
Everything that can be hacked…

… will be hacked, including cars. Two Spanish security researchers claim they can hack cars wirelessly with a device that costs less than US$20.

The CAN Hacking Tool is about three-quarters the size of an iPhone (Photo: Forbes)

At last year's DEFCON conference, two hackers showed how they could hack cars by means of the OBD-II interface. Back then, the hackers still had to sit in the back of the car to control it. At this year’s Black Hat Asia conference, two Spanish researchers will present a device that lets them control a car wirelessly. According to Forbes magazine, Javier Vazquez-Vidal and Alberto Garcia Illera plan to present a gadget that can be physically connected to a car’s internal network to inject malicious commands affecting everything from its windows and headlights to its steering and brakes. Their tool attaches via four wires to the CAN network of a vehicle, drawing power from the car’s electrical system and waiting to relay wireless commands sent remotely from an attacker’s computer. They call their creation the CAN Hacking Tool, or CHT.

The researchers tested four different vehicles, whose specific make and model they declined to name. In some cases, the attacks required gaining under-the-hood access or opening the car’s trunk, while in other instances, they say they could simply crawl under the car to plant the device. “It can take five minutes or less to hook it up and then walk away,” says Vazquez Vidal. “We could wait one minute or one year, and then trigger it to do whatever we have programmed it to do.”

While they say they don’t plan to release the code used to inject commands into their test vehicles’ networks, the repository for the tool presented at Black Hat Arsenal USA and Defcon 21 in Las Vegas in 2013 is available online. That tool uses an Arduino Mega2560, but according to the researchers’ repository on GitHub, last year’s demo version was only used as a proof of concept and does not work on the portable tool. According to their site, “this tool will allow you to read and write original and modified files to your car Engine ECU, and can be built under $26 if you spend a few minutes at ebay and are not in a rush (for shipment).” This means that even if the tool were discovered, it would be very hard to trace.

For now, the tool communicates only via Bluetooth, limiting the range of any wireless attack to a few meters. When the two researchers present their research at Black Hat, they say they’ll upgrade it to use a GSM cellular radio instead. GSM would make it possible to control the device from miles away. And apparently more developments are to come: On Twitter, where the two researchers keep the public up to date with the progress of their device, Vazquez Vidal posted this week: “Many people think that CHT is just another logger/injector with gsm, and that we are going to talk about known stuff. Wait for #BlackHat!” Depending on what they show at the conference, their presentation could achieve their goal of convincing car makers to look into the security issues of their cars. The researchers argue that car makers need to look beyond the initial wireless penetration of a car’s network and consider adding security between a vehicle’s systems, limiting a rogue device’s ability to wreak havoc. According to Vazquez Vidal, “the goal isn’t to release our hacking tool to the public and say ‘take this and start hacking cars.’ We want to reach the manufacturers and show them what can be done.”

Letter to the editor from Christian Peter (SK Continental E-Motion)

"In today's world, all electronic products suffer from one main issue when it comes to security aspects: If a device provides a mechanism to control something, it provides a mechanism to control something. To develop a wireless device as an interface to access a car's CAN network is not a big deal, which is why the mentioned "development" is no news. Such a device is almost like a Trojan horse. If you grant somebody access to your car, you have to trust them that they only do what you asked them to do. They could also loosen the bolts of all wheels and cut all brake pipes.

Many things can be reverse engineered through spending a lot of time analyzing CAN traces. Ensuring a better protection of a private bus system is almost senseless, as this will only increase the efforts for intruders to develop strategies how to get access to what they want - but it does not ensure 100 % security. A private bus system can't be accessed from outside the car.

In case of the "CAN Hacking Tool" one should ask how the two developers found out how to use the information in a CAN network. From my perspective the bigger issue with security topics is the illegal distribution of security algorithms (Seed & Key etc.) and tools. This is something that can't be avoided in a technical manner. This topic needs to be addressed by developing proper ideas on how to handle confidential information and algorithms during the development phase and production and in maintenance facilities. Therefore, it is irresponsible to outsource maintenance facilities, when it comes to providing these facilities with tools that contain confidential algorithms with which the serial number of a device can be changed. It's only a matter of time until this algorithm is extracted and available on the Internet. The topic of handling confidential information is a major risk these days. It should be the major task of OEMs and suppliers to ensure this confidential matter when it comes to technical security aspects.

From a technical point of view, OEMs should clearly concentrate on the secure development of all wireless connections of a vehicle like mobile phones, telematics, and systems. It is very important to keep the car's private bus systems private and to avoid providing any possibility for intrusion via wireless technologies. If this is not ensured, intruders might be able to penetrate cars quite easily. The mentioned Trojan horse "CAN Hacking Tool" is nothing we should be concerned about, since this technology requires direct access to a car's private bus systems."