Researchers: Hackers Could Break Into Vehicles From A Distance

March 15, 2011

If you drive a new or nearly new car, you could be packing just as much computing power in your vehicle as you have on your desk or in your briefcase.

Plus, vehicles are more connected than ever before. And that connectivity, while it can make our vehicles better and our experience more convenient and secure in most cases, can also be exploited by hackers.

Last week, researchers presented findings to the National Academies Committee on Electronic Vehicle Controls and Unintended Acceleration, which included an examination of electronic throttle controls as well as other electronic vehicle functions, looking at their design, reliability, software, environmental factors and, notably, their cybersecurity.

In the research, a team of ten computer-security experts looked at vehicle security over the course of two years—following up on a paper we reported on last year—and looked for vulnerabilities through which they might gain control of the vehicle or some of its subsystems.

Could they hack into a vehicle's Bluetooth hands-free system? Check. Its emergency-services cellular-network connection? Check. Could they access central vehicle controls through those entry points, without any physical access to the vehicle? Check.

The researchers didn't single out any brands or models, but they looked at a number of vehicles that include an embedded cellular connection to provide an automated emergency response, as well as call-center concierge services. Examples include OnStar (GM), Safety Connect (Toyota), Enform (Lexus), Sync (Ford), and Mbrace (Mercedes-Benz).

Update: We've since heard from Ford, and according to technology communications manager Alan Hall, the automaker's Sync technology falls into a different category, as the cellular connection is not embedded. Sync hardware includes a built-in firewall; vehicle control systems are separate; sensitive information or updates are encrypted; and software updates must be 'code-signed' by Ford.

Although they point to no specific or dire vulnerabilities, the exercise essentially demonstrates to automakers and suppliers that if an attacker is determined (and knowledgeable) enough, he or she can gain access.

The hackers even managed to hack into vehicles using vulnerabilities in cellular-connection-based safety features—such as those that automatically allow concierge services when the airbags inflate (or trigger the systems to call 911).

In one attack scenario, the team looking for these vulnerabilities showed that thieves or mischief-makers could target particular models of vehicles remotely, find their location, and unlock them without forcing any physical entry. Worse yet, the team showed that they could disable a vehicle's brakes electronically.

The research team's findings will be assembled in a report to the National Highway Traffic Safety Administration (NHTSA), in hopes of new standards for security in vehicle systems.

Is this all too alarmist? Perhaps. A professor overseeing the research told Technology Review that the primary researchers both feel comfortable driving their vehicles.

That said, it's probably time for automakers to think a little more seriously about security.

Are you concerned about the security of certain vehicle options or components? Let us know which ones and why.

[Center for Automotive Embedded Security, via New York Times and Technology Review]
