After journalist Michael Hastings earned himself a spot in the Conspiracy Theory Hall of Fame with his remarkable fiery demise just hours after announcing via email that he was on to a big story, some other journalists went and did some digging into just what is actually possible. Some of the research has been covered here before; some of it is new even to me. All of it ought to make you think twice about buying an all-electronic car.
Not only can you remotely pwn a car by exploiting the cell phone stack built into the OnStar module (always on, always connected) or the Bluetooth module… you can even mount an “evil song” attack: burn a CD where one track carries a buffer overflow that roots the car's head unit. (The details of this one were apparently left out of the published papers on purpose, but it was described on Reddit by a friend of the researchers; it is also the least reliable of the bunch.)
Oh, yeah, and the same goes for the radio data channel embedded in FM broadcasts, the remote keyless entry, and even the freaking TIRE PRESSURE SENSORS.
You can hack a car using the tire pressure sensors! Remotely!
And if you believe second-hand rumors from random Redditors, police are actively exploiting tire pressure sensors to remote-unlock target vehicles.
But wait, it gets worse: not only can you engage (or disable) the brakes at highway speed, douse the headlights on a pitch-black road, falsify instrument readings, or cause any other mayhem you can imagine… the researchers also designed self-erasing attack code that would do its damage and then remove every trace it had ever been there.
So not only can you do everything but make the car climb up a building, but when you’re done there need be no evidence left behind at all.
In case I haven’t got you headed for the “1980s diesel” section of the used car lot just yet… JMA covered the less dramatic side of this four years ago, talking about “giving free tune-ups while driving down the Autobahn” courtesy of his trusty Bluetooth scantool. (http://blip.tv/source-boston-2009/james-atkinson-horseless-carriage-exploits-and-eavesdropping-defenses-1-1-22-2349107)
“Maybe it wasn’t mentioned in the article, but I go to the University of Washington where the research was done, and they were able to gain access to the car network via Bluetooth and by the cell phone stack that was built into On Star.
My favorite vector of attack was burning the attack onto a music CD, that when played by any CD player would just play music, but once inside the car’s CD player would root the car and allow commands to be sent to it via IRC.[…]
IIRC they found a serial port on the back of the stereo and were able to hack together a remote in-dash debugger. They went to town looking for buffer overflows, identified one, and then produced a crafted WMA that would trigger it. The kicker: the WMA looked and played fine on a PC.[…]
They purposely didn’t publish the good stuff. […]
It all comes down to a buffer overflow due to mismatched assumptions between the CDFS and WMA libraries. The CDFS library assumes all reads will be less than 128 bytes, and the WMA library assumes it can read more than that. Combined with the TLV structure of WMA files, you can cause it to go down a code path where it tries to read an arbitrarily large amount of data into RAM. Of all the attacks, this one is the most unreliable because you have to overwrite a bunch of state referenced by other threads before you hit the function pointers.[…]
I heard of a good one about the tire pressure sensors in a cop car setup that allowed you to unlock the car.”
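The CDFS/WMA length mismatch described in the comment above, modelled as an added toy example in C. This is not the researchers' code or the real head-unit firmware: the 3-byte TLV header, the 128-byte sector buffer, and a "function pointer" slot sitting right after it in a flat RAM image are all assumptions made so the overflow can be watched without undefined behaviour. The vulnerable decoder hands the attacker-controlled TLV length straight to the copy; the hardened one checks it against the 128-byte assumption the lower layer actually honours.

```c
/* Added example (not from the original post): a toy model of a TLV decoder
 * trusting a length the underlying 128-byte read layer cannot honour. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_READ_MAX 128        /* the CDFS layer's assumed maximum read */
#define RAM_SIZE        256        /* flat "RAM" image standing in for the player */
#define BUF_OFF         0          /* the 128-byte read buffer lives here */
#define FPTR_OFF        SECTOR_READ_MAX  /* a 4-byte "function pointer" right after it */

typedef struct { uint8_t ram[RAM_SIZE]; } player_t;

static const uint8_t GOOD_FPTR[4] = {0xDE, 0xAD, 0xBE, 0xEF};  /* assumed original value */

static void player_init(player_t *p) {
    memset(p->ram, 0, sizeof p->ram);
    memcpy(p->ram + FPTR_OFF, GOOD_FPTR, sizeof GOOD_FPTR);
}

/* Assumed frame layout: 1-byte tag, 2-byte little-endian length, then payload. */
typedef struct { uint8_t tag; uint16_t len; const uint8_t *val; } tlv_t;

static int tlv_header(const uint8_t *disc, size_t disc_len, tlv_t *out) {
    if (disc_len < 3) return -1;               /* header itself truncated */
    out->tag = disc[0];
    out->len = (uint16_t)(disc[1] | (disc[2] << 8));
    out->val = disc + 3;
    return 0;
}

/* Vulnerable decoder: the TLV length is only clamped to what is on the disc,
 * never to the 128-byte buffer, so a long frame runs over the pointer slot.
 * (The extra clamp to RAM_SIZE keeps this toy inside p->ram.) Returns bytes copied. */
static size_t wma_read_vuln(player_t *p, const uint8_t *disc, size_t disc_len) {
    tlv_t t;
    if (tlv_header(disc, disc_len, &t)) return 0;
    size_t n = t.len;
    if (n > disc_len - 3) n = disc_len - 3;
    if (n > RAM_SIZE - BUF_OFF) n = RAM_SIZE - BUF_OFF;
    memcpy(p->ram + BUF_OFF, t.val, n);
    return n;
}

/* Hardened decoder: reject any frame longer than the buffer the read layer
 * provides, and any frame that claims more bytes than the disc holds. */
static size_t wma_read_fixed(player_t *p, const uint8_t *disc, size_t disc_len) {
    tlv_t t;
    if (tlv_header(disc, disc_len, &t)) return 0;
    if (t.len > SECTOR_READ_MAX) return 0;     /* would exceed the 128-byte assumption */
    if (t.len > disc_len - 3) return 0;        /* truncated frame */
    memcpy(p->ram + BUF_OFF, t.val, t.len);
    return t.len;
}

static int fptr_intact(const player_t *p) {
    return memcmp(p->ram + FPTR_OFF, GOOD_FPTR, sizeof GOOD_FPTR) == 0;
}

/* Constructed input: one TLV frame whose length field claims 'len' payload bytes. */
static size_t make_frame(uint8_t *out, size_t cap, uint16_t len, uint8_t fill) {
    if (cap < (size_t)len + 3) return 0;
    out[0] = 0x01;
    out[1] = (uint8_t)(len & 0xFF);
    out[2] = (uint8_t)(len >> 8);
    memset(out + 3, fill, len);
    return (size_t)len + 3;
}

/* Run one frame of the given length through either decoder on a fresh player. */
static void run(uint16_t len, int use_fixed, size_t *copied, int *intact) {
    uint8_t disc[512];
    player_t p;
    player_init(&p);
    size_t n = make_frame(disc, sizeof disc, len, 0x41);
    *copied = use_fixed ? wma_read_fixed(&p, disc, n) : wma_read_vuln(&p, disc, n);
    *intact = fptr_intact(&p);
}

size_t decode_bytes(uint16_t len, int use_fixed) { size_t c; int i; run(len, use_fixed, &c, &i); return c; }
int    decode_keeps_fptr(uint16_t len, int use_fixed) { size_t c; int i; run(len, use_fixed, &c, &i); return i; }

int main(void) {
    /* 100-byte frame: both decoders accept it and the pointer survives.
     * 140-byte frame: the vulnerable decoder writes 12 bytes over the pointer slot. */
    printf("benign  vuln : copied %zu, fptr intact %d\n", decode_bytes(100, 0), decode_keeps_fptr(100, 0));
    printf("evil    vuln : copied %zu, fptr intact %d\n", decode_bytes(140, 0), decode_keeps_fptr(140, 0));
    printf("evil    fixed: copied %zu, fptr intact %d\n", decode_bytes(140, 1), decode_keeps_fptr(140, 1));
    return 0;
}
```

In the real attack the bytes past the buffer land on state owned by other threads before they reach any function pointer, which is why the commenter calls it the least reliable vector; this toy has a single adjacent slot and so always "works".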
Shortly after Rolling Stone contributing editor Michael Hastings died in a fiery auto crash in Los Angeles, conspiracy theories began to pop up online. The mysterious circumstances practically begged for a new brand of ’70s-era Nixonian paranoia. Hastings had regularly pushed buttons in DC. The accident occurred at around 4:00 AM. Only hours earlier, Hastings had been at the sold-out premiere of friend Jeremy Scahill’s Dirty Wars documentary. And, most notably, Hastings spoke to WikiLeaks lawyer Jennifer Robinson hours before his death, then sent a panicky email to BuzzFeed staff, stating he was “onto a big story” and going off the grid for a bit.
The conspiracy theory suggesting Hastings’ Mercedes C250 was hacked is both extremely unlikely and near impossible to prove. That said, is such a hack even possible? Yes.[…]
In the first study, researchers, led by UW professor Tadayoshi Kohno and UCSD professor Stefan Savage, were able to hack just about everything electronic in a car. They demonstrated the ability to mess with the car’s radio and instrument panel cluster (to falsify fuel level and speedometer readings), jam locks, pop the trunk, honk the horn, enable/disable windshield wipers, control the A/C environment. Most importantly, they were able to disable the engine, disable or enable brakes, and create a general denial of service while the car’s wheels were doing 40 mph. […]
“One can imagine this attack to be extremely dangerous in a situation where a victim is driving at high speeds at night in a dark environment,” wrote the researchers. “[T]he driver would not be able to see the road ahead, nor the speedometer, and people in other cars would not be able to see the victim car’s brake lights.”
The terror of this scenario was only surpassed when the researchers described how malicious code could be erased, leaving no trace of who had done it. As they wrote (emphasis mine):
Hosting our own code within a car’s ECU enables yet another extension to our attacks: complicating detection and forensic evaluations following any malicious action. For example, the attack code on the telematics unit could perform some action (such as locking the brakes after detecting a speed of over 80 MPH). The attack code could then erase any evidence of its existence on the device… If the attack code was implanted within the telematics environment itself, then more sophisticated techniques may be necessary to erase evidence of the attack code’s existence. In either case, such an attack could complicate (or even prevent) a forensic investigation of a crash scene. We have experimentally verified the efficacy of a safe version of this attack while driving on a runway…[…]
the researchers demonstrated that a hacker could gain access to the car via “Bluetooth, Remote Keyless Entry, RFIDs, Tire Pressure Monitoring Systems, WiFi, and Dedicated Short-Range Communications.” To do this, the hacker would have to be within 5 to 300 meters of the car’s receiver. On the high end, that’s 984 feet of distance from hacker to hacked car. Point being, the hacker need not actually be in the car to deliver the malicious code.
UW and UCSD researchers also demonstrated that long-range (greater than 1km) wireless access to a car’s computer system is possible. How? Well, this will make you soil your drillies: through GPS, satellite radio, digital radio, radio data systems (digital information embedded in FM broadcasts), and traffic message channels.
“To be clear, for every vulnerability we demonstrate, we are able to obtain complete control over the vehicle’s systems,” wrote the researchers. Complete control.”