The idea of hackers breaking into your personal computer is alarming enough. But what if they could seize control of your car's control systems while you are driving? Using a laptop and custom-written software, security researchers have hacked into the control systems of a family car, disabling the brakes and turning off the engine while the vehicle was moving.
Fortunately, the hack is technically difficult and the risk to drivers is low – for now. But the benign hackers, led by Tadayoshi Kohno at the University of Washington in Seattle and Stefan Savage at the University of California, San Diego, have revealed the details to encourage car makers to make future vehicles more secure.
Computers help control many systems in modern vehicles, from anti-lock braking systems to the timing of ignition. Each system typically has its own dedicated computer controller, which is connected to a network that can be accessed by mechanics via a socket under the dashboard.
Kohno and Savage's team tested two 2009 sedans of the same make and model, which they decline to name. In a paper to be presented next week at the IEEE Symposium on Security and Privacy in Oakland, California, they describe how they plugged a laptop into the control socket and used software called CarShark to send signals into the car's networks. By sending random commands and observing the effect of each, they were able to decipher the language used by the control systems.
In tests on a disused airfield in Washington state, with the laptop plugged into a control network, the researchers were able to kill the engine and disable the brakes of a car moving at 65 kilometres per hour. They were also able to instantaneously lock the brakes.
Clearly, drivers would notice a laptop plugged into their car's control systems. But it would be possible to achieve the same result with less obtrusive hardware that could be controlled remotely. Still more alarmingly, the researchers say they also took control of a car using wireless signals and operated it via the internet, but would not provide further details of this part of the study.
Although the attacks sound alarming, they require a high level of knowledge to carry out. "Car tuning" enthusiasts have similarly discovered how to control many of the systems the researchers compromised – although there is no evidence of anyone using these methods to malicious ends. Industry experts say they have never seen such attacks being used outside of the new experiment.
Savage says that the car industry's attitude to system security is similar to that of the computer industry prior to the internet – which exposed computers to attack and revealed many vulnerabilities.
"This industry hasn't had to deal with adversarial pressure, so its defences haven't had to be that strong," Savage says. He hopes that industry and regulators will come together to develop a consensus on how to protect cars before such attacks are attempted.