Car hackers build anti-car-hacking gadget

library
crime | hacking | security

Car hackers have been busy over the past few years.

They’ve zombified cars in wired mode and even wirelessly, to show how you can screw with windows, toot horns, flip headlights on and off, unexpectedly slam on brakes, and take over electronic smart steering so as to steer cars straight into nearby weedlots.

The means of committing vehicular mischief can be dirt cheap.

There was the $30 hacking kit that could be used to steal BMW cars, for example, and then there was the $20, iPhone-sized gadget that renders cars brain-dead.

Then, in August 2013, researchers Charlie Miller and Chris Valasek showed Forbes reporter Andy Greenberg how a ride in a Toyota Prius could turn into the journey from hell.

All these car-hacking headlines sunk in to US lawmakers’ noggins, resulting in the launch of a congressional investigation into security practices at major auto manufacturers.

In December 2013, US Senator Edward Markey sent a letter to leading car manufacturers asking them to explain how they secure their vehicles against cyber attacks.

The deadline for responses has come and gone, but Markey’s office hasn’t yet released its findings.

But the ride, mind you, isn’t over yet, congressional investigation findings or no.

Miller and Valasek plan to give a talk at the upcoming Black Hat conference in August, during which they say they’ll be outlining new potential wireless attack points in automobiles.

But where there are skidmarks, there’s also hope.

Beyond more white-knuckled stunts, the pair also plan to unveil a prototype device meant to foil the type of hacks they’ve been throwing at cars.

Miller, who’s a security researcher at Twitter, says:

These attacks seemed serious enough that we should actually consider how to defend against them. … We actually wanted to do something to help solve this problem.

They cooked up the anti-hacking device for about $150 in parts, Forbes’s Greenberg reports: an mbed NXP micro controller and a simple board.

It plugs into a jack underneath a car or truck’s dashboard known as the OBD2 port.

After being powered on for a minute during routine driving, the device captures the vehicle’s typical data patterns.

Switching it into detection mode will enable it to monitor for anomalies that depart from this typical behavior profile.

Greenberg gives the example of a command normally associated with the car being parked that instead shows up when the car’s traveling at 80 mph on the freeway.

If the car diagnoses hijinx, it puts the car into what the researchers call “limp mode” – the network shuts down, and higher-level functions such as power steering and lane assist are disabled until the vehicle is restarted.

So far, Miller and Valasek’s invention hasn’t flagged any false positives and hasn’t mistakenly shut down a car – owing, they said, to a car’s digital communications being more predictable than those of most computer networks:

It’s just machines talking to machines. … In the automotive world, the traffic is so normalized that it’s very obvious when something happens that’s not supposed to happen.

The pair don’t plan to sell their anti-car-hacking gadget.

Rather, their aim is to demonstrate how easy it would be for automakers to protect vehicles from the attacks that they and others have already vividly demonstrated.

Hopefully, the carmakers will be willing to protect people by implementing a version of a $150 gadget built by security researchers.

If not, one hopes that congress members such as Senator Markey will have a lot more than questions to throw at them.