Car Hacking

A page just on cars.

2010 & 2011  Dr. Tadayoshi Kohno

Dr. Tadayoshi Kohno of the University of Washington reported successfully hacking cars without ever touching them.

2011  Keyless Hack / NDSS 2011

The paper Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars was presented at the Network & Distributed System Security Symposium (NDSS) 2011 in San Diego, California. The paper (15 page PDF) and presentation slides (39 page PDF) make an interesting read.

10/13/2014  Art Anticipating Life?

An article in NetSwitch “reviews” a new action thriller movie plot where a third world hacker takes control of automobiles and demands $1 billion ransom. Given the increasing connectivity, unintended attack surfaces, and vulnerability of modern automobiles, this is only improbable, not impossible.

10/13/2015 Update  Closer to reality

A year later, given the recent rise in ransomware and the automatic updates for in-automobile software, we are closer to the “movie” becoming reality.

2/18/2015  Your car, hacked by a 14 year old

Since 2012 Battelle has sponsored the Battelle CyberAuto Challenge, a five-day practicum-based camp designed to address cybersecurity in automobiles. Participants include students, engineers, scientists, policy leaders and white hat “hackers”. Today they released information about the accomplishments of a 14 year old during the Challenge of 2014. Without any guidance he got about $15 of parts from Radio Shack, stayed up late and built his own circuit board. Next morning, without ever touching the car, his device turned windshield wipers on and off, locked and unlocked doors, engaged the remote start feature and got the headlights to flash on and off to tunes from his phone. Representatives from Delphi and Battelle confirmed the details.

Quite impressive for the kid. Quite unsettling for the car manufacturers. The car doors were unlocked and the remote start feature engaged. Please tell me the kid has been induced not to put the plans on eBay or the DarkNet? If this was from the July 2014 Challenge, why are we hearing about it six months later?

7/21/2015  Hacking your car from … anywhere

Today, two security researchers released a video showing they can hack a Chrysler Jeep’s air conditioning, radio, windshield wipers, steering, transmission or brakes. How? Manufacturers are trying to make your automobile work like a smartphone. An internet connection feature in hundreds of thousands of Chrysler cars, SUVs, and trucks allows access to more sensitive features from anywhere on the internet if the hacker knows the car’s IP address which you can find via active scanning. The attack appears to work on any Chrysler vehicle with the internet connection feature from late 2013 through early 2015. An estimated 450,000+ cars are vulnerable.

More exploits are expected to be revealed at the Black Hat hacker conference in August 2015, and Congress is considering minimum cyber security requirements for cars. Source: Wired online, which includes a video.

07/21/2015  Ownstar!

The prolific social hacker Samy Kamkar (web site and YouTube Channel) has created a little box including three radios, a Raspberry Pi computer and more for about $100 in parts. If it is anywhere near (or on) your OnStar-equipped car, he can locate the vehicle, unlock it, beep the horn, sound its alarm or start the ignition. Also available to a hacker are the user’s name, email, home address, last four digits of a credit card and the card expiration date, all accessible from the OnStar account. The original app has been downloaded over a million times from the Google store for Android devices. There is an iOS version too. Samy calls it “Ownstar” and General Motors isn’t happy. More at Wired.

07/30/2015 Update  Ownstar patch

General Motors reported it had fixed the flaw by a change in its server software. Samy Kamkar tested again and surprise (not) he could still take control. GM has changed its tune and created a patch for its app. Users should update their RemoteLink app to fully protect their vehicles. More at Wired.

Corvette hacked with text message

In August 2015 hijackers were able to apply and disable the brakes of a Corvette by sending a text message to an easily available device connected to the car’s diagnostic port. Source: CBSNews

08/13/2015 Update  Ownstar gets BMW & more

Samy Kamkar found varying levels of access to BMW, Mercedes-Benz, Chrysler and Viper. He looked at 11 different automakers and found five were vulnerable. Those apps lack basic SSL authentication which, according to Kamkar, shows automakers are so much in a hurry to connect cars to the internet that their cybersecurity efforts haven’t kept up. More at Wired.

08/06/2015  Tesla Model-S HACKED

Researchers find two ways to drive away with your electric sports car

They plug a laptop in behind the driver-side dashboard, start and drive away. Or, they could load a Trojan virus on the car’s network and remotely stop the car for an easy car jack. A third way involved exploiting a four year old web vulnerability. If the car accessed a malware laden web site the crooks could escalate their privilege and take control without ever having been near the car. The researchers also found multiple memory cards inside the car that contained keys for the VPN structure as well as unsecured passwords. This allows for fake updates to be processed. Tesla was responsive and created remote patches to fix some of the problems before the researchers went public. Source: Wired

09/09/2015  Stop Self Driving Cars with laser pointer

Self driving cars use a number of sensors to perceive the world around them. Many active sensors send out a pulse. How that pulse comes back can be interpreted to derive information. Chaff, thin strips of aluminum foil or mylar coated with aluminum, can confuse the return from radio waves emitted by RADAR (radio detection and ranging). LIDAR (light detection and ranging) works on the same concept with different principles. A researcher recorded LIDAR pulses and beamed them back using a laser pointer. The LIDAR interpreted those signals as representing objects and the self driving car slowed, stopped, or maneuvered to avoid them. The attack could come from any side. Total price of his equipment was $60. More on the story and the paper Potential Cyberattacks on Automated Vehicles (sign in with Facebook, Google+ or email required to download PDF)

09/24/2015  An Opinion on Cheating Software

In the wake of Volkswagen’s “defeat” software on diesel engines, used to cheat emissions standards and exhaust over 30 times the legal limit of pollutants, a professor describes how we have laws with penalties to find and catch many miscreants, but (except for one great example) not software that cheats. Earthquake-related building codes in Chile and Turkey are cited as an example of pro-actively saving lives. De-certifying voting machines with hard coded passwords was another. She recommends three steps:

First, smart objects must be tested “in the wild” and not just in the lab, under the conditions where they will actually be used and with methods that don’t alert the device that it’s being tested. For cars, that means putting the emissions detector in the tail pipe of a running vehicle out on the highway. For voting machines that do not have an auditable paper trail, that means “parallel testing” — randomly selecting some machines on Election Day, and voting on them under observation to check their tallies. It is otherwise too easy for the voting machine software to behave perfectly well on all days of the year except, say, Nov. 8, 2016.

Second, manufacturers must not be allowed to use copyright claims on their software to block research into their systems, as car companies and voting machine manufacturers have repeatedly tried to do. There are proprietary commercial interests at stake, but there are many ways to deal with this obstacle, including creating special commissions with full access to the code under regulatory supervision.

Third, we need to regulate what software is doing through its outputs. It’s simply too easy to slip in a few lines of malicious code to a modern device. So the public can’t always know if the device is working properly — but we can check its operation by creating auditable and hard-to-tamper-with logs of how the software is running that regulators can inspect.

None of this is impossible. There is one industry in particular that employs many of these safeguards in an admirable fashion: slot machines in casinos. These machines, which in some ways present the perfect cheating scenario, are run by software designed by the manufacturers without a centralized database of winnings and losses to check if frequencies of losses are excessive. Despite all these temptations, in many jurisdictions, these machines run some of the best regulated software in the country. The machines are legally allowed to win slightly more often than lose, of course, ensuring a tidy profit for the casinos (and tax revenues for the local governments) without cheating on the disclosed standards.

[ highlighting ours -ed More at the source: NY Times ]

[ Considering what my smart lightbulb can do to hack my WiFi, Heartbleed (expose contents of memory to unauthorized access), Shellshock/Bash (exposure to unauthorized external commands) and the SandWorm exploitation (think weaponized PowerPoint) this sounds very good -ed ]
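
The third step above, "auditable and hard-to-tamper-with logs", can be illustrated with a hash chain whose latest hash is handed to an inspector. This is an added example, not part of the op-ed or of this page's sources; the function names, record fields and sample readings are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain


def entry_hash(prev_hash, record):
    """Hash one record together with the hash of the entry before it."""
    # Canonical JSON: the same record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    """Append a record and return the new head hash for the inspector."""
    prev = log[-1]["hash"] if log else GENESIS
    head = entry_hash(prev, record)
    log.append({"record": record, "hash": head})
    return head


def verify(log, anchored_head):
    """Check the chain against the head hash the inspector stored earlier."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, f"entry {i} does not match its hash"
        prev = entry["hash"]
    if prev != anchored_head:
        return False, "head differs from the anchored value"
    return True, "ok"


def demo():
    log, head = [], GENESIS
    for rec in (  # constructed engine-controller records
        {"t": 1, "mode": "full_control", "nox_mg_km": 40},
        {"t": 2, "mode": "full_control", "nox_mg_km": 42},
        {"t": 3, "mode": "reduced_control", "nox_mg_km": 950},
    ):
        head = append(log, rec)
    # Case 1: one record edited in place, stored hashes left alone.
    edited = copy.deepcopy(log)
    edited[2]["record"]["mode"] = "full_control"
    # Case 2: record edited and every hash recomputed; only the anchor catches it.
    rewritten = []
    for entry in edited:
        append(rewritten, entry["record"])
    return {
        "intact": verify(log, head),
        "edited": verify(edited, head),
        "rewritten": verify(rewritten, head),
        "truncated": verify(log[:2], head),  # Case 3: last entry dropped
    }


if __name__ == "__main__":
    print(demo())
```

The rewritten case passes every per-entry check, which is why the head hash has to be kept somewhere the device's own software cannot change it.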

12/08/2015  Car calls cops on driver

After an accident where the car’s front hit another car in the rear, the car called emergency services in Port Lucie, Florida. A dispatcher called the driver who reported there was no accident. The dispatcher was skeptical and the police who followed up were even more convinced when they found the very damaged front end of the car with paint matching the color of the rear-ended car. After several denials and fabrications the driver confessed. Sophos has more on the story …

[ We’re pretty sure the Fifth Amendment that allows for people not to be compelled to testify against themselves does not apply to their automobile. Probably doesn’t apply to anything connected to the rest of the world. Just think what can happen when your refrigerator tattles on you! On the other hand, is it true because the computer says so? Not always, but a flapping driver’s air bag makes for reasonable concern -ed ]

2/24/2016  Nissan Leaf App has Anonymous Remote Access

Back in December 2015 researcher Troy Hunt found that from anywhere within internet range you can make requests of a Nissan Leaf without any authorization, token or other access controls. Those requests include modification of controls. Nissan was notified multiple times via email and telephone and the best response was “we’re working on it”. (source has detailed narrative and video)

Troy Hunt runs the site for one stop checking to see if an email address has been exposed in one, or more, of the many breaches. As of 2/24/2016 the site has data from over 80 pwned websites holding over 287 million email addresses. Highly recommended.

2/25/2016 Update  Nissan takes service off line

Only after publication did Nissan disable the app completely.

2/25/2016 Update  Nissan App Lives!

At least in Canada, Nissan Leaf vehicles can still be accessed using only the VIN for identification.

3/10/2016  Trucker Tracker

Shodan, the same search engine that keeps finding unsecured databases, was used to find Telematic Gateway Units (TGU) which provide truck related measurements (location, speed, oil pressure etc) via the internet.

An enterprising security researcher searched for the text string “GPS” that appeared on “port 23”, which is the standard listening port for the remote login service called Telnet. The first attempt found 700 instances. The problem is Telnet is from the 1970s and does not use encryption at all. Was there something worse? Oh yes. See Naked Security / Sophos

3/21/2016  FBI issues warning

The Federal Bureau of Investigation (FBI) and the US National Highway Traffic Safety Administration (NHTSA) have created a public service announcement with a warning on the risks coming with all those computers in modern vehicles to control multiple critical functions from steering, braking, acceleration, on up to lights and windshield wipers.

Guidance includes: Ensure your vehicle software is up to date. Beware of fake “updates” leading to malware. Exercise caution about modifying vehicle software. Be aware of connecting third-party devices to your vehicle, especially into the diagnostics port. Beware of allowing physical access to the vehicle. More at Wired.

[ The warnings sound very similar to cell phone security. Given the history of demonstrated car hacking (just look at 2010 above!), today’s announcement of a new Apple vulnerability and NIST guidance, this warning seems rather little and rather late. Also: site hosting PSA seems busy, often. -ed ]

3/23/2016  Radio car fob interception allows easy drive away for crooks

Fob intercept-replay attack.

First reported in Germany (Google translation to English). By design cars detect a keyless radio fob at about two meters. The car opens up and may perform other functions. When the fob leaves that radius the car locks itself. So far so good. The keyless technology makes it downright easy for thieves to take a car in seconds without use of and leaving no trace. Cars subject to this hack include small cars, luxury cars, and SUVs from the largest names in the industry including Audi, BMW, Ford, Lexus, Volkswagen, and those were just the ones tested. How many are there among the 24 models from 19 manufacturers? Hundreds of thousands easily. The interception of signals between fob and car has been around since at least 2011 but what has changed is the technology. The capability has gone up and the price has come way, way down.

The range is no longer two meters, but two orders of magnitude longer, several hundred meters. The price is about $200 and a few hours of assembly. There are two boxes, one near the vehicle, the other anywhere nearby. Once the signals are captured it is like handing the keys to the crooks. Details of what models were found vulnerable, details on the hack, and a video (2m 18s narrative in German) showing the attack.

[ Once a concept has been demonstrated it is often no longer a question of “if”, but “when” it will be streamlined, optimized, cheaper and available for crooks. Automakers ignored the early work of Dr. Kohno, from NDSS in 2011, and from when a 14-year-old hacked a car in 2014 as a project during summer camp. So now, crooks can walk up to your car and drive away. -ed ]

4/28/2016  GAO Report

More than five years after demonstrating that cars can be compromised the Vehicle Cybersecurity report (61 page PDF) from the Government Accountability Office (GAO) has been published. It appears to have been designed as guidance on how to reduce risks related to increasingly computer-dependent automobiles. As a point of comparison: the USAF F-22 fighter has about 1.7 million lines of computer code supporting it. A Boeing 787 has about 6.5 million lines. A vehicle with the bells-and-whistles entertainment system, WiFi connectivity, satellite radio, keyless entry, Bluetooth, cellular service, remote telematics and more has 100 million lines of code and growing. Along the way that report morphed into a basic instruction manual on how to perform cyber-attacks on the same automobiles. More at Data Breach Today

5/01/2016  Car Hacking = Life Sentence?

Causing another person’s death through reckless behavior, or in the commission of another crime, but without intent to kill, is manslaughter. Involuntary manslaughter at federal and state level is a felony and usually carries a jail or prison sentence of at least 12 months. The Michigan state Senate has proposed two bills which, if passed into law, will introduce life sentences in prison for people who hack into cars’ electronic systems.

[ The bills as written could discourage security researchers finding potentially critical vulnerabilities in vehicle systems. Who has found the majority of modern car insecurity? Those same security researchers. So, are the bills intended to apply a heavy hand to crooks or to keep the security researchers from informing the public of extensive vulnerabilities in the many attack surfaces of the modern automobile? -ed ]

5/22/2016  Ransomware and Cars

In this recent radio interview (audio and text at CBC) an attorney made two points. “…cases of ransomware being installed via the USB port on connected cars. One way this happens is through an innocuous visit to the mechanic.” Also “…a case of an entire fleet of vehicles disabled by ransomware.”

5/26/2016 Update  On cars and ransomware

Responding promptly to an email inquiry, the attorney cited client privilege and declined to provide a public reference.

6/06/2016  Mitsubishi PHEV Hacked

More than 100,000 Mitsubishi Outlander PHEV are vulnerable to hacking. Researchers were able to change the air conditioning, turn lights on/off, change the car’s charging settings, drain the battery, and turn off the anti-theft alarm. More at The Hacker News including a brief video.

[ Dr. Kohno demonstrated cars could be hacked in 2010. How are manufacturers still creating the same vulnerabilities? -ed ]

7/07/2016  BMW vulnerabilities

The official BMW domain and ConnectedDrive portal have unpatched vulnerabilities. Some security functions rely on secure validation of the Vehicle Identification Number (VIN). That function can be bypassed to allow access to any vehicle. The web site has a cross-site scripting vulnerability that can inject a malicious payload into a vulnerable module. The result is bad for the user. More at The Hacker News.

7/08/2016  Duplicate Key? So old school!

Why make a duplicate key when you can tell the car’s computer to use the one you already have?

Yep, car crooks are getting smarter, using tools intended for the dealer to “marry” the car to another keyfob for keyless entry. Even disconnecting from the internet is no guarantee; access can be made via the diagnostics port. More at Naked Security / Sophos

8/04/2016  Car & Truck Hacking

The Black Hat security conference is in process and again we are being informed that cars are vulnerable. Researchers were able to turn the steering wheel on a car at 60mph. The test put them in a ditch. These vulnerabilities could put you and others in the grave. Something a little less fatal? How about some crook putting on the parking brake in such a manner you can’t release it. A little ransom to get your car back? Or, a way to prevent you from leaving the site of your future murder? More at Naked Security / Sophos.

University of Michigan researchers plan to present at the Usenix Workshop on Offensive Technologies conference next week their findings on hacking vulnerabilities of industrial vehicles. Many large trucks and other commercial vehicles use a common communication standard from which hackers can change the instrument panel readings, compel acceleration or disable some braking systems. More at Wired.

8/05/2016  30 cars at 6 minutes each

Or, security continues to be an afterthought in modern connected cars. See Hack Read.

9/19/2016  Security Blog Reports on Tesla Weaknesses

Multiple Tesla Model S were hijacked by a team of security researchers from Keen Security Lab. They exploited multiple flaws in multiple models running the most recent software in both parked and driving modes and never touched the car itself. Key fob? Totally bypassed. Engage the brakes during motion without driver command? Yep. Open trunk? Sure. The hack requires that the hackers be able to monitor a connection between the car and a wifi hot spot. Just browsing for the nearest gas station will do it. YouTube video (8:05); watch full screen to see the smaller inset frames. More at Keen Lab

9/20/2016 Update  Tesla Patch

Next day Tesla rolls out a security patch. It was actually ten days because like good social hackers Keen Lab had given their results to Tesla privately. See Reuters.


Links above were active at the time they were gathered.