Hacking a car is way too easy

Could Michael Hastings' car crash have been caused by a remote attack? Technically, yes

Topics: Michael Hastings, Richard Clarke, car hacking, Hacking, Security,

Hacking a car is way too easy (Credit: Henrik5000 via iStock/Salon)

Conspiracy theories about the cause of the car crash that killed investigative reporter Michael Hastings on June 18 started sprouting immediately after the news of his death broke. So far,  no conclusive evidence supports foul play, but on Monday, counterterrorism expert Richard Clarke made news when he told the Huffington Post that the circumstances of Hastings’ car chase were “consistent with a car cyber attack.”

While hastening to state that he was not saying he believed the crash was a purposeful attack, Clarke did observe, reported the Huffington Post, that “‘There is reason to believe that intelligence agencies for major powers’ — including the United States — know how to remotely seize control of a car.”

Clarke served during both Bush presidencies and under Bill Clinton, so presumably he wasn’t speaking completely off the cuff. But just what is a “car cyber attack”?

The answer can be found in two alarming papers by researchers at the University of Washington and the University of California, San Diego, “Experimental Security Analysis of a Modern Vehicle,” and Comprehensive Experimental Analyses of Automotive Attack Surfaces.

Taken together, the papers make for scary reading. In the first the researchers demonstrate that it is a relatively trivial exercise to access the computer systems of a modern car and take control away from the driver. The second demonstrates that such mayhem can be achieved remotely, via a variety of methods. The inescapable conclusion: The modern car is a security disaster.



Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled bydozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks… We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.

We have endeavored to comprehensively assess how much resilience a conventional automobile has against a digital attack mounted against its internal components. Our findings suggest that, unfortunately, the answer is “little.”

The researchers’ findings are not theoretical. They were able to attack a 2009 model sedan and render its brakes ineffective while a test driver was operating the car.

The computerization of the modern car has been aggressively evolving for decades. (Ironically, the researchers credit California’s clean air laws in the 1970s with providing the first incentive for moving car engines into the digital era.) But it might come as a surprise to the average person just how interconnected and accessible today’s high-tech cars are. “Such [computer] systems have been integrated into virtually every aspect of a car’s functioning and diagnostics, including the throttle, transmission, brakes, passenger climate and lighting controls, external lights.”

There turn out to be multiple pathways for car hackers. Diagnostic tools used by mechanics can give hackers laptop access to critical systems. If an attacker is able to get a music file preloaded with malware onto your iPod, just plugging it into a car’s USB port could give that attacker full access. Nearly all new cars now have two-way cellular capability necessary for such systems as GM’s On-Star that are purposely designed to faciliate access to all-important systems.

Your car, ultimately, might be more vulnerable to attack than your computer or smartphone, because there’s little evidence that there has been any systematic thought devoted to vehicle cyber-security. Quite the opposite. Cars are increasingly designed to allow remote access via a variety of input systems.

Just one more reason why we should all be riding bikes.

Andrew Leonard

Andrew Leonard is a staff writer at Salon. On Twitter, @koxinga21.

More Related Stories

Featured Slide Shows

  • Share on Twitter
  • Share on Facebook
  • 1 of 11
  • Close
  • Fullscreen
  • Thumbnails
    Burger King Japan

    2014's fast food atrocities

    Burger King's black cheeseburger: Made with squid ink and bamboo charcoal, arguably a symbol of meat's destructive effect on the planet. Only available in Japan.

    Elite Daily/Twitter

    2014's fast food atrocities

    McDonald's Black Burger: Because the laws of competition say that once Burger King introduces a black cheeseburger, it's only a matter of time before McDonald's follows suit. You still don't have to eat it.

    Domino's

    2014's fast food atrocities

    Domino's Specialty Chicken: It's like regular pizza, except instead of a crust, there's fried chicken. The company's marketing officer calls it "one of the most creative, innovative menu items we have ever had” -- brain power put to good use.

    Arby's/Facebook

    2014's fast food atrocities

    Arby's Meat Mountain: The viral off-menu product containing eight different types of meat that, on second read, was probably engineered by Arby's all along. Horrific, regardless.

    KFC

    2014's fast food atrocities

    KFC'S ZINGER DOUBLE DOWN KING: A sandwich made by adding a burger patty to the infamous chicken-instead-of-buns creation can only be described using all caps. NO BUN ALL MEAT. Only available in South Korea.

    Taco Bell

    2014's fast food atrocities

    Taco Bell's Waffle Taco: It took two years for Taco Bell to develop this waffle folded in the shape of a taco, the stand-out star of its new breakfast menu.

    Michele Parente/Twitter

    2014's fast food atrocities

    Krispy Kreme Triple Cheeseburger: Only attendees at the San Diego County Fair were given the opportunity to taste the official version of this donut-hamburger-heart attack combo. The rest of America has reasonable odds of not dropping dead tomorrow.

    Taco Bell

    2014's fast food atrocities

    Taco Bell's Quesarito: A burrito wrapped in a quesadilla inside an enigma. Quarantined to one store in Oklahoma City.

    Pizzagamechangers.com

    2014's fast food atrocities

    Boston Pizza's Pizza Cake: The people's choice winner of a Canadian pizza chain's contest whose real aim, we'd imagine, is to prove that there's no such thing as "too far." Currently in development.

    7-Eleven

    2014's fast food atrocities

    7-Eleven's Doritos Loaded: "For something decadent and artificial by design," wrote one impassioned reviewer, "it only tasted of the latter."

  • Recent Slide Shows

Comments

Loading Comments...