

8/5/2013
05:25 PM

Car Hackers Release Tools

Researchers who hacked Toyota Prius and Ford Escape hope to foster future 'car-in-a-box' model for tinkering with vehicle security issues

DEF CON 21 – Las Vegas -- A pair of researchers today released their homegrown tools for hacking computerized features in popular automobile models. At the hacker convention here last week, Charlie Miller and Chris Valasek demonstrated how they were able to take control of the electronic smart steering, braking, acceleration, engine, and other features of the 2010 Toyota Prius and the 2010 Ford Escape.

Miller and Valasek tore apart the dashboards of the vehicles to learn how the various automated features were networked and run, and ultimately wrote code to control the electronics that run the steering wheel, brakes, and other functions. Their work follows the remote car-hacking research in 2011 by the University of Washington and the University of California-San Diego, which found ways to hack car features via Bluetooth and rogue CDs, for instance. The academics kept private some details of the hacks, including which cars they were able to "own."

So Miller and Valasek wanted to take car hacking a step further and drill down and see what really could be done if a hacker got inside the car's network. They also wanted to share those details, as well as the car-hacking tools they built, with other researchers.

"This addresses a problem that doesn't really exist yet but we're afraid will, very soon. We want to get ahead of the curve," Miller, who is a security engineer at Twitter, said in an interview with Dark Reading.

The pair, known for their software-hacking, spent about 10 months working on the hacks. Miller says they hope the tools will help other researchers find other weaknesses in vehicles that should be addressed.

Miller says he and Valasek hope to also help create a "car-in-a-box" research model that simulates the vehicles so you don't need to spend $40,000 on a vehicle to test.

"One of our big goals is to get other people involved in this. But obviously, there's a scale issue ... people don't have [money] to buy the cars," he says. "We want to lower that barrier to entry, with a car-in-a-box [model] ... where you could do simulation and research on this that you know would work in a real car."


At the heart of their car-hacking research was cheating the Controller Area Network (CAN) technology resident in the vehicles by injecting their own messages that would disable the Ford Escape's brakes at slow speeds or kill its engine while on the road, for example. They were able to force the Toyota Prius to brake at 80 miles per hour and to jerk the steering wheel out of the driver's control.

CAN supports the electronic control units (ECUs) for each of the car's automated features. "Almost all of the [automated] features in the Prius are controlled by computers that take input from sensors," Valasek told DEF CON attendees. "The ECUs are connected by the CAN bus ... once you're on the CAN bus ... and if you compromise an ECU or are connected in physically, you're all good."

The researchers sent their own messages to the CAN network in the hacks. In one hack captured on videotape, the researchers simulated a message that the Prius's gas pedal was "floored" when it was not. The car ultimately stopped, but the engine was still revving up as if the accelerator was engaged. "This was done by the injection of 'normal' CAN traffic," said Valasek, who is director of security intelligence for IOActive.

Miller and Valasek's tools include EcomCat, a "Swiss Army knife" that can read and write to the CAN bus, store output from the CAN bus, and read and write from file, for example; EcomCat API, an application programming interface for EcomCat; and PyEcom, a Python tool.

But not all of the cars' functions run over CAN. The directly wired functions like the speedometer, lights, and horn can be manipulated by injection attacks on the diagnostics, the researchers found. "You can take out the ECU in control of all of the lights in the car. So you can turn the lights out, and the AC goes out, the radio goes out, the brake lights go out, and you can't get out of park, either," Miller told DEF CON attendees.

Toyota and Ford have publicly played down the research. The researchers provided both auto companies with their white paper, but neither firm has promised any fixes. Ford said in a statement for a "Today" show segment featuring Miller and Valasek's research that "This particular attack was not performed remotely over-the-air, but as a highly aggressive direct physical manipulation of one vehicle ... which would not be a risk to customers."

Miller says Toyota's response was similar, saying its focus was on remote attacks and that this research didn't constitute hacking. It's unlikely that Ford or Toyota will address the security issues in the end, he says. "It's not enough to get them to do anything. And it's not a Web browser bug, where you could release a patch. It's going to be difficult" to secure these systems in the cars, he told Dark Reading.

There are some steps the carmakers could take, though, according to Miller, such as isolating CANs and adding a detection-type system on the network to catch any suspicious or unauthorized behavior.
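As an added illustration of the detection idea Miller describes (this is not code from the researchers' tools or white paper), the sketch below learns how often each CAN ID normally appears and flags frames that arrive too soon after the previous one or carry an ID never seen in the baseline. It assumes a `candump -L` style text log; the IDs, payloads, and timings are constructed sample data, not values from either vehicle.

```python
import re
from collections import defaultdict

# Assumed log format: "(1000.010000) can0 0C4#0000000000000000"
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def parse(lines):
    """Yield (timestamp, arbitration_id) for each well-formed log line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(3), 16)

def learn_periods(lines):
    """Median inter-arrival time per ID, from a trace assumed to be clean."""
    seen = defaultdict(list)
    for ts, can_id in parse(lines):
        seen[can_id].append(ts)
    periods = {}
    for can_id, stamps in seen.items():
        gaps = sorted(b - a for a, b in zip(stamps, stamps[1:]))
        if gaps:
            periods[can_id] = gaps[len(gaps) // 2]
    return periods

def detect(lines, periods, tolerance=0.5):
    """Flag unknown IDs and frames arriving sooner than tolerance * period."""
    last, alerts = {}, []
    for ts, can_id in parse(lines):
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last and ts - last[can_id] < tolerance * periods[can_id]:
            alerts.append((ts, can_id, "too-frequent"))
        last[can_id] = ts
    return alerts

# Constructed baseline: ID 0x0C4 is broadcast every 10 ms.
BASELINE = [f"({1000 + i * 0.010:.6f}) can0 0C4#0000000000000000" for i in range(20)]
# Constructed live trace: the same periodic frames, three extra 0x0C4 frames
# 2 ms after legitimate ones, and one frame with an ID absent from the baseline.
LIVE = [f"({2000 + i * 0.010:.6f}) can0 0C4#0000000000000000" for i in range(10)]
LIVE += [f"({2000 + i * 0.010 + 0.002:.6f}) can0 0C4#FFFF000000000000" for i in range(5, 8)]
LIVE += ["(2000.055000) can0 123#DEADBEEF"]
LIVE.sort(key=lambda s: float(s[1:s.index(")")]))

if __name__ == "__main__":
    for ts, can_id, reason in detect(LIVE, learn_periods(BASELINE)):
        print(f"{ts:.3f} id=0x{can_id:03X} {reason}")
```

A rate check like this only shows that extra traffic is present for an ID; it cannot say which of two closely spaced frames is the legitimate one.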

Miller and Valasek's white paper and tools can be downloaded here.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
