Vulnerabilities / Threats
8/12/2010
01:14 PM
50%
50%

Hackers Deflate Auto Tire-Pressure Sensors

Monitors in fast-moving cars can be damaged using spoofed wireless signals, leading to security, privacy, and safety threats.

The wireless systems that monitor tire pressure in modern cars can be spoofed remotely or even damaged, according to a team of Rutgers University and the University of South Carolina computer scientists.

In particular, when driving two cars next to each other, the researchers could trigger a "low tire pressure" warning at 35 miles per hour, and a "check tire pressure" warning at 65 miles per hour. In addition, they found that at least one type of tire pressure system -- not disclosed -- "could be damaged through spoofed wireless signals."

The researchers plan to present their in-car wireless network security and privacy vulnerability findings Thursday at the Usenix conference in Washington.

"We have not heard of any security compromises to date, but it's our mission as privacy and security researchers to identify potential problems before they become widespread and serious," said Marco Gruteser, associate professor of electrical and computer engineering at Rutgers, in a statement.

While in-car wireless networks are meant to be shielded, researchers could still eavesdrop on communications from 30 feet away using a simple antenna, and 120 feet away when using an amplifier. In addition, according to their research, "reverse-engineering of the underlying protocols revealed static 32-bit identifiers and that messages can be easily triggered remotely, which raises privacy concerns as vehicles can be tracked through these identifiers."

The researchers studied two systems identified only as "commonly used in vehicles manufactured during the past three years" and found that neither performed authentication or input validation. As a result, the researchers were able to spoof the sensor messages. "We validated this experimentally by triggering tire pressure warning messages in a moving vehicle from a customized software radio attack platform located in a nearby vehicle," they said.

What does it take to hack a car's wireless network? Try college-level engineering expertise and a few thousand dollars' worth of publicly available radio and computer equipment. The researchers also used their own cars.

Spurred by the Firestone tire recall in the 2000, in 2003, the U.S. Department of Transportation began requiring a phase-in of tire pressure monitoring systems. By September 2007, all light vehicles -- 26,000 pounds or less -- sold in the United States contained either wired or wireless versions of such systems.

According to Wade Trappe, an associate professor of electrical and computer engineering at Rutgers who worked on the project, "while we agree this technology is essential for driver safety, more can be done to improve security, such as using input validation or encryption."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6123
Published: 2014-12-28
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.

CVE-2014-6160
Published: 2014-12-28
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.