Security researchers from the University of Washington and the University of
California, San Diego took to the stage at a conference on Tuesday to
describe how they were able to remotely break into vehicle electronics
through an array of security holes. Speaking at the Enigma Security
Conference in San Francisco, they discussed how cars have evolved over
the years into computers on wheels that crafty hackers can penetrate
under the right circumstances.
One particularly sensitive entry point for hacking is the legally required
OBD II port, which is basically “the Ethernet jack for your car,” said
Stefan Savage, a University of California, San Diego professor of
computer science and engineering. It is typically located below the
dashboard on the driver’s side.
This port acts as the car's command center that connects to all of the
different computer systems, said Savage. Mechanics often plug directly
into this port to retrieve diagnostics for the car's emissions, mileage, and engine errors.
However, hackers who directly connect their laptops to the port through an
intermediary device can basically plug into the car’s control system and
“have access to everything,” said Savage. “Once you get inside this
network, all bets are off,” he said.
With cars containing multiple computers coupled together through a maze of networks, it’s also possible to break into the car’s command center without having to physically plug something into the port. Hackers just have to find a hole somewhere within one of the networks to sneak in.
These holes are often created from software conflicts that emerge when code
from one device like a CD player communicates with code from another
device like a car's on-boarding system. There's so much code in a
typical car from so many different vendors that it can be virtually
impossible for auto makers to know all the software inside their
vehicles, he explained.
In 2010, Savage and his research team demonstrated how they were able to wirelessly hack
into the command centers of a 2009 Chevy Impala through the OBD-II
port. They were able to manipulate the car’s braking system so that the
vehicle suddenly stopped or failed to function at all.
Wired reported that it took General Motors five years to completely fix the bug and ensure that future models wouldn’t have the same vulnerabilities.
Savage stressed that the hacking incident on GM and similar research-led hackings into car models like the Toyota Prius and Ford
Escape don’t show that any one company’s cars are more vulnerable than
the next. Instead, it’s an industry-wide problem. It used to be that
manufacturers didn't typically have cyber security response teams or
other means to effectively deal with the issues, he explained.
Indeed, at the time of the Chevy Impala hack, GM “didn’t have anyone to deal
with cyber security” and regulators didn’t know how to address the
problem, said Savage. However, his team worked closely with GM to fix
the problem and the company has since installed a chief security officer
in charge of product and now has a 100-person strong cyber security
team. The company also changed its overall development process and is
trying to patch possible bugs in its systems before they become public,
he explained.
“I’m not going to tell you there aren’t vulnerabilities in GM’s cars, but
they are in a much better position than what we started in 2010,” said
Savage.
It’s worth noting that the researchers were able to pull off their hacks in
staged projects in the lab. Just because they discovered them “doesn’t
mean [the problems] will necessarily manifest in the real world,” said
University of Washington professor of computer science and engineering
Tadayoshi Kohno.
The researchers argued that security experts must continue to make bugs
public if the auto industry fails to address its loose security
standards. Hopefully, they said, it will prevent disasters before they
happen on the road.