• May 16, 2010
During the 17 years this writer worked on braking and stability control systems, we occasionally joked about being able to remotely update the software in people's vehicles and bring them to a halt. At that time, the technology didn't really exist to actually do that. Today that's no longer true. Researchers at the Universities of California and Washington will present a paper at a security conference in Oakland, California next week outlining how they were able to hack into vehicle computer systems.

When electronic control units were first added to cars in the 1970s, the firmware was all in masked read-only-memory that couldn't be modified once it was fabricated. In the late 1990s, as systems became more complex, engineers began using flash memory so that firmware could be updated with bug-fixes and other changes. With most current vehicles you have to be plugged into the OBD-II diagnostic port in order to communicate with the ECUs, which are now connected over a vehicle-wide controller area network.

Now that we're starting to move into the age of connected vehicles, the risks are rapidly increasing. OnStar already has the ability to remotely slow a stolen vehicle. Ford is currently demonstrating Fiestas that can download applications and communicate with the vehicle systems to broadcast vehicle information. Without putting adequate security into vehicle ECUs, it's possible that someone could download a malicious application with the potential to disable or otherwise damage the vehicle.

[Source: PC World]


  • 30 Comments
      • 4 Years Ago
      These systems are not unnecessary.
      They will allow a whole host of new options both in features and design layout.
      They are not being done for the hell of it.

      The big winner will be safety.
      Allowing computer monitoring/control of these systems will aid in everything from a driver falling asleep to bad road conditions to emergency maneuvers to tire blow-out.
      The simple fact is, these systems will eventually be able to out-perform a human driver.
      They will have more and faster input, be able to compute the best corrective action faster and react faster.
      That's not just some hot-shot driver-dude, but also your elderly Aunt Mary or your 17-year-old who has had a driver's license for a month.

      It has already begun - what do you think all these traction control and stability control systems are doing?

      There is zero doubt that cars will progress toward more-or-less complete fly-by-wire control systems.
        • 4 Years Ago
        You might see safety, I see lobbyists, politicians, and corporations forcefully installing an endless list of "safety" equipment that raises the cost of new cars well beyond the inflation rate of pay rates. I fully agree that some of it is important, but cars are so much safer already, I see the rest as overkill. Why does a 115hp car need traction control? You can't opt out of it, you want a new car, you're paying for it. TPMS.. No thanks.

        If you want to trust and pay others for you to feel secure, go ahead, but I don't want others telling me what I need to feel safe. I just pay attention on the road and I don't assume I can multi-task other operations. I personally don't need the government to make me safe.
      • 4 Years Ago
      The "hackers" did nothing scary whatsoever. Every page I've seen this on, including Gizmodo, Slashdot, HardOCP, PC World, and even Fox News and CNN has the story completely wrong (because the real story is boring.)

      The researchers connected an OBD-II interface to the car, and in turn connected it to a laptop, which streamed the connection wirelessly. They were able to use the OBD-II system (on a Chevrolet Impala) to override the car's systems. This should be a shock, because the OBD-II system is designed to function like that.

      Unlike what every major news outlet is reporting, the "researchers" needed physical access to the car, and they needed to leave large amounts of powered gear IN THE CAR in order to be able to control it. Hardly a "discreet hack."

      The crux of it? Read this quote from the actual study:

      "In this paper we intentionally and explicitly skirt the question of a “threat model.” Instead, we focus primarily on what an attacker could do to a car if she was able to maliciously communicate on the car’s internal network. That said, this does beg the question of how she might be able to gain such access."

      That's right, they intentionally "skirt the question" of how the hell anyone could possibly do this without first being in the car. So, obviously, every news network is running the story as if they have done exactly that, because it's more exciting. Who cares that it's totally untrue and misleading.

      Sorry to disappoint.

      Source: http://www.autosec.org/publications.html
        • 4 Years Ago
        I couldn't have put it better myself.

        I work for a telematics company that relies on OBDII as a core technology in our automotive information system (http://www.carcheckup.com)

        I can tell you a few of the obstacles of pulling off a Hollywood style attack like this:
        1. The OBDII bus isn't wireless - you'd have to cable in directly (yes...even OnStar is cabled into the bus)
        2. Various protocols - There are several protocols for OBDII. You'd have to know the protocol, and then debug the idiosyncrasies of that protocol (i.e. bus transmission timing)
        3. If someone has access to the most common OBDII interface (the one these researchers were connected to with a laptop and a protocol interface) then they are already in your car or have wired a device to the OBDII port on your car. In either case, you probably have bigger problems than someone shutting off your brakes when you're going down the road.

        These aren't trivial. Our engineers can spend days trying to debug something as simple as pulling the RPM from a specific model of car because the manufacturer took liberties with the protocol.

        And...as Kinosen pointed out...even the researchers point this fact out (as already quoted). It just makes a much better story if the media hypes it up to draw pictures of highway trouble when a malicious hacker slams on everyone's brakes remotely and causes an accident.

        Don't lose any sleep over this folks...it's media hype.



        • 4 Years Ago
        But that's not what the study actually did, or proved. They specifically say that they didn't examine any possibility of hacking into a car's ECM remotely.

        There's a difference between being able to control a car's every system via the OBD-II port, and being able to use an internet-connected car to access that same system.

        The news media is being misleading because they are tying the study to the possibility of hacking a car via its internet connection, which is not covered by the study.

        The problem comes when you recognize that this "NEW TECHNOLOGY" is not able to interface directly with the OBD-II system, and therefore cannot be used to "kill brakes and more", which is implied by the title of this very article.

        I know what the news reports say. They're wrong. They use this study as a source to prove their inflammatory claims, which is wrong, just like you.

        What about that is difficult to understand?
        • 4 Years Ago
        Oops, rather, it SHOULDN'T be a shock that they could use the OBD-II system... the way it was designed to be used.

        The shock is that Autoblog requires logins and passwords to post comments, but in turn doesn't allow you to delete or edit them.
        • 4 Years Ago
        Actually you have the story incorrect.

        What the news accounts have CLEARLY stated is that with the NEW technology where internet access and wireless capabilities are being built into new cars (that's why the Ford Fiesta is mentioned), hackers could exploit this NEW TECHNOLOGY.

        Perhaps you should read before you blab like you know what the hell you are talking about!
      • 4 Years Ago
      Technology is not the problem.

      Ethics of people with access to technology has always been the problem, and some of us have been saying it for a long time.
      • 4 Years Ago
      What happens if the concept of adware reaches cars' ECUs?
      • 4 Years Ago
      While this story might have been misrepresented, I don't like unnecessary computer software/hardware in cars. It is often too easy to find ways around things. All it takes is one person to figure something out, who shares it and then free software or instructions are available. So in the end, it doesn't take a bunch of real hackers to do damage, just anyone who knows where to look and that is getting all too easy. It's also more opportunity for big brother to spy. While I don't think anything really nasty can happen with OBD II, the next gen could cause more problems if it has any kind of wireless communication.

      As far as On-Star hacks, they do exist (just search for it). While no one seems to have access to the whole network and target random cars (yet) it is foolish to think it can never happen. Any computer controlled device can be hacked in time. The lack of a gain or reason is probably the only reason it hasn't been done yet. A-hole hackers might be happy to steal your CC#, but they don't know what to do with a stolen car. They are criminals, but they are still nerds who don't like to get their hands dirty.
      • 4 Years Ago
      The real fun begins when wireless network interfaces start to replace the OBD-II port on cars....
      • 4 Years Ago
      Utilizing mechanical code units to provide encryption has worked for decades. Simple hackers cannot defeat them. I imagine the engineers must be looking at this type of time tested tech that protects ICBM enable and launch codes as well as system access.
      • 4 Years Ago
      I'm surprised it took this long. OnStar's remote disabling functions have been around for a long time... why did it take hackers this long to crack the security on it?
        • 4 Years Ago
        It was just a matter of time, I suppose they probably haven't been interested till now.
      • 4 Years Ago
      "a security conference in Oakland, California"

      LOL!
      • 4 Years Ago
      Jeez guys. Give somebody another excuse to ruin my day. Oh wait I drive cars that are not linked with the outside world, whew. For those people that are linked, good luck with that one.
      • 4 Years Ago
      Maybe Skynet had the right idea all along.
      • 4 Years Ago
      If this is the one I recently read about then the guys had a direct hook-up to a laptop which was then accessed via wireless.
      There probably could be a little security added to these systems, but the headline innuendo of hackers remotely doing this is a bit misleading.
      You need physical access to the car.
      ...and if you have that you could also just cut the brake line, or do any number of other things... like strap a bomb to it.

      Though as cars become more fly-by-wire over the coming years I am sure we will see this kind of thing.
      I'm sure we'll see systems implemented for emergency control and stopping via automatic 'autopilot' systems and also systems police can dial into to stop vehicles they are after.
      Then we will see some hacking... both to get in the police only door and to close the police door if you are the one in the car they are after.