With a modest amount of expertise, computer hackers could gain remote access to someone's car — just as they do to people's personal computers — and take over the vehicle's basic functions, including control of its engine, according to a report by computer scientists from the University of California-San Diego and the University of Washington.
Although no such takeovers have been reported in the real world, the scientists were able to do exactly this in an experiment conducted on a car they bought for the purpose of trying to hack it. Their report, delivered recently to the National Academy of Sciences' Transportation Research Board, described how such unauthorized intrusions could theoretically take place.
Advertisement
Because many of today's cars contain cellular connections and Bluetooth wireless technology, it is possible for a hacker, working from a remote location, to take control of various features — like the car locks and brakes — as well as to track the vehicle's location, eavesdrop on its cabin and steal vehicle data, the researchers said. They described potential compromises of car security and safety.
"This report explores how hard it is to compromise a car's computers without having any direct physical access to the car," said Stefan Savage of the University of California-San Diego, who is one of the leaders of the research effort.
Given that the researchers were able to do it, they are now trying to pinpoint just how hard it might be for others, he said.
In the experiment, the research teams bought a car they described as a representative example of a moderately priced sedan. They declined to identify the brand.
"In the case of every major manufacturer, if they do not have this capacity in their mainstream products, they're about to," said Tadayoshi Kohno, an assistant professor in the department of computer science and engineering at the University of Washington.
For example, services like General Motors Co.'s OnStar system, Toyota Motor Corp.'s Safety Connect, Lexus' Enform, Ford Motor Co.'s Sync, BMW's Assist and Mercedes-Benz's Mbrace all use a cellular connection embedded in the vehicle to provide a variety of automated and call center support services to a driver.
These subscription services make it possible to track a car's location, unlock doors remotely and control other functions.
In their remote experiment, the researchers were able to undermine the security protecting the cellular phone in the vehicle they bought and then insert malicious software. This allowed them to send commands to the car's electronic control unit — the nerve center of a vehicle's electronics system — which in turn made it possible to override various vehicle controls.
"These cellular channels offer many advantages for attackers," the report said. "They can be accessed over arbitrary distance (due to the wide coverage of cellular data infrastructure) in a largely anonymous fashion, typically have relatively high bandwidth, are two-way channels (supporting interactive control and data exfiltration), and are individually addressable."
The researchers declined to speculate about the worst situations, such as interfering with a vehicle's control system to make it crash.
However, they noted that their research showed how a next-generation car thief might operate. Instead of using today's "smash and grab" tactics, the thief might be able to simply dial up a parked car, unlock its doors and turn on the engine, then arrive on the scene and drive off.
In addition to the cellular telephone vulnerability, the report details similar weaknesses in other systems that allow remote access, including short range wireless networks like Bluetooth, network ports used for car maintenance and even internal CD players.
The researchers noted that their report was about potential vulnerabilities and said there was no evidence that the safety loopholes they discovered had been used by criminals.
They also said they believed that the automotive industry was treating the threats responsibly and working to improve the security of modern automobiles.
"Everyone has taken this extremely seriously," Savage said.
Subscribe to Detroit News home delivery and receive a SPECIAL INTRODUCTORY OFFER.
No comments:
Post a Comment