Automotive hackers commandeered control of a Ford Escape and Toyota Prius during a recent experiment, and using data culled from the experiment came up with some tips on how automakers can block hackers from gaining access to cars.
Breaching security in the cars’ software, they did things like start and stop the engines, manipulate steering and brake functions and change odometer and speedometer readings. Then they told others how they did it.
Dr. Charlie Miller and Chris Valasek published a white paper last week that details the methods and code they used to manipulate the vehicles’ electronic control units and area networks. They released their findings at DefCon, an annual gathering of hackers in Las Vegas.
It marks the first time the step-by-step details of an automotive cyber attack have been published for a wide audience.
“The hope is that by releasing this information, everyone can have an opened and informed discussion about this topic,” the researchers wrote. “This will lead to safer and resilient vehicles in the future.”
Cars today are much more than mechanical. Computers control most of their major functions. These computers, known as electronic control units, can number between 50 and 80 per car. They are connected to each other by a Controller Area Network.
By accessing and transmitting coding via the network, Miller and Valasek could steer the cars, brake, accelerate and change the displays. In hacking the Escape, they said attacks that aimed to kill the engine “work at any speed.” In the Prius, they sent coding that red-lined the engine and forced it to eventually quit.
Miller and Valasek, who work at the security consulting firm IOActive, proposed solutions for thwarting attacks, noting that an uptick in traffic on the CAN stands out and can “easily” be detected. They say a system that detects traffic anomalies could be the first line of defense.
Their research builds upon a 2011 study conducted by researchers at the University of Washington and University of California-San Diego demonstrated they could remotely hack into a car and affect its functions, while ignoring driver inputs.
Detailed information about automotive cyber security is a closely guarded secret. Last week, Volkswagen filed a lawsuit to prevent researchers at the University of Birmingham from releasing a similar study.
Transportation experts fear the ease of automotive hacking, because someone with malicious intent could commandeer a car and cause it to crash. And as cars become more inter-connected with each other and infrastructure, security officials warn terrorists could control many cars at once and, in a worst-case scenario, initiate a mass accident.
The National Highway Traffic Safety Administration recently opened a 12-member office to deal with the emerging cyber threats.
“Automobiles have been designed with safety in mind,” Valasek and Miller wrote. “However, you cannot have safety without security.”
