Hackers: When Drivers Aren’t In Control

Aug. 29--LA JOLLA -- Computers in automobiles may mean more convenience and a better ride for motorists, but researchers have shown they also give hackers the potential to take over vehicles remotely.

A team led by UC San Diego professor Stefan Savage has demonstrated how a device plugged into a dashboard port could be hacked to work a Corvette's windshield wipers and brakes -- with a smartphone.

It was just the latest demonstration of how hackers can take over a vehicle's functions. Other cyber experts have had such success at taking control of a vehicle that the auto manufacturers have not only taken notice, but in one case, launched a massive recall to address the concern.

Savage, a professor in the computer science and engineering department, made his presentation at the Usenix security conference in Washington, D.C. on Aug. 11. In an interview, he said there has never been a reported case of somebody hacking into a car to maliciously take over its controls, though there have been many cases of people stealing or breaking into cars by remotely unlocking doors.

But he expects that to change.

"Whether they're terrorists or someone who's disaffected who thinks it'd be really funny to take all the BMWs in the Bay Area and turn them into bricks so they'll never start again," he said.

At the Usenix conference, Savage and a team of researchers demonstrated how they can hack into a vehicle through the onboard diagnostic port -- more commonly called the OBD2 -- needed for emissions testing and for mechanics to check a vehicle's performance.

The team found they could access the computers that control the car by sending an update command to a telematics control unit, also known as a dongle, that plugs into the port. The device is used by some insurance companies, rental companies and fleet operators to track vehicles' location, speed and mileage.

In a video they posted on YouTube, the team demonstrated how they were able to use a smartphone to connect to a Corvette and control its windshield wipers and brakes.

The key for Savage and his team -- master's student Ian Foster, postdoctoral student Karl Koscher and master's student Andrew Prudhomme -- was to look inside a dongle and find the phone number to connect to the device within a string of numbers to many other dongles.

In an earlier interview with The San Diego Union-Tribune, he said he doesn't see much motivation for such cyber attacks, since they don't cause serious long-term damage and are less sensational than physical attacks.

But logic often doesn't play a role in mischief, as was clear in 2008 when a 14-year-old boy in Poland hacked a TV remote control to cause a tram to switch tracks, derailing four cars and injuring 12 people.

Already there's a move in Congress to address car-hacking concerns.

A Washington-based lobbying group that represents a dozen car companies doesn't support legislation to create new standards, but its spokesman said it is taking steps to make cars more secure.

"Cybersecurity is a serious issue for every industry, including autos," said Dan Gage, communications director for the Alliance of Automotive Manufacturers, which represents the BMW Group, Fiat-Chrysler, General Motors, Toyota and other car companies.

Gage said the auto industry is following a "privacy by design" approach of reducing risk and adding protection of data and privacy in the earliest stages of product development.

At the same time, the industry also is attempting to balance the extra security with consumer demands for the conveniences that come with interactive devices on vehicles, he said.

"A big push over last year has been to educate consumers," he said. "A lot of that data can be useful for providing consumer services. Consumers, being increasingly savvy, want to be increasingly connected."

Manufacturers have adopted an industrywide set of privacy principles and are working to establish a voluntary forum for collecting and sharing information about existing or potential cyber-related threats and vulnerabilities in cars.

Many manufacturers also are organizing an Automotive Information Sharing and Analysis Center, which will begin by the end of the year, he said.

How it can happen

To understand how a hacker can remotely operate a car, first consider how almost all functions in a car are connected with a controller area network. The network, first used in BMWs in 1988, allows devices to communicate with each other without a host computer.

"A modern car today is entirely computerized," UCSD's Savage said. "Everything you think is mechanical, pretty much is not. You step on the gas, and you're telling a computer that you want to go faster."

A typical sedan has more than 30 interconnected computers, he said.

"There's pretty strong evidence that once you get into the network in the car, you can do just about everything," he said.

As an example, a luxury car's radio is connected to the drive train to adjust the volume at faster speed. The radio also may be connected to the alarm system, which is connected to the horn, which is connected to a system of devices that triggers actions after a crash, including unlocking doors and shutting off the engine.

Among the companies that use the dongles is the San Francisco-based company Metromile, which uses them to offer by-the-mile insurance to customers.

Savage said that Metromile was very responsive to his team's report, and announced patches to their dongles to address security issues. Metromile invited the researchers to speak to the company.

"Sometimes you come to companies and tell them they have an issue, and they lawyer up," he said. "That wasn't the situation at all."

Mobile Devices, a France-based company that makes the telematics control units hacked by Savage's team, also announced a security pack would be issued to its dongles soon after the Usenix security conference.

Automakers' responsibility?

Savage doesn't fault car manufacturers, which are required by law to have OBD2 ports. The ports are not defective, he said, but are working as intended.

That doesn't mean there isn't room for improvement. For instance, Savage said manufacturers of components within vehicles could require update commands to be digitally signed to ensure they are legitimate.
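Signed update commands of the kind Savage suggests, sketched in Go as an added example (not code from the researchers, the dongle vendor or this article): the device keeps only the vendor's public key and rejects any command that fails verification or reuses an old counter. The message layout, the replay counter, the choice of Ed25519 and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrBadSignature = errors.New("update rejected: bad signature")
var ErrReplay = errors.New("update rejected: stale counter")

// Device models the dongle (hypothetical design, not the real product).
type Device struct {
	VendorKey   ed25519.PublicKey // only the public key ever ships on the device
	LastCounter uint64            // counter of the last update applied
}

// message binds the counter to the payload so neither can be swapped out.
func message(counter uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, counter)
	return append(buf, payload...)
}

// Accept checks authenticity, then freshness, before the update is applied.
func (d *Device) Accept(counter uint64, payload, sig []byte) error {
	if !ed25519.Verify(d.VendorKey, message(counter, payload), sig) {
		return ErrBadSignature
	}
	if counter <= d.LastCounter {
		return ErrReplay // a captured genuine command must not work twice
	}
	d.LastCounter = counter
	return nil
}

// RunScenario uses constructed keys and payloads: genuine, wrong key, replay.
func RunScenario() (genuine, forged, replayed error) {
	pub, priv, _ := ed25519.GenerateKey(nil)    // vendor's key pair
	_, otherPriv, _ := ed25519.GenerateKey(nil) // anyone else's key
	dev, img := &Device{VendorKey: pub}, []byte("image-v2 (constructed)")
	sig := ed25519.Sign(priv, message(1, img)) // done on the vendor's server
	genuine = dev.Accept(1, img, sig)
	forged = dev.Accept(2, img, ed25519.Sign(otherPriv, message(2, img)))
	replayed = dev.Accept(1, img, sig)
	return
}

func main() { fmt.Println(RunScenario()) }
```

Knowing a dongle's phone number is then not enough to change its software, because a valid command can be produced only with the vendor's private key.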

That idea was included in a bill co-sponsored by Sen. Edward Markey, D-Mass, a member of the Commerce, Science and Transportation Committee, and Sen. Richard Blumenthal, D-Conn.

The bill also would require the National Highway and Traffic Safety Administration and the Federal Trade Commission to set standards that isolate critical software systems from the rest of a car's internal network, among other steps.

Gage, the car manufacturers' spokesman, said legislation isn't the answer.

"What automakers need now is not a new regulatory scheme with 18-month notices and multiyear reviews that suppresses innovation and hinders nimble efforts to stay steps ahead of malicious hacks," he said. "In fact, several of the bill's proposed requirements could provide consumers with a false sense of security in an ever-changing, data-driven tech world."

Gage said auto manufacturers already are being cooperative and working together to protect cars from cyber attacks.

Savage questioned whether automakers can be nimble.

"The automotive industry is not agile," Savage said. "It moves slowly. They have been moving toward doing a number of these things. But it does not turn on a dime."

More research hacking

Savage said his research may have been the first to remotely hack into a car using a dongle, but other people also are looking into cybersecurity in vehicles.

In July, cybersecurity experts Charlie Miller and Chris Valasek demonstrated how they could take control of a Wi-Fi equipped Jeep, causing it to slide into a ditch after disabling its brakes. The demonstration resulted in Fiat Chrysler Automobiles recalling 1.4 million vehicles.

The Defense Advanced Research Projects Agency within the Department of Defense also has demonstrated how a laptop can take over a vehicle. DARPA has funded research by Miller and Valasek.

Since 2012, the nonprofit research and development organization Battelle has hosted the annual Battelle CyberAuto Challenge in Troy, Mich. At this year's conference, a 14-year-old boy used $15 in supplies from Radio Shack to build a device that wirelessly communicated with a car's controller area network to turn on the headlights and windshield wipers, honk the horn, unlock the doors and even start the engine.

Savage first researched potential cyber attacks on cars in 2010. On a hunch, he and other UC San Diego researchers looked into vulnerabilities in the growing number of external communications devices in cars such as OnStar, Bluetooth capability on stereo systems, remote keyless entry and even tire-pressure sensors.

"We found a flaw in a CD player in our car," he said. "You could pick a song and code it in a way that if you played on your PC it'll play fine, but if you play it in your car, it'll take it over."

Savage said the National Highway and Traffic Safety Administration and original equipment manufacturers reacted positively to his research in 2011. The agency created a new test center and efforts were made to create new standards, among other steps.

___

(c)2015 The San Diego Union-Tribune

Visit The San Diego Union-Tribune at http://ift.tt/1G66Hlp

Distributed by Tribune Content Agency, LLC.
