could indeed do bad things, like shut down the car.  For example, a hacker could broadcast an erroneous vehicle speed on the bus, causing the speedometer to display the wrong speed, and other systems to think the car is moving (or not) at a different speed than it actually is.  

However, the only practical way to do this is to attach a foreign device to the cars CAN bus.  So your car would have to be physically compromised, either by having the wiring modified, or by having some sort of dongle installed on the OBD-II port.  The ECUs that form the vehicle CAN network are not typically easy to reflash with unauthorized firmware, so "hijacking" an ECU or installing a car virus is not really feasible.  The ECUs I have worked with all have memory checksum functions, and VIN compare software, to verify that the ECU has valid software and is in the correct vehicle.  According to the research paper, the team was able to compromise a telematics module and run malicious code on it.

The paper does point out some holes in vehicle bus security, and there are some things which can be done in the shorter term to mitigate such a threat.  ECUs should have robust challenge/response sequences before accepting diagnostic and test commands, for example.  They should also have robust checks against invalid software, so that it is difficult or impossible for a hacker to flash a module with homegrown software.  

0 comments em “Hacking Cars? Not So Fast”

Post a Comment

 

The Auto Prophet Copyright © 2012 Fast Loading -- Powered by Blogger